[fw-wiz] Off-Topic: Memo of Understanding for Using an Ethical Hacker

From: Bruce Platt (Bruce_at_ei3.com)
Date: 08/25/04

  • Next message: Melson, Paul: "RE: [fw-wiz] Decrypted VPN traffic and access lists on outside interface of PIX"
    To: firewall-wizards@honor.icsalabs.com
    Date: Wed, 25 Aug 2004 17:30:11 -0400
    
    

    Without starting a huge flaming thread ...

    Have any of you used a "Memo of Understanding" or "Contract" (shudder) when
    asked to do some "ethical hacking" for a company on their resources,
    systems, and networks?

    I'd like to skip over the topic of Certification for Ethical Hackers and get
    to the issue of what one might want to include in such a document to protect
    both oneself and the company.

    What comes to mind quickly are many of the same sorts of indemnifications,
    hold-harmless, and liability issues which would apply for a non-security-related
    consulting agreement, but with the various sorts of damage which can
    be done by mistake or carelessness and so forth when asking one to assess a
    company's security profile, I would think that some of you might have used a
    document with which you are comfortable in the past, or have a pointer to
    one.

    I know what I have done when I was a full-time employee within my own
    company, but have yet to find a document which seems comfortable for use
    with an external consultant.

    (And no, I am not looking to start yet another new career :-) sigh )

    Thanks and regards

    Bruce
    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

