The volume of work requested must be scheduled rationally across the client's existing commitments, keeping in mind potential impacts on other important initiatives (e.g., ongoing database platform migrations that might interrupt testing for extended periods). Special attention should be given to the IT maintenance window schedule, if the customer requires that all testing be performed during those slots. This also aligns closely with the scope/scale of the assessment, especially where automated tools are to be used to perform numerous iterations (e.g., network vulnerability scanning across hundreds of IP addresses for dozens of vulnerabilities). Always leave a bit of padding for special access needs, such as on-site host assessments -- it always takes longer than you think to get access to target systems.Return to the security site assessment FAQ guide and read the rest of Joel's expert answers.
This was first published in May 2008