Home page logo
/

pen-test logo Penetration Testing mailing list archives

Re: [PEN-TEST] "Get out of Jail Free"
From: "Gallicchio, Florindo (2007)" <florindo.gallicchio () ESAVIO COM>
Date: Tue, 31 Oct 2000 17:48:36 -0500

Gary:

Depending on how the contract is written with the appropriate legalese, we
ask the client to give us their Get Out of Jail Free document for physical
penetration tests.

In other words, the contract itself has the legal wording that gives us
permission to do the security assessment, and we get a separate document for
our auditors to carry with them when they're doing the social
engineering/physical penetration test portion.  A clearly written
authorization letter from the client's CIO does the trick.

Florindo

-----Original Message-----
From: Gary Warner
To: PEN-TEST () SECURITYFOCUS COM
Sent: 10/31/00 4:35 PM
Subject: [PEN-TEST] "Get out of Jail Free"

We are being challenged by a client's legal department to get better
"get out of
jail free" documentation.

I wondered what other professional penetration testers are doing for
their
"liability" coverage.  Language to the effect that we are going to
access your
boxes, steal your passwords, root your boxes, view confidential
information,
trick your employees, walk into secure areas without authorization, and
if
anyone has a problem with that, we show our "Get out of Jail Free" card.

We have a little two-pager, but I've been advised by legal counsel for
one of
our potential customers that its not worth the paper its written on.

Would love to hear opinions, or better yet see a sample doc that we
could
template.

_-_
gar


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]