----------------------
Source: http://www.social-engineer.org/wp-content/uploads/2014/03/Social-Engineer_CTF_Report.pdf

In House IT Support?
Trash Handling?
How are Documents Disposed of?
Who Does Offsite Back-Up?
Employee Schedules?
PBX System?
Name of PBX?
Employee Termination Process
New Hire Process?
Open a Fake URL
What OS Used?
What Service Pack?
Mail Client?
Version of Mail client?
Anti-Virus Used?
Is there a Cafeteria?
Computer Make and Model
Wireless On-Site?
ESSID Name?
Days of Months Paid?
Duration of Employment?
Shipping Supplier?
Time Deliveries Are Made?
Browser?
Version of Browser?
PDF Reader?
Version of PDF Reader?
Websites Blocked?
VPN In Use?
VPN Software?
Badges for Bldg Access?
Who Supplies Food?

----------------------
Source: https://web.archive.org/web/20100606000522/http://www.social-engineer.org/blog/defcon-social-engineering-contest/

THE DO NOT LIST:

Underlying idea of this contest is: No one gets victimized in the duration of this contest. Social Engineering skills can be demonstrated without engaging in unethical activities. The contest focuses on the skills of the contestant, not who does the most damage.

Items that are not allowed to be targeted at any point of the contest:

1) No going after very confidential data. (i.e. SS#, Credit Card Numbers, etc.)
2) Nothing that can get Social-Engineer.org, Defcon, or the participants in the contest sued.
3) No porn.
4) At no point are any techniques allowed to be used that would make a target feel as if they are “at risk” in any manner. (i.e. “We have reason to believe that your account has been compromised.”)
5) No targeting information such as passwords.
6) No pretexts that would appear to be any manner of government agency, law enforcement, or legally liable entity.
7) The social engineer must only call the target company, not relatives or family of any employee.
8) Use common sense, if something seems unethical – don’t do it. If you have questions, ask a judge.