ANNEX IV
Content of the red team test plan (Article 11(1))
The red team test plan shall contain information on all of the following:
(a) communication channels and procedures;
(b) the tactics, techniques and procedures allowed and not allowed for use in the attack, including ethical boundaries for social engineering;
(c) the risk management measures to be followed by the testers;
(d) a description for each scenario, including:
(e) a detailed description of each expected attack path, including pre-requisites and possible leg-ups to be provided by the control team, including deadlines for their provision and potential usage;
(f) the scheduling of red teaming activities, including time planning for the execution of each scenario, split at a minimum according to the three phases a tester goes through during the testing phase: entering the financial entity’s ICT systems, moving through the ICT systems, and ultimately executing actions on objectives and extracting itself from the ICT systems (the in, through and out phases);
(g) particularities of the financial entity’s infrastructure to be considered during testing;
(h) if any, additional information or other resources necessary for the testers to execute the scenarios.