Penetration Testing mailing list archives

Re: [PEN-TEST] Help defining job scope


From: "Tonick, Mike" <Mike.Tonick () PS NET>
Date: Wed, 23 Aug 2000 10:56:59 -0500

Steve,

What you need is a "Get Out of Jail - Free" card.  Write up a description of
the type of activities you will be performing, and then have your upper
management sign off on it.  Carry it with you.  Also, I think it is a good
practice to notify someone of authority, other than yourself, that you or
your team is going to be doing XYZ during a certain time frame.  Especially
if the probes are friendly and to be used for internal direction and
improvement.

Regards,

Michael D. Tonick, CISSP
Senior Security Consultant
Perot Systems
Dallas, Texas

-----Original Message-----
From: Steven W. Smith [mailto:SYSSWS () GC MARICOPA EDU]
Sent: Tuesday, August 22, 2000 11:13 AM
To: PEN-TEST () SECURITYFOCUS COM
Subject: Help defining job scope


  I'm transitioning from systems management and programming into a "site
security person" role.  We don't even have an appropriate job title, yet.

  I've read horror stories about security people prosecuted for performing
their jobs and I don't want to follow in their footsteps.  I'd like to write a
document alluding to job duties that I'm authorized to perform: port scans,
probing for vulnerabilities, etc. and get a hardcopy signed by my boss and
his boss.

  I'm not looking for a laundry list of what I can do, rather, a "this guy is
*supposed* to be doing scary stuff" doc.  I'd really appreciate any
suggestions toward this goal and/or pointers to net resources.  Thanks much!
If this is off-topic for the list I trust it won't make it past the
moderator.

Steve

Steven W. Smith, Systems Programmer
Glendale Community College. Glendale Az.
syssws () gc maricopa edu

