Penetration Testing mailing list archives
Re: [PEN-TEST] Help defining job scope
From: Thomas Hayward <thayward () SAGENT COM>
Date: Thu, 24 Aug 2000 10:59:49 -0700
That said.... Never assume immunity! Depending on the scope of your test, communication with the corporate management is key. Make sure in the contract and scope that you worked out with the corporate management that they know you will be simulating real-world penetration. Depending on when you have agreed to communicate with them, you should let them know what you are doing. If you plan on having a "black out" period, where you do not want to tell Management (in case they are going to blab to their IT staff that someone might be prying....), then make sure that "Management knows" the scope of the tests and the report they will later receive. The most important thing is to keep good documentation, and a log book of when you tested what, and the results, so that if the corporate-backed legal defense becomes necessary, you're covered as well as possible!

just 2 cents worth

Tom

-----Original Message-----
From: T. Barrick [mailto:tbarrick () HOME COM]
Sent: Wednesday, August 23, 2000 08:51 AM
To: PEN-TEST () SECURITYFOCUS COM
Subject: Re: [PEN-TEST] Help defining job scope

Steven,

Unless I have misinterpreted what you said, you are basically looking for the same thing that our team is seeking from upper management: a "get out of jail free card." That said, I am curious how other members of this list in the corporate world, rather than the security consultancy side of the house (that is a separate discussion entirely), have dealt with this. Do others have this "get out of jail free card" written in a document, or is it just an assumed immunity or expectation of corporate-backed defense should trouble arise? Our team's concern is that we operate on a world-wide basis, in many countries with varying laws and tolerances for network weakness discovery. Additionally, we sometimes have to deal with 3rd-party hosted installations that may or may not know that we are the good guys.

I suppose I really could have just said "me too" but I wanted to expand on your topic a bit.

:-) Toby

"Steven W. Smith" wrote:
I'm transitioning from systems management and programming into a "site security person" role. We don't even have an appropriate job title, yet. I've read horror stories about security people prosecuted for performing their jobs and I don't want to follow in their footsteps. I'd like to write a document alluding to job duties that I'm authorized to perform: port scans, probing for vulnerabilities, etc. and get a hardcopy signed by my boss and his boss. I'm not looking for a laundry list of what I can do, rather, a "this guy is *supposed* to be doing scary stuff" doc. I'd really appreciate any suggestions toward this goal and/or pointers to net resources. Thanks much!

If this is off-topic for the list I trust it won't make it past the moderator.

Steve

Steven W. Smith, Systems Programmer
Glendale Community College. Glendale Az.
syssws () gc maricopa edu