Penetration Testing mailing list archives

Re: How to Tackle the Legal Tangle?


From: Sameer Saxena <sameer () pt com sg>
Date: Tue, 11 Sep 2001 10:38:16 -0700

Hi Biju,

A) You could refer to the following link for a Sample Pentest Contract

http://www.pwcrack.com/Penetration_Testing/Penetration_Testing_Contract/penetration_testing_contract.html


B) You will also need to check in the Indian CyberLaw about clauses needed to
protect an organization's network and computing resources. I don't think we
have a Privacy Law in India (which protects private information on
individuals). If we had, you would also need to look up the same. Penalties
for the unauthorized release of protected information, as well as specific
access authorization criteria should be documented in the legal document.

There is also a personal liability issue. Down time to get an organization's
network back on-line, or to simply recover data after a virus attack can be
very expensive. Costs can also be high if certain types of data are
manipulated to show other than actual information. Therefore, it is
important for the tester to understand that unauthorized use of any software
for the purpose of manipulating or otherwise destroying data can result in
personal legal responsibility for organizational financial loss.

Let's examine closely what a penetration test tool really does. Remember that
the tool works by actually attacking a network. If the attack is successful,
the information can also be used as an initial step in the monitoring
process. Look out for the Clause that applies to those who knowingly access
a computer without authorization, or to those who exceed their
authorization. Additionally, the site users should normally be pre-warned, and
the actual testing of a particular user's machine must be accomplished with
sensitivity to both the user and the system manager responsible for the
network being tested to avoid any misunderstandings.

C) Some more links for you:
http://www.sans.org/infosecFAQ/legal/business.htm

http://www.sans.org/infosecFAQ/legal/liability.htm


Cheers,
Sameer Saxena

----- Original Message -----
From: Biju Mukund <bmukund () mielesecurity com>
To: <pen-test () securityfocus com>
Sent: Sunday, September 09, 2001 9:13 PM
Subject: How to Tackle the Legal Tangle?


There is a lot of confusion on the Legal Documents that we need to sign and
protect ourselves (i.e. Pen Testing Company) before we accept an Assignment.
Consultants and legal 'experts' dump loads of papers which no one really
understands.
Is anyone aware of a web resource where one can find all/some documents
which we might use before and after a Pen-testing assignment?
Or is there someone who can guide us on "How to Tackle the Legal Tangle?"

Regards
Biju Mukund

BS 7799 Certified Auditor
MIEL e-Security Pvt. Ltd
bmukund () mielesecurity com
www.mielesecurity.com

----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/

