Structuring a Penetration Testing Agreement
When performing penetration tests, the signed agreements you have in place may be your best friend or worst enemy. The following documents are the ones that matter.
Statement of Work
Most organizations use a Statement of Work (SOW) when contracting outside work. The format of the SOW is not as important as its content. Normally, the contractor (in this case, the penetration tester) prepares the SOW and presents it to the client as part of the proposal. If the client accepts, the client issues a purchase order or task order on the existing contract. There are some things you want to ensure you have in the SOW:
• Purpose of the assessment
• Type of assessment
• Scope of effort
• Limitations and restrictions
• Any systems explicitly out of scope
• Time constraints of the assessment
• Preliminary schedule
• Communication strategy
• Incident handling and response procedures
• Description of the task to be performed
• Deliverables
• Sensitive data handling procedures
• Required manpower
• Budget (to include expenses)
• Payment terms
• Points of contact for emergencies
Get-Out-of-Jail-Free Letter
Whenever possible, have the client give you a “get-out-of-jail-free letter.” The letter should say something like:
To whom it may concern,
Although this person looks like they are up to no good, they are actually part of a security assessment, authorized by The Director of Security…
Please direct any questions to…
A letter of this sort is particularly useful when crawling around dumpsters in the middle of the night.