RE: Papers prior to pen-test

[jgervacio () seguridad unam mx]

PENETRATION TESTING CONTRACT
http://www.pwcrack.com/penetration_contract.shtml

Penetration Testing Contract
http://infosecond.com/store/library/Security/Penetration%20Testing%20Contract.pdf
http://72.14.209.104/search?q=cache:-zzf2czXgKEJ:infosecond.com/store/library/Security/Penetration%2520Testing%2520Contract.pdf+Penetration%2520Testing%2520Contract.pdf&hl=es&gl=ar&ct=clnk&cd=1
http://infosecond.com/store/library/Security/Penetration%20Test%20Parameters%20Questionnaire.pdf
http://72.14.209.104/search?q=cache:r11mSks3qkUJ:infosecond.com/store/library/Security/Penetration%2520Test%2520Parameters%2520Questionnaire.pdf+Penetration%2520Test%2520Parameters%2520Questionnaire.pdf&hl=es&gl=ar&ct=clnk&cd=1

Contract drafting for an engagement
http://www.networksecurityarchive.org/html/Pen-Test/2006-05/msg00253.html

--g3--
Quoting Bud Gordon <bud.gordon () hughes net>:

> I am no lawyer, but how about this?
>
> Memorandum for File
>
> Subject: Information Technology Security Testing Authorization
>
> Date: MMDDYY
>
> To properly secure its information technology assets, the <Company> is
> required to assess its security stance periodically by conducting
> information security testing.  These activities involve testing
> <Company> computer systems to discover vulnerabilities present on these
> systems. Only with knowledge of these vulnerabilities can the <Company>
> apply security fixes or other compensating controls to improve the
> security of the <Company> information infrastructure.
>
> It is understood that information security testing involves manipulating
> system processes and services, and that this process may cause a host to
> become unstable.  Even though the likelihood of a system failure is
> small, critical or sensitive data should be backed up prior to testing.
>
> The purpose of this memo is to grant authorization <pen tester> to
> conduct security testing of the <Company>'s assets.  To that end, the
> undersigned attests to the following:
>
> 1) The personnel named below have permission to scan / test the
> <Company>'s computer equipment to find vulnerabilities.  This permission
> is granted for from [date] until [date].
>
> 2) <CIO> has the authority to grant this permission for testing the
> organization's Information Technology assets.
>
> Bud
>
>
> -----Original Message-----
> From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
> On Behalf Of Maxime Ducharme
> Sent: Tuesday, September 19, 2006 11:47 AM
> To: pen-test () securityfocus com
> Subject: Papers prior to pen-test
>
>
> Hello guys
>
> I'm looking for examples of a kind of "contract" prior
> to a pen-test, I mean writing down responsabilities
> for each parties before doing a pen-test in case anything
> goes wrong.
>
> Any ideas ?
>
> TIA
>
> Maxime Ducharme
>
>
>
> ------------------------------------------------------------------------
> This List Sponsored by: Cenzic
>
> Need to secure your web apps?
> Cenzic Hailstorm finds vulnerabilities fast.
> Click the link to buy it, try it or download Hailstorm for FREE.
> http://www.cenzic.com/products_services/download_hailstorm.php
> ------------------------------------------------------------------------
>
>
>
>
> ------------------------------------------------------------------------
> This List Sponsored by: Cenzic
>
> Need to secure your web apps?
> Cenzic Hailstorm finds vulnerabilities fast.
> Click the link to buy it, try it or download Hailstorm for FREE.
> http://www.cenzic.com/products_services/download_hailstorm.php
> ------------------------------------------------------------------------



------------------------------------------------------------------------
This List Sponsored by: Cenzic

Need to secure your web apps?
Cenzic Hailstorm finds vulnerabilities fast.
Click the link to buy it, try it or download Hailstorm for FREE.
http://www.cenzic.com/products_services/download_hailstorm.php
------------------------------------------------------------------------