Penetration Test - Planning and Scoping(6)

Penetration Test - Planning and Scoping(6)

LEGAL CONCEPTS

• Statement of Work(SOW)
  • Clearly states what tasks are to be accomplished
• Master Service Agreement (MSA)
  • Specifies details of the business arrangement
• Non-Disclosure Agreement (NDA)
  • An agreement that defines confidentiality, restrictions and/or sharing information

ENVIRONMENTAL DIFFERENCES

• Export restrictions - restrictions on shipments, transfer of technology, or services outside the U.S.
  • See U.S. State Department resource - https://www.state.gov/strategictrade/overview
• National or local restrictions
  • Differ among countries
  • Local customs differ
• Corporate policies
  • Differ between most organizations

WRITTEN AUTHORIZATION

• Obtain signature from the proper signing authority
  • "Get out of jail free" card
  • Pen tests can reveal sensitive or confidential information
  • Activities may be illegal without proper permission
  • Signed permission makes you a white hat pen tester
• Third-party authorization when necessary
  • Ex: from a Cloud service provider
  • Get permission for any outside resources used
    • Cloud, Internet (ISP usage), etc.

QUICK REVIEW

• Understand common contract types
• Pay attention to localization restrictions
• Always get written permission
• Find out if you need third-party permission as well