Educause Security Discussion mailing list archives

Re: Legalities and Penetration Testing


From: Velislav K Pavlov <VelislavPavlov () FERRIS EDU>
Date: Tue, 11 Jul 2017 18:11:58 +0000

David,

Take a look here: http://www.pentest-standard.org/index.php/Pre-engagement. The Rules of Engagement and Scoping document should spell out what is included and not included (techniques like DoS, phishing, parameter pollution, and backdoors during post-exploitation, as well as targets). Define the schedule and testing times. The rules of engagement should spell out what happens when a vulnerability is discovered: is the vendor to act on it or notify you first? What happens with an exploit? Determine your communication chain for findings and emergencies. You would typically sign a master service level agreement to give the vendor permission to test based on the scope and rules of engagement. Consider having a BAA if HIPAA data is to be accessed, along with a confidentiality/non-disclosure agreement. Discuss what happens to the results and how they are protected at rest and in transfer. Make sure you understand the difference between a security audit, a vulnerability scan, red teaming, and a penetration test. If PCI is in scope, check this guideline: https://www.pcisecuritystandards.org/documents/Penetration_Testing_Guidance_March_2015.pdf. An overall document for selecting a vendor, preparing for, and managing pen test outcomes can be found here: https://www.crest-approved.org/wp-content/uploads/CREST-Penetration-Testing-Guide.pdf. Feel free to shoot me an email if you need more information. Best wishes.

Vel Pavlov | Coordinator, IT Security
M.Sc. ISM, CISSP, C|HFI, C|EH, C)PTE,
Security+, CNA, MPCS, ITILv3F, A+
Big Rapids, MI 49307
VelPavlov () ferris edu


From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of David Stack
Sent: Tuesday, July 11, 2017 1:27 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Legalities and Penetration Testing

I’m new to the list, so I apologize if this has been discussed already. I did a scan of the group archives and did not find anything directly relevant.

We are on the verge of contracting with a vendor to do some penetration testing and have run into concerns about how penetration testing could get us and/or the vendor in legal trouble.

http://www.techrepublic.com/article/dont-let-a-penetration-test-land-you-in-legal-hot-water/

Could anyone point me to a more concrete list of best practices regarding legal terms and conditions for penetration testing contracts?

Thanks in advance!

— David

David Stack
Interim Associate VP & CIO
University of Wisconsin System
dstack () uwsa edu
