Penetration Testing mailing list archives
Re: [PEN-TEST] Help defining job scope
From: "Missy, E" <freehold () EROLS COM>
Date: Wed, 23 Aug 2000 00:14:36 -0400
I've read horror stories about security people prosecuted for performing their jobs and I don't want to follow in their footsteps.
(CUT)
I'm not looking for a laundry list of what I can do, rather, a "this guy is *supposed* to be doing scary stuff" doc.
I hope I understood your question... IMO a 'laundry list' approach is actually not a bad idea, rather than a blanket 'this guy is our representative and has our permission to do anything he sees fit in order to preserve/protect corporate resources' etc.

One problem with blanket approval is blanket responsibility - and potential lack of accountability upstream. If you think you've got permission to scan, and someone else raises hell over it, corporate could possibly hang you out by saying that scanning isn't protecting, it's attacking - or something like that. I *know* there are better examples than the above, I'm just not thinking right now. :)

The 'best' security job descriptions IMO, just like the policies, are pretty specific. For example:

- Under what circumstances, if any, can you access individual user files?
- If there's no policy against 'unauthorized software', and you suspect that one of your users downloaded something that's having/might have a negative impact, what can/should you do about it?
- How much documentation is required from you in case of an incident? Where's your logbook, and who has custody when you're gone?
- How much containment can you do?
- Under what circumstances is scanning/probing conducted?
- How are software audits conducted?
- etc., etc., etc.

****************************
"A verbal contract isn't worth the paper it's printed on." --- Sam Goldwyn
Current thread:
- [PEN-TEST] Help defining job scope Steven W. Smith (Aug 22)
- Re: [PEN-TEST] Help defining job scope Missy, E (Aug 23)
- Re: [PEN-TEST] Help defining job scope Drew Simonis (Aug 24)
- Re: [PEN-TEST] Help defining job scope T. Barrick (Aug 24)
- Re: [PEN-TEST] Help defining job scope Steven Kastl (Aug 24)
- <Possible follow-ups>
- Re: [PEN-TEST] Help defining job scope Tonick, Mike (Aug 24)
- Re: [PEN-TEST] Help defining job scope Thomas Hayward (Aug 24)
- Re: [PEN-TEST] Help defining job scope Tonick, Mike (Aug 26)