I work for a company that wants to test the vulnerabilities of their web system that contains medical record information. How do you plan that out?