Penetration Testing mailing list archives

RE: Papers prior to pen-test


From: "Bud Gordon" <bud.gordon () hughes net>
Date: Tue, 19 Sep 2006 17:06:33 -0400

I am no lawyer, but how about this?

Memorandum for File

Subject: Information Technology Security Testing Authorization

Date: MMDDYY

To properly secure its information technology assets, the <Company> is
required to assess its security stance periodically by conducting
information security testing.  These activities involve testing
<Company> computer systems to discover vulnerabilities present on these
systems. Only with knowledge of these vulnerabilities can the <Company>
apply security fixes or other compensating controls to improve the
security of the <Company> information infrastructure.

It is understood that information security testing involves manipulating
system processes and services, and that this process may cause a host to
become unstable.  Even though the likelihood of a system failure is
small, critical or sensitive data should be backed up prior to testing.

The purpose of this memo is to grant authorization to <pen tester> to
conduct security testing of the <Company>'s assets.  To that end, the
undersigned attests to the following:

1) The personnel named below have permission to scan / test the
<Company>'s computer equipment to find vulnerabilities.  This permission
is granted from [date] until [date].

2) <CIO> has the authority to grant this permission for testing the
organization's Information Technology assets.

Bud


-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
On Behalf Of Maxime Ducharme
Sent: Tuesday, September 19, 2006 11:47 AM
To: pen-test () securityfocus com
Subject: Papers prior to pen-test


Hello guys

I'm looking for examples of a kind of "contract" prior
to a pen-test, I mean writing down responsibilities
for each party before doing a pen-test in case anything
goes wrong.

Any ideas?

TIA
 
Maxime Ducharme



------------------------------------------------------------------------
This List Sponsored by: Cenzic

Need to secure your web apps?
Cenzic Hailstorm finds vulnerabilities fast.
Click the link to buy it, try it or download Hailstorm for FREE.
http://www.cenzic.com/products_services/download_hailstorm.php
------------------------------------------------------------------------





