Structuring a Penetration Testing Agreement

When performing penetration tests, the signed agreements you have in place may be your best friend or your worst enemy. Two documents matter most here: the Statement of Work and the get-out-of-jail-free letter.

Statement of Work

Most organizations use a Statement of Work (SOW) when contracting outside work. The format of the SOW is not as important as its content. Normally, the contractor (in this case, the penetration tester) prepares the SOW and presents it to the client as part of the proposal. If the client accepts, the client issues a purchase order or task order on the existing contract. There are some things you want to ensure you have in the SOW:
• Purpose of the assessment
• Type of assessment
• Scope of effort
• Limitations and restrictions
• Any systems explicitly out of scope
• Time constraints of the assessment
• Preliminary schedule
• Communication strategy
• Incident handling and response procedures
• Description of the task to be performed
• Deliverables
• Sensitive data handling procedures
• Required manpower
• Budget (to include expenses)
• Payment terms
• Points of contact for emergencies

Get-Out-of-Jail-Free Letter

Whenever possible, have the client give you a “get-out-of-jail-free letter.” The letter should say something like

To whom it may concern,

Although this person looks like they are up to no good, they are actually part of a security assessment, authorized by The Director of Security…

Please direct any questions to…

A letter of this sort is particularly useful when crawling around dumpsters in the middle of the night.