Penetration Testing mailing list archives

Re: [PEN-TEST] Help defining job scope


From: "Missy, E" <freehold () EROLS COM>
Date: Wed, 23 Aug 2000 00:14:36 -0400


  I've read horror stories about security people prosecuted for performing
their jobs and I don't want to follow in their footsteps.
(CUT)

I'm not looking for a laundry list of what I can do, rather, a "this guy is
*supposed* to be doing scary stuff" doc.

I hope I understood your question... IMO a 'laundry list' approach is
actually not a bad idea, rather than a blanket 'this guy is our
representative and has our permission to do anything he sees fit in
order to preserve/protect corporate resources' etc.  One problem with
blanket approval is blanket responsibility - and potential lack of
accountability upstream.  If you think you've got permission to scan,
and someone else raises hell over it, corporate could possibly hang you
out by saying that scanning isn't protecting, it's attacking - or
something like that.  I *know* there are better examples than the above,
I'm just not thinking right now.  :)

The 'best' security job descriptions IMO, just like the policies, are
pretty specific.  For example, under what circumstances if any you can
access individual user files?  If there's no policy against
'unauthorized software', and you suspect that one of your users
downloaded something that's having/might have a negative impact, what
can/should you do about it?  How much documentation is required from you
in case of an incident?  Where's your logbook, who has custody when
you're gone?  How much containment can you do?  Under what circumstances
is scanning/probing conducted?  How are software audits conducted?
etc., etc., etc.

****************************

"A verbal contract isn't worth the paper it's printed on."
--- Sam Goldwyn
