Penetration Testing mailing list archives

Re: Pen Test--France and Belgium


From: Koen Bossaert <koen.bossaert () gmail com>
Date: Thu, 10 Dec 2009 12:33:16 +0100

Hello Michael,

As for Belgium, there are no such special concerns. Just the regular
stuff, as mentioned in your post, and complying with the local
implementation of the EU Data Protection Act.

Regards,
Koen

On Mon, Dec 7, 2009 at 10:31 PM, Michael Daveler <mdaveler () yahoo com> wrote:
Hi List:

We are a USA security company and have been asked by our client to perform a two-phase project of the client's 
third-party vendors/suppliers located in France and Belgium.  Phase one will be a vuln scan, and Phase two will be a 
penetration test.  Both phases will have scans/pen tests originating across the Internet.

We will be securing the appropriate contracts/agreements/etc. with client, client's third-party vendors, consent 
forms from third-party vendor's ISP's (to allow scans through their networks to third-party vendor, etc.).  And most 
importantly, will have all contract/agreement work done by legal counsel well-versed in this type of work, and 
knowledgeable of laws in France and Belgium.

In the interim, for the initial fact-finding, looking to see if anyone has put together any checklists, guidance 
documents or has feedback on things you should/should NOT do while doing scans/pen tests against entities in France 
and Belgium, what specific laws can be referenced/reviewed, etc.

As an example, I have heard that if doing pen tests of entities in France, you need to follow their crypto laws; had 
to have lawyers approve the crypto algorithms used for setting up encrypted connections going to and from the 
country; and some other algorithms required registration with the government to use, etc.

So any and all details are much appreciated.  If appropriate, once I have collected all feedback, I can prepare a 
summary and post back to the list.

Thanks in advance,

--Mike






------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT 
and CEPT certs require a full practical examination in order to become certified.

http://www.iacertification.org
------------------------------------------------------------------------


