You also need to set up the scope of work and what and where you are going to pen test, and get sign-off by the CIO/CTO/CEO and legal from that company, to CYA, or you can be up against it with legal stuff.

Are you going to do whitebox testing, blackbox testing? Vulnerability analysis and full pen testing? Which assets are you going to test? Any requirements under SOX, HIPAA, PCI for the pen test based on the customer? Etc. etc.

I would definitely have in the wording of the engagement that the organization/business cannot pursue actions against you for authorized pen testing activities under the following: Computer Fraud and Abuse Act (CFAA), also known as Title 18 U.S.C. Section 1030.8
http://www.sans.org/reading_room/whitepapers/legal/federal_computer_crime_laws_1446?show=1446.php&cat=legal

Read up, you are stepping in dicey territory.. exciting but dicey.

Z

Edward Ziots
Network Engineer
Lifespan Organization
MCSE, MCSA, MCP+I, ME, CCA, Security+, Network+
[email protected]
Phone: 401-639-3505

________________________________
From: Erik Goldoff [mailto:[email protected]]
Sent: Thursday, May 21, 2009 10:20 AM
To: NT System Admin Issues
Subject: RE: Anyone have ... ?

why ?

Erik Goldoff
IT Consultant
Systems, Networks, & Security

________________________________
From: Steve Ens [mailto:[email protected]]
Sent: Thursday, May 21, 2009 10:10 AM
To: NT System Admin Issues
Subject: Re: Anyone have ... ?

That kind of request is like walking in a minefield on this list.

On Thu, May 21, 2009 at 7:24 AM, Erik Goldoff <[email protected]> wrote:

a good boilerplate/template for penetration testing permission ???

Erik Goldoff
IT Consultant
Systems, Networks, & Security
