From: rob havelt (rob@cobal.org)
Date: Sat Oct 15 2005 - 17:04:05 EDT
Hi All,
Lately I've been seeing some stuff on the legal end of Penetration
Testing, and have had some clients ask, and I thought that it would
be an interesting question to pose to the list.
Mainly I've been seeing articles like this one:
http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci1131713,00.html?track=NL-358&ad=530198USCA
that suggests that a penetration test should be commissioned by, and
the results delivered to, an organization's legal department in such a
way that the results of the test will be covered by attorney-client
privilege...
The main crux of the suggestion was to insulate an organization
against the liability of not implementing all the suggestions and
recommendations in the report, i.e., if they were sued later, the
results of the penetration test would be available to the plaintiff
during the discovery process under normal circumstances (the test
was commissioned by the IT or Risk Management department), but it
would be privileged info if it were commissioned by legal...
Has anyone faced this in their client interactions? Or done this before?
How does setting that up look exactly?
And does anyone have any thoughts on the effectiveness of this?
To me it seems like that would be a very easy way to get an
unfavorable report buried very quickly so that it ostensibly has no
visibility in the organization. I've also wondered how the results
are communicated between say, legal and the IT group or the rest of
the organization in this case?
Anyway, just something I thought was interesting is all...
--
oOoOoOoOoOoOoOoOoOoOoOoOoOoOoOoOoOoOoOoOoOoOoOoOoOoOoOoOoOoOoOoOo
It's a Kafka high. You feel like a bug.
---------------------------------------------------------------
rob@cobal.org
rob.havelt
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:55:03 EDT