Penetration Testing mailing list archives

Re: [PEN-TEST] Help defining job scope


From: Steven Kastl <skastl () NEOHAPSIS COM>
Date: Thu, 24 Aug 2000 13:09:09 -0500

On Wed, 23 Aug 2000, T. Barrick wrote:

> Unless I have mis-interpreted what you said, you are basically looking
> for the same thing that our team is seeking from upper management - a
> "get out of jail free card."
>
> That said, I am curious how other members of this list in the
> corporate world, rather than the security consultancy side of the
> house (that is a separate discussion entirely) have dealt with this.
> Do others have this "get out of jail free card" written in a document,
> or is it just an assumed immunity or expectation of corporate backed
> defense should trouble arise?

You should have a written agreement stating the limitation of liability
and, at a minimum, a loose definition of the project scope.  The agreement
can be drawn up either by your own lawyer/legal dept. or the client's
lawyer/legal dept.  Part of the contract negotiation project should
include the haggling out of the contract terms and conditions.

In the end, this somewhat equates to a "get out of jail free" so long as
you have not violated the terms of the written agreement -- and it should
stand up in any country where you are working with/at a client's office,
since the original agreement was with the parent company.  If you don't
feel comfortable with that arrangement, or if you're just unsure of the
relationship between the offices, involve your legal resources to assess
the situation (again, as part of the contract negotiation process).

Understand that in the end, you're wrangling with legal issues pertaining
to what you can do, what you must deliver, and what the company will allow
you to do that would otherwise be illegal.  Failure to involve a lawyer or
legal dept. on either end is a grave error.  The protection that such a
document provides is for both parties.


--Steve Kastl
==========================================================================
skastl () neohapsis com   |
==========================================================================
