From: Martin Murray-Brown (Martin.Murray-Brown@derivco.com)
Date: Tue Jun 22 2004 - 02:50:08 EDT
Hi all,
In helping set up the documentation for our new security testing team,
we found the OSSTMM manual very helpful... specifically the rules of
engagement.
Take a look here... http://www.isecom.org/osstmm/
-----Original Message-----
From: Yonatan Bokovza
We usually sign Non-Disclosure Agreements, so the client is assured his
sensitive
information is safe with us.
The client is also signed on a legal paper saying we take no
responsibility for any
loss that occurs due to the penetration-test, though we promise to do
our best to
minimize it.
As for the liability issue you mentioned, I know there are insurance
solutions for
that.
Regards,
Yonatan Bokovza
Senior IT Security Consultant, CISSP
Xpert Systems
-----Original Message-----
From: anonyguard-pentest@yahoo.com
Hello, everyone. I'm looking at the possibility of
striking out on my own with a network vulnerability
assessment / penetration test consulting firm. My
question is more towards the administrative side of the
business, rather than the technical. For those of you
who do this kind of consulting, what sorts of contracts,
statements of work or other legal documents do you use
with your customers? I'm particularly concerned about
the liability issue of probing and/or breaking into
other peoples' networks. What sort of waivers do you
ask your customers to sign, or what reasonable amount
of liability are you willing to accept?
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:56 EDT