Hi Biju,

A) You could refer to the following link for a Sample Pentest Contract:
http://www.pwcrack.com/Penetration_Testing/Penetration_Testing_Contract/penetration_testing_contract.html

B) You will also need to check in the Indian CyberLaw about clauses needed to protect an organization's network and computing resources. I don't think we have a Privacy Law in India (which protects private information on individuals). If we had, you would also need to look up the same.

Penalties for the unauthorized release of protected information, as well as specific access authorization criteria, should be documented in the legal document.

There is also a personal liability issue. Down time to get an organization's network back on-line, or to simply recover data after a virus attack, can be very expensive. Costs can also be high if certain types of data are manipulated to show other than actual information. Therefore, it is important for the tester to understand that unauthorized use of any software for the purpose of manipulating or otherwise destroying data can result in personal legal responsibility for organizational financial loss.

Let's examine closely what a penetration test tool really does. Remember that the tool works by actually attacking a network. If the attack is successful, the information can also be used as an initial step in the monitoring process. Look out for the clause that applies to those who knowingly access a computer without authorization, or to those who exceed their authorization.

Additionally, the site users should normally be pre-warned, and the actual testing of a particular user's machine must be accomplished with sensitivity to both the user and the system manager responsible for the network being tested, to avoid any misunderstandings.
C) Some more links for you:
http://www.sans.org/infosecFAQ/legal/business.htm
http://www.sans.org/infosecFAQ/legal/liability.htm

Cheers,
Sameer Saxena

----- Original Message -----
From: Biju Mukund <bmukundat_private>
To: <pen-testat_private>
Sent: Sunday, September 09, 2001 9:13 PM
Subject: How to Tackle the Legal Tangle?

> There is a lot of confusion on the Legal Documents that we need to sign and
> protect ourselves (i.e. Pen Testing Company) before we accept an Assignment.
> Consultants and legal 'experts' dump loads of papers which no one really
> understands.
> Is anyone aware of a web resource where one can find all/some documents
> which we might use before and after a Pen-testing assignment?
> Or is there someone who can guide us on "How to Tackle the Legal Tangle?"
>
> Regards
> Biju Mukund
>
> BS 7799 Certified Auditor
> MIEL e-Security Pvt. Ltd
> bmukundat_private
> www.mielesecurity.com
>
> ----------------------------------------------------------------------------
> This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
> Service. For more information on SecurityFocus' SIA service which
> automatically alerts you to the latest security vulnerabilities please see:
> https://alerts.securityfocus.com/
This archive was generated by hypermail 2b30 : Wed Sep 12 2001 - 10:13:36 PDT