Something I collected some years ago, and with rework, I still use it today:
Ladies and Gentlemen,
As part of the XYZ Outsourcing Contract, ITCOMPANY Security provides several value-added security related services. One of these is Vulnerability Scanning through coordination with XYZ IT Security. We would like to perform this activity in the LOCATION data centres on Tuesday, May 4th beginning at 9:30 in the morning.
These scans are designed to identify configuration issues, operating system vulnerabilities, etc… so that we can make sure that the integrity, confidentiality and availability of XYZ resources are properly protected. Only devices which ITCOMPANY has management responsibility for are included in this scan. There will be no brute force attacks or password cracking performed as part of this activity.
As in the past, the scan will be monitored by the ITCOMPANY SERVICE MONITORING TEAM (ISMT)
In the event they see service degradation of any of the servers included in the scan. We will immediately turn the scan off if notified. We have successfully performed these scans in the past three years without incident.
The activity will be scheduled, reviewed, and approved by CHANGE MANAGEMENT prior to the scanning.
The notifications (this message and two others prior to the scheduled scan), CHANGE MANAGEMENT approval and the ISMT monitoring are control activities to make sure that this activity is publicized and that we are able to immediately disconnect if any adverse activity is noted.
Please let me know if you have any concerns or conflicts with this timing.
Please feel free to contact me directly if you have any questions or concerns about this activity. If there are others who should receive this communication, please forward directly to that person with a cc: to me.
Thank you in advance for your assistance and time.