Re: [PEN-TEST] Help defining job scope

[Thomas Hayward <thayward () SAGENT COM>]

That said.... Never assume immunity!

   Depending on the scope of your test, communication with the corporate
management is key.  Make sure in the contract and scope that you worked out
with the corporate management, that they know you will be simulating real
world penetration.  Depending on when you have agreed to communicate with
them, you should let them know what you are doing.  If you plan on having a
"black out" period, where you do not want to tell Management (in case they
are going to blab to their IT staff that someone might be prying....), then
make sure that "Management knows" the scope of the tests, and the report
they will later receive.
    The most important thing is to keep good documentation, and a log book
of when you tested what, and the results.  So that if the corporate backed
legal defense becomes necessary, your covered as well as possible!

just 2 cents worth

Tom

-----Original Message-----
From: T. Barrick [mailto:tbarrick () HOME COM]
Sent: Wednesday, August 23, 2000 08:51 AM
To: PEN-TEST () SECURITYFOCUS COM
Subject: Re: [PEN-TEST] Help defining job scope


Steven,

Unless I have mis-interpreted what you said, you are basically looking for
the
same thing that our team is seeking from upper management - a "get out of
jail
free card."

That said, I am curious how other members of this list in the corporate
world,
rather than the security consultancy side of the house (that is a separate
discussion entirely) have dealt with this. Do others have this "get out of
jail
free card" written in a document, or is it just an assumed immunity or
expectation
of corporate backed defense should trouble arise?

Our team's concern is that we operate an a world-wide basis - - many
countries
with varying laws and tolerances for network weakness discovery.
Additionally we
sometimes have to deal with 3rd party hosted installations that may or may
not
know that we are the good guys.

I suppose I really could have just said "me too" but I wanted to expand on
your
topic a bit. :-)

Toby

"Steven W. Smith" wrote:

>   I'm transitioning from systems management and programming into a "site
> security person" role.  We don't even have an appropriate job title, yet.
>
>   I've read horror stories about security people prosecuted for performing
> their jobs and I don't want to follow in their footsteps.  I'd like to
write a
> document alluding to job duties that I'm authorized to perform: port
scans,
> probing for vulnerabilities, etc. and get a hardcopy signed by my boss and
> his boss.
>
>   I'm not looking for a laundry list of what I can do, rather, a "this guy
is
> *supposed* to be doing scary stuff" doc.  I'd really appreciate any
> suggestions toward this goal and/or pointers to net resources.  Thanks
much!
> If this is off-topic for the list I trust it won't make it past the
moderator.
> Steve
>
> Steven W. Smith, Systems Programmer
> Glendale Community College. Glendale Az.
> syssws () gc maricopa edu