Security Assessment -- Scope Document
Engagement Overview
- Client:
- Assessment type:
- Start date:
- Target completion:
- Assessor:
Client Information
- Organization:
- Industry:
- Location:
- Key contact:
- Contact method:
Scope
In-Scope Systems
| System | Description | URL/IP | Owner | Notes |
|---|---|---|---|---|
Out-of-Scope
Rules of Engagement
- Do not disrupt production systems. The cooperative has active shipments and buyer access.
- Testing during low-traffic periods is preferred (early morning Venezuelan time, before buyers log in).
- No data exfiltration beyond proof of access -- demonstrate access, do not download bulk data.
- Critical findings (immediate risk to farmer data or buyer pricing) are reported within 24 hours.
- All testing contained within the lab environment unless explicitly authorised for external checks.
- Third-party systems (shipping provider, external APIs) are NOT in scope for active testing. Passive observation of the integration is permitted.
- Document all tools used and scan times for the compliance evidence package.
Timeline
- Phase 1:
- Phase 2:
- Phase 3:
- Report delivery:
- Buyer compliance deadline:
Points of Contact
| Name | Role | Contact Method | Response Time |
|---|---|---|---|