RE: International Penetration Testing Law (United Kingdom)

From: pete (pete@ideahamster.org)
Date: Sat May 25 2002 - 15:49:30 EDT


You may want to look in the Open Source Security Testing Methodology
Manual at OSSTMM.org-- there is an Appendix in 2.0 written by a British
lawyer concerning the various laws for pen testers.

-pete.

-----Original Message-----
From: Greg [mailto:greg@hoobie.net]
Sent: Friday, May 24, 2002 6:58 PM
To: Penetration Testers
Subject: RE: International Penetration Testing Law (United Kingdom)

Assuming a generic remote pen test, you will be dealing with the UK
Computer Misuse Act (1990). You will need written permission from the
system owners and a well defined scope which must also be agreed and
signed off before you start (but I guess that's the same everywhere.)

If client data is to be or may be exposed during the test you should
also consider the UK Data Protection Act which governs the handling of
personal data and the like.

Your engagement letter/contract may need to be re-worded if it is designed
for use within the US. For instance, I don't believe there is the
concept of the data protection act in the US although I'm not entirely
sure about that one.

CMA 1990 : http://www.hmso.gov.uk/acts/acts1990/Ukpga_19900018_en_1.htm
DPA 1998 : http://www.hmso.gov.uk/acts/acts1998/19980029.htm

enjoy

Greg

> -----Original Message-----
> From: M W [mailto:crackthis22@hotmail.com]
> Sent: 22 May 2002 23:12
> To: crackthis22@hotmail.com
> Subject: International Penetration Testing Law (United Kingdom)
>
>
> Does anybody have any insight (website/links) as to laws/restrictions
> on international pen testing, specifically from the United States to a
> client in the United Kingdom?
>
> Thanks in Advance
>
> ----------------------------------------------------------------------------
> This list is provided by the SecurityFocus Security Intelligence Alert
> (SIA) Service. For more information on SecurityFocus' SIA service
> which automatically alerts you to the latest security vulnerabilities
> please see:
> https://alerts.securityfocus.com/
>



