RE: International Penetration Testing Law (United Kingdom)

From: Greg (gregat_private)
Date: Fri May 24 2002 - 09:58:22 PDT


    Assuming a generic remote pen test, you will be dealing with the UK Computer
    Misuse Act (1990). You will need written permission from the system owners
    and a well defined scope which must also be agreed and signed off before you
    start (but I guess that's the same everywhere.)
    
    If client data is to be or may be exposed during the test you should also
    consider the UK Data Protection Act which governs the handling of personal
    data and the like.
    
    Your engagement letter/contract may need to be re-worded if it is designed for
    use within the US. For instance, I don't believe there is the concept of the
    data protection act in the US although I'm not entirely sure about that one.
    
    CMA 1990 : http://www.hmso.gov.uk/acts/acts1990/Ukpga_19900018_en_1.htm
    DPA 1998 : http://www.hmso.gov.uk/acts/acts1998/19980029.htm
    
    enjoy
    
    Greg
    
    
    
    
    > -----Original Message-----
    > From: M W [mailto:crackthis22at_private]
    > Sent: 22 May 2002 23:12
    > To: crackthis22at_private
    > Subject: International Penetration Testing Law (United Kingdom)
    >
    >
    > Does anybody have any insight (website/links) as to laws/restrictions on
    > international pen testing, specifically from the United States to
    > a client
    > in the United Kingdom?
    >
    > Thanks in Advance
    >
    >
    >
    > ------------------------------------------------------------------
    > ----------
    > This list is provided by the SecurityFocus Security Intelligence
    > Alert (SIA)
    > Service. For more information on SecurityFocus' SIA service which
    > automatically alerts you to the latest security vulnerabilities
    > please see:
    > https://alerts.securityfocus.com/
    >
    
    
    



    This archive was generated by hypermail 2b30 : Fri May 24 2002 - 15:14:15 PDT