Firewall Wizards mailing list archives

Off-Topic: Memo of Understanding for Using an Ethical Hacker


From: Bruce Platt <Bruce () ei3 com>
Date: Wed, 25 Aug 2004 17:30:11 -0400

Without starting a huge flaming thread ...

Have any of you used a "Memo of Understanding" or "Contract" (shudder) when
asked to do some "ethical hacking" for a company on their resources,
systems, and networks?

I'd like to skip over the topic of Certification for Ethical Hackers and get
to the issue of what one might want to include in such a document to protect
both oneself and the company.

What comes to mind quickly are many of the same sorts of indemnifications,
hold-harmless, and liability issues which would apply for a non-security-related
consulting agreement, but with the various sorts of damage which can
be done by mistake or carelessness and so forth when asking one to assess a
company's security profile, I would think that some of you might have used a
document with which you are comfortable in the past, or have a pointer to
one.

I know what I have done when I was a full-time employee within my own
company, but have yet to find a document which seems comfortable for use
with an external consultant.

(And no, I am not looking to start yet another new career :-)  sigh )

Thanks and regards

Bruce