Security Assessment -- Scope Document
Engagement Overview
[Define the engagement type, objectives, and driving requirement]
Client Information
[Client name, organization, contact details, business context]
Scope
In-Scope Systems
| System | Description | Location | Owner |
|---|---|---|---|
| [Hostname, IP address or CIDR block] | [Role, exposure and technology stack] | [Site, datacenter or cloud account/region] | [Responsible team and contact] |
Out-of-Scope
- [List systems, networks, or services explicitly excluded from the assessment]
Rules of Engagement
- Do not disrupt production systems or services; denial-of-service testing is excluded unless explicitly agreed in writing
- Testing during agreed hours only -- coordinate with the client before any high-impact testing
- No data exfiltration beyond proof of access (demonstrate access, do not extract actual sensitive data)
- Critical findings reported to the client within 24 hours of confirmation, via the escalation path in Points of Contact
- All testing must remain within the defined scope -- do not probe systems not listed above, and stop and confirm with the client if a discovered host or service is not clearly covered by the In-Scope table
- Maintain confidentiality of all findings until the final report is delivered
- Document all tools used (name, version, options) and every scan performed (targets, time window) for the assessment methodology section
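One way to enforce the in-scope rule mechanically before any scan is launched, as an added example that is not part of this scope document: a small Python gate that refuses any target not listed in the In-Scope table, applies the Out-of-Scope exclusions first, and emits a timestamped log line for the methodology section. The addresses and hostnames below are constructed placeholders (RFC 5737 TEST-NET ranges and example.com names), not the engagement's real scope.

```python
"""Scope gate for an assessment target list (added example, not part of the scope document)."""
import ipaddress
from datetime import datetime, timezone

# Constructed placeholder scope: replace with the In-Scope table and Out-of-Scope list.
# Entries may be a single IP, a CIDR block, or a hostname.
IN_SCOPE = ["203.0.113.0/24", "198.51.100.10", "www.example.com"]
OUT_OF_SCOPE = ["203.0.113.250", "mail.example.com"]


def _parse_entry(entry):
    """Return an ip_network for IP/CIDR entries, or a lower-cased hostname string."""
    try:
        return ipaddress.ip_network(entry, strict=False)
    except ValueError:
        return entry.strip().lower()


def _matches(target, entry):
    """True if the target (IP or hostname) falls inside one scope entry."""
    parsed = _parse_entry(entry)
    if isinstance(parsed, str):
        return target.strip().lower() == parsed
    try:
        return ipaddress.ip_address(target) in parsed
    except ValueError:
        return False  # hostname target against an IP entry: no match


def check_target(target, in_scope=IN_SCOPE, out_of_scope=OUT_OF_SCOPE):
    """Return (allowed, reason).

    Explicit exclusions win over in-scope ranges, and anything not listed at all
    is refused, so the gate fails closed on unlisted hosts.
    """
    for entry in out_of_scope:
        if _matches(target, entry):
            return False, f"explicitly out of scope ({entry})"
    for entry in in_scope:
        if _matches(target, entry):
            return True, f"in scope ({entry})"
    return False, "not listed in scope"


def filter_targets(targets, in_scope=IN_SCOPE, out_of_scope=OUT_OF_SCOPE):
    """Split a candidate list into approved targets and (target, reason) rejections."""
    allowed, rejected = [], []
    for target in targets:
        ok, reason = check_target(target, in_scope, out_of_scope)
        if ok:
            allowed.append(target)
        else:
            rejected.append((target, reason))
    return allowed, rejected


def scan_log_entry(tool, arguments, targets, when=None):
    """Build one methodology-log line: UTC timestamp, tool, arguments and approved targets,
    so each scan can be matched against the agreed testing window later."""
    when = when or datetime.now(timezone.utc)
    return (f"{when.isoformat(timespec='seconds')} tool={tool} "
            f"args={' '.join(arguments)!r} targets={','.join(targets)}")


if __name__ == "__main__":
    # Constructed candidate list mixing in-scope, excluded and unlisted hosts.
    candidates = ["203.0.113.17", "203.0.113.250", "198.51.100.10",
                  "www.example.com", "mail.example.com", "192.0.2.5"]
    approved, refused = filter_targets(candidates)
    for target, reason in refused:
        print(f"rejected {target}: {reason}")
    print(scan_log_entry("nmap", ["-sV", "-p", "80,443"], approved))
```

Run the gate over the target file before invoking the scanner, and feed only the approved list to the tool; the rejected list with reasons is what you show the client if a scope question arises later.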
Regulatory Context
This assessment is conducted in support of Royal Government Directive 2026/CS-04, which requires all ministries and agencies operating public-facing digital services to:
- Implement continuous security monitoring capability
- Undergo an independent security assessment
- Produce a compliance report for Ministry review
[The specific compliance criteria and how they map to assessment activities should be determined during the engagement]
Timeline
[Assessment phases, milestones, and deadline]
Points of Contact
[Client contact, escalation path, emergency contact]