Penetration Testing mailing list archives
Re: How to Tackle the Legal Tangle?
From: Sameer Saxena <sameer () pt com sg>
Date: Tue, 11 Sep 2001 10:38:16 -0700
Hi Biju,

A) You could refer to the following link for a Sample Pentest Contract:
http://www.pwcrack.com/Penetration_Testing/Penetration_Testing_Contract/penetration_testing_contract.html

B) You will also need to check in the Indian CyberLaw about clauses needed to protect an organization's network and computing resources. I don't think we have a Privacy Law in India (which protects private information on individuals). If we had, you would also need to look up the same.

Penalties for the unauthorized release of protected information, as well as specific access authorization criteria, should be documented in the legal document.

There is also a personal liability issue. Down time to get an organization's network back on-line, or to simply recover data after a virus attack, can be very expensive. Costs can also be high if certain types of data are manipulated to show other than actual information. Therefore, it is important for the tester to understand that unauthorized use of any software for the purpose of manipulating or otherwise destroying data can result in personal legal responsibility for organizational financial loss.

Let's examine closely what a penetration test tool really does. Remember that the tool works by actually attacking a network. If the attack is successful, the information can also be used as an initial step in the monitoring process.

Look out for the Clause that applies to those who knowingly access a computer without authorization, or to those who exceed their authorization.

Additionally, the site users should be normally pre-warned; the actual testing of a particular user's machine must be accomplished with sensitivity to both the user and the system manager responsible for the network being tested to avoid any misunderstandings.

C) More links for you:
http://www.sans.org/infosecFAQ/legal/business.htm
http://www.sans.org/infosecFAQ/legal/liability.htm

Cheers,
Sameer Saxena

----- Original Message -----
From: Biju Mukund <bmukund () mielesecurity com>
To: <pen-test () securityfocus com>
Sent: Sunday, September 09, 2001 9:13 PM
Subject: How to Tackle the Legal Tangle?

There is a lot of confusion on the Legal Documents that we need to sign and protect ourselves (i.e. Pen Testing Company) before we accept an Assignment. Consultants and legal 'experts' dump loads of papers which no one really understands.

Is anyone aware of a web resource where one can find all/some documents which we might use before and after a Pen-testing assignment? Or is there someone who can guide us on "How to Tackle the Legal Tangle?"

Regards
Biju Mukund
BS 7799 Certified Auditor
MIEL e-Security Pvt. Ltd
bmukund () mielesecurity com
www.mielesecurity.com

----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA) Service. For more information on SecurityFocus' SIA service which automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/