Firewall Wizards mailing list archives

Re: Off-Topic: Memo of Understanding for Using an Ethical Hacker


From: Matt Curtin <cmcurtin () interhack net>
Date: Thu, 26 Aug 2004 07:32:48 -0400

Bruce Platt <Bruce () ei3 com> writes:

> Have any of you used a "Memo of Understanding" or "Contract"
> (shudder) when asked to do some "ethical hacking" for a company on
> their resources, systems, and networks?

We do for penetration testing, much like we do for any other kind of
service that we perform.

Anyone doing this kind of thing should address several key issues:

 o Get your contract drafted by an attorney who understands
   appropriate areas of law (e.g., what you're doing, technology,
   contracts, local/state statutes).  Do not try to skimp on this.  If
   you're not willing to spend a few hundred bucks to get your
   contract right, to give your client(s) the appropriate notification
   of their terms and conditions, to give yourself appropriate
   protection against litigious clients whose ancient VMS system you
   kicked over without having any chance to discover its presence
   first, etc., you're not really in the business.

 o After you get your standard terms and conditions drafted, be sure
   that you have an appropriate level of insurance, for both liability
   and E&O purposes.  Make sure that your underwriter sees your
   standard terms and conditions.  Be prepared to pay out the wazoo
   for coverage that is worth having, and expect that your rates will
   get jacked up significantly every year even though you don't have
   any claim made.  This is a high risk business, and worse, insurers
   don't have a lot of data on these policies yet, so they're looking
   at all of the unknowns as risks.

 o Be prepared for contract negotiations with almost every client who
   will want to change a word or two here or there for no good
   reason.  The same attorney renegotiating a contract that has
   expired might well want to start with the old contract and then
   tweak the language so it goes back to what you had in the first
   place.  It's completely insane, but that's part of the deal --
   comfort of the client is very important in this business, so if you
   have to wear a party hat and play a kazoo to keep people
   comfortable, that's part of the deal.  Have an attorney handle all
   contract negotiations -- perhaps not directly, but don't agree to
   anything without getting your attorney's blessing or understanding
   what risks you're taking on by not taking the attorney's advice.

   Sometimes you won't be able to start with your standard terms and
   conditions, but will need to start with the client's standard terms
   and conditions.  I've seen this work well and I've seen it be
   ugly.  Again, make sure an attorney who understands your standard
   terms is working contract negotiation to get the language you want
   in there.

 o You don't need your terms and conditions to be a book.  We have a
   plain-language preamble that explains what we're after (in a
   nutshell, it says that we're going to do as good a job as can be
   done, which is why you've hired us, but there are lots of
   unknowns...) in the engagement.  That is just under one page long,
   and it is followed by four pages of legalese that covers all of the
   services we offer from penetration testing to application
   development and regulatory compliance to information infrastructure
   management.  Something that is focused solely on a single
   engagement of penetration testing shouldn't be huge.  Just say what
   you're both trying to get out of the engagement, what you'll do,
   and what you are on the hook for.  The longer it is, the bigger the
   risk of having language that conflicts with other language, and it
   can just turn into a big mess.

 o You might want also to ensure that you get some part of the payment
   up front, anything in the neighborhood of ten to fifty percent,
   depending on the size of the engagement.  This will have several
   other benefits, but having a check in-hand also allows you to have
   some reasonable verification that the money is actually coming from
   someone who is authorized to engage you, as opposed to a piece of
   paper that someone signed that warrants it with nothing to stand
   behind it.

-- 
Matt Curtin, CISSP, IAM, INTP.  Keywords: Lisp, Unix, Internet, INFOSEC.
Founder, Interhack Corporation +1 614 545 HACK http://web.interhack.com/
Author of /Developing Trust: Online Privacy and Security/ (Apress, 2001)
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

