RE: Papers prior to pen-test

From: Bud Gordon (bud.gordon@hughes.net)
Date: Tue Sep 19 2006 - 17:06:33 EDT


I am no lawyer, but how about this?

Memorandum for File

Subject: Information Technology Security Testing Authorization

Date: MMDDYY

To properly secure its information technology assets, the <Company> is
required to assess its security stance periodically by conducting
information security testing. These activities involve testing
<Company> computer systems to discover vulnerabilities present on these
systems. Only with knowledge of these vulnerabilities can the <Company>
apply security fixes or other compensating controls to improve the
security of the <Company> information infrastructure.

It is understood that information security testing involves manipulating
system processes and services, and that this process may cause a host to
become unstable. Even though the likelihood of a system failure is
small, critical or sensitive data should be backed up prior to testing.

The purpose of this memo is to grant authorization for <pen tester> to
conduct security testing of the <Company>'s assets. To that end, the
undersigned attests to the following:

1) The personnel named below have permission to scan / test the
<Company>'s computer equipment to find vulnerabilities. This permission
is granted from [date] until [date].

2) <CIO> has the authority to grant this permission for testing the
organization's Information Technology assets.

Bud

-----Original Message-----
From: listbounce@securityfocus.com [mailto:listbounce@securityfocus.com]
On Behalf Of Maxime Ducharme
Sent: Tuesday, September 19, 2006 11:47 AM
To: pen-test@securityfocus.com
Subject: Papers prior to pen-test

Hello guys

I'm looking for examples of a kind of "contract" prior
to a pen-test, I mean writing down responsibilities
for each party before doing a pen-test in case anything
goes wrong.

Any ideas?

TIA
 
Maxime Ducharme

------------------------------------------------------------------------
This List Sponsored by: Cenzic

Need to secure your web apps?
Cenzic Hailstorm finds vulnerabilities fast.
Click the link to buy it, try it or download Hailstorm for FREE.
http://www.cenzic.com/products_services/download_hailstorm.php
------------------------------------------------------------------------



This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:56:58 EDT