Penetration Testing mailing list archives

Re: Pen Test--France and Belgium


From: Stefan <netfortius () gmail com>
Date: Tue, 8 Dec 2009 14:50:37 -0600

I would - personally - seek legal advice in the country/ies in which you are
going to carry out the services. While such a mailing list is probably
very good for technical issues, *I* think it should only be used to
source, not rely upon, legal matters. I have done and serviced IT
issues globally, and I wouldn't feel comfortable about "walking" into
a different country's legally bound systems analysis (e.g.
security/pen-testing) if not with the help of local legal experts ...
in fact I even had to use my foreign language skills to double-check
issues, sometimes.

Stefan

On 12/7/09, Michael Daveler <mdaveler () yahoo com> wrote:
Hi List:

We are a USA security company and have been asked by our client to perform a
two-phase project of the client's third-party vendors/suppliers located in
France and Belgium.  Phase one will be a vuln scan, and Phase two will be a
penetration test.  Both phases will have scans/pen tests originating across
the Internet.

We will be securing the appropriate contracts/agreements/etc. with client,
client's third-party vendors, consent forms from third-party vendors' ISPs
(to allow scans through their networks to third-party vendor, etc.).  And
most importantly, will have all contract/agreement work done by legal
counsel well-versed in this type of work, and knowledgeable of laws in
France and Belgium.

In the interim, for the initial fact-finding, looking to see if anyone has
put together any checklists, guidance documents or has feedback on things
you should/should NOT do while doing scans/pen tests against entities in
France and Belgium, what specific laws can be referenced/reviewed, etc.

As an example, I have heard that if doing pen tests of entities in France,
you need to follow their crypto laws; had to have lawyers approve the crypto
algorithms used for setting up encrypted connections going to and from the
country; and some other algorithms required registration with the government
to use, etc.

So any and all details are much appreciated.  If appropriate, once I have
collected all feedback, I can prepare a summary and post back to the list.

Thanks in advance,

--Mike

------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually
do a proper penetration test. IACRB CPT and CEPT certs require a full
practical examination in order to become certified.

http://www.iacertification.org
------------------------------------------------------------------------
-- 
Sent from my mobile device

***Stefan Mititelu
http://twitter.com/netfortius
http://www.linkedin.com/in/netfortius
