Thanks, and agreed, even including a timeframe after which that agreement expires, so they're not signing a carte blanche permission. Got a face-to-face meeting to discuss scope of work first, before it goes on paper, to make sure we're all in agreement with the requirements and limitations.
Erik Goldoff
IT Consultant
Systems, Networks, & Security

_____

From: Ziots, Edward [mailto:[email protected]]
Sent: Thursday, May 21, 2009 10:32 AM
To: NT System Admin Issues
Subject: RE: Anyone have ... ?

You also need to set up the scope of work and what and where you are going to pen test, and get sign-off by the CIO/CTO/CEO and legal from that company, to CYA, or you can be up against it with legal stuff. Are you going to do whitebox testing, blackbox testing? Vulnerability analysis and full pen testing? Which assets are you going to test? Any requirements under SOX, HIPAA, PCI for the pen test based on the customer? Etc etc.

I would definitely have in the wording of the engagement that the organization/business cannot pursue actions against you for authorized pen testing activities under the following:

Computer Fraud and Abuse Act (CFAA), also known as Title 18 U.S.C. Section 1030.8
http://www.sans.org/reading_room/whitepapers/legal/federal_computer_crime_laws_1446?show=1446.php&cat=legal

Read up, you are stepping in dicey territory.. exciting but dicey.

Z

Edward Ziots
Network Engineer
Lifespan Organization
MCSE, MCSA, MCP+I, ME, CCA, Security+, Network+
[email protected]
Phone: 401-639-3505

_____

From: Erik Goldoff [mailto:[email protected]]
Sent: Thursday, May 21, 2009 10:20 AM
To: NT System Admin Issues
Subject: RE: Anyone have ... ?

why ?

Erik Goldoff
IT Consultant
Systems, Networks, & Security

_____

From: Steve Ens [mailto:[email protected]]
Sent: Thursday, May 21, 2009 10:10 AM
To: NT System Admin Issues
Subject: Re: Anyone have ... ?

That kind of request is like walking in a minefield on this list.

On Thu, May 21, 2009 at 7:24 AM, Erik Goldoff <[email protected]> wrote:

a good boilerplate/template for penetration testing permission ???
