Educause Security Discussion mailing list archives
Re: Legalities and Penetration Testing
From: Velislav K Pavlov <VelislavPavlov () FERRIS EDU>
Date: Tue, 11 Jul 2017 18:11:58 +0000
David,

Take a look here: http://www.pentest-standard.org/index.php/Pre-engagement

The Rules of Engagement and Scoping document should spell out what is included and not included (techniques like DoS, phishing, parameter pollution, backdoors during post-exploitation, and targets). Define the schedule and testing times. The rules of engagement should spell out what happens when a vulnerability is discovered: is the vendor to act on it or notify you first? What happens with an exploit? Determine your communication chain for findings and emergencies.

You would typically sign a master service level agreement to give permission to the vendor to test based on the scope and rules of engagement. Consider having a BAA if HIPAA data is to be accessed, along with a confidentiality/non-disclosure agreement. Discuss what happens to the results and how they are protected at rest and in transfer.

Make sure you understand the difference between a security audit, vulnerability scan, red teaming, and penetration test.

If PCI is in scope, check this guideline: https://www.pcisecuritystandards.org/documents/Penetration_Testing_Guidance_March_2015.pdf

An overall document for selecting a vendor, preparing for, and managing pen test outcomes can be found here: https://www.crest-approved.org/wp-content/uploads/CREST-Penetration-Testing-Guide.pdf

Feel free to shoot me an email if you need more information.

Best wishes,

Vel Pavlov | Coordinator, IT Security
M.Sc. ISM, CISSP, C|HFI, C|EH, C)PTE, Security+, CNA, MPCS, ITILv3F, A+
Big Rapids, MI 49307
VelPavlov () ferris edu

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of David Stack
Sent: Tuesday, July 11, 2017 1:27 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Legalities and Penetration Testing

I'm new to the list, so I apologize if this has been discussed already. I did a scan of the group archives and did not find anything directly relevant.

We are on the verge of contracting with a vendor to do some penetration testing and have run into concerns about how penetration testing could get us and/or the vendor in legal trouble.

http://www.techrepublic.com/article/dont-let-a-penetration-test-land-you-in-legal-hot-water/

Could anyone point me to a more concrete list of best practices regarding legal terms and conditions for penetration testing contracts?

Thanks in advance!

David

David Stack
Interim Associate VP & CIO
University of Wisconsin System
dstack () uwsa edu
Current thread:
- Legalities and Penetration Testing David Stack (Jul 11)
- Re: Legalities and Penetration Testing Velislav K Pavlov (Jul 11)
- Re: Legalities and Penetration Testing David Stack (Jul 11)
- Re: Legalities and Penetration Testing Velislav K Pavlov (Jul 11)