CDL - VAPT - Req Assessment Form-Website


Cyber Security Audit Requirement & Scope Assessment Form

Name of the Client: Controller of Defense Accounts, Patna
Address of the Client: Patna, Bihar
Contact :
E-mail : cda-patna@nic.in

Contact Person Name: Amit Kumar
Contact Person Designation: EDP Manager
Contact Person Number: 7008809259
Contact Person E-mail: cda-patna@nic.in

Needs Assessment - At 'Code Decode Labs', while we recommend that all four elements (Network, Web Application,
Wireless and User-Exploitation) of the 'Pen test++' be carried out, we also understand that every organization's
requirement is unique. In the form below, you can indicate the type of testing your organization would prefer, and our
experts will map your requirements and draft the Scope of Work and Rules of Engagement, ensuring that there is no
mismatch between the requirements and the deliverables.

Web Application Penetration Testing -

(Columns: Test Parameter / Remarks / Our Suggestions/Your Responses)

Application Name/URL (If available for scoping), Nomenclature, Version & Release Date
  Response: Web Application CDA Patna Website
Type - Customer Facing / Internal / Backend, with Brief Description of the Web Application (Purpose, Objectives, Scope of software Application)
  Response: Dynamic Website with information sharing.
Is it a Web application (HTTP/HTTPS) or not? If not, please provide details.
  Response: Yes
Development platform
  Response: Asp.Net
Approximately how many pages does the web application have? Number of dynamic pages? Number of static pages? Total Size of Website (MB)?
  Response: 20 Static Pages, 25 Dynamic Pages, Total Size approx. 200 MB
Is it a CMS (Content Management System) based site? If yes, will CMS pen testing also be part of scope?
  Response: No
Will this app need to be tested via Internet or Internal network?
  Response: Both Available
Will testing be conducted in UAT or production environment?
  Remarks: Production / Host URL
  Response: Hosted URL
Will user credentials be provided for testing from the perspective of a malicious authorized user? Will functional documentation be provided to reduce the time spent in learning the application?
  Remarks: Staging / Temporary URL for Testing Exercise -
  Response: Temporary URL will be provided
Number of roles? I.e. Admin, user, manager.
  Response: Admin, User
Interconnectivity with other systems
  Response: No
Operating System (e.g. Windows 2003, AIX, Solaris etc.)
  Response: Server 2016
Which type of server-side scripts (e.g. asp, jsp, php etc.)?
  Response: None
Application Web Server - Web / Application Server with its version in use (e.g. IIS 5.0, Apache, Tomcat etc.)
  Response: IIS 10.0
Databases at backend (Oracle, MS SQL, MySQL etc.)?
  Response: MS SQL
Total no. of input fields or number of forms available for user input?
  Response: Total Forms approx. 20
Will web server and database server IP penetration testing also be part of scope? If yes, please provide number of IP Addresses.
  Response: Yes, 2 IP
Does the application contain any online payment module?
  Response: No
If required, number of Web Applications to be tested?
  Remarks: For the purpose of the assessment, examples of independent Web Applications are ERP, Customer Login Area, Corp. Website etc.
  Response: 1
Has a Risk assessment been carried out for this application?
  Response: No
Has a DR plan been put in place for this application? Is there a configured firewall deployed to secure the web App?
  Response: Provided by NIC server / Yes

Code Decode Labs Pvt. Ltd. /A-02, Cassiopeia Classic, Near Pancard Clubs, Baner, Pune - 411045. (MAH), India
Network Penetration Testing -

(Columns: Test Parameter / Remarks (Yes/No) / Our Suggestions/Your Responses)

Is the Network PT Required?
  Our Suggestion: We strongly suggest undergoing this test, as most server vulnerabilities can be silently exploited.
If required, number of Servers to be tested?
  Our Suggestion: Our experts can help you decide on the number of servers to test.
How many servers are Mail Servers?
How many servers are Web Servers?
How many servers are Database Servers?
How many Workstations are on the network (including laptops & desktops)?
Number of Web Servers (Publicly Exposed)?

Mobile App / IoT Security Testing -

(Columns: Test Parameter / Remarks / Our Suggestions/Your Responses)

Name & version of the application to be tested
Brief description of application
Application / Servers hosted on which platform / development environment?
End users for the application? (In-house teams / customers / partners / citizens / general users etc.)
No. of screens in the application
No. of activities (dynamic pages / screens) in the application
No. of Modules
APIs in use

Wireless Penetration Testing -

(Columns: Test Parameter / Remarks (Yes/No) / Our Suggestions/Your Responses)

Is the Wireless Penetration Test Required?
  Our Suggestion: A Wireless Penetration Test is required in cases where critical networks are connected via a wireless medium.
If required, number of routers to be tested?
How many resources / IT Assets are connected to the Wireless Network?
What are the make and models of the wireless routers and network devices?
Is it securely self-configured? Encryption Type configured? Last Audited period?
Has the organization deployed a Wireless IDS (WIDS) solution to monitor for the use of inappropriate wireless systems?
Any recent wireless breach incident that led to security risks, or any flaws left open?

Other Details -
Scope of Work - Preferred days / time for testing (Weekends / weekdays / Time)
Have you faced any Cyber Attacks / Hacking Attacks / Data Privacy Breach / Data Theft / Information Leakage or Disclosure / Security Breach /
Virus & Malware Attacks lately? Please provide details, if any, related to this scope.

Any other information you would like to provide under the scope of this security audit or security purview scope?

Note - IT Administrators should share as much real and practical information as possible for this assessment of
the scope of the APT exercise; this helps the entire team test more accurately and apply
reliable technical methodologies for the best results. Thank you.
(Sign & Seal of Responsible IT Official/Officer)
