Firewall Wizards mailing list archives
Re: Off-Topic: Memo of Understanding for Using an Ethical Hacker
From: Matt Curtin <cmcurtin () interhack net>
Date: Thu, 26 Aug 2004 07:32:48 -0400
Bruce Platt <Bruce () ei3 com> writes:
Have any of you used a "Memo of Understanding" or "Contract" (shudder) when asked to do some "ethical hacking" for a company on their resources, systems, and networks?
We do for penetration testing, much like we do for any other kind of service that we perform. Anyone doing this kind of thing should address several key issues:

o Get your contract drafted by an attorney who understands appropriate areas of law (e.g., what you're doing, technology, contracts, local/state statutes). Do not try to skimp on this. If you're not willing to spend a few hundred bucks to get your contract right, to give your client(s) the appropriate notification of their terms and conditions, to give yourself appropriate protection against litigious clients whose ancient VMS system you kicked over without having any chance to discover its presence first, etc., you're not really in the business.

o After you get your standard terms and conditions drafted, be sure that you have an appropriate level of insurance, for both liability and E&O purposes. Make sure that your underwriter sees your standard terms and conditions. Be prepared to pay out the wazoo for coverage that is worth having, and expect that your rates will get jacked up significantly every year even though you don't have any claim made. This is a high risk business, and worse, insurers don't have a lot of data on these policies yet, so they're looking at all of the unknowns as risks.

o Be prepared for contract negotiations with almost every client who will want to change a word or two here or there for no good reason. The same attorney renegotiating a contract that has expired might well want to start with the old contract and then tweak the language so it goes back to what you had in the first place. It's completely insane, but that's part of the deal -- comfort of the client is very important in this business, so if you have to wear a party hat and play a kazoo to keep people comfortable, that's part of the deal.

o Have an attorney handle all contract negotiations -- perhaps not directly, but don't agree to anything without getting your attorney's blessing or understanding what risks you're taking on by not taking the attorney's advice. Sometimes you won't be able to start with your standard terms and conditions, but will need to start with the client's standard terms and conditions. I've seen this work well and I've seen it be ugly. Again, make sure an attorney who understands your standard terms is working contract negotiation to get the language you want in there.

o You don't need your terms and conditions to be a book. We have a plain-language preamble that explains what we're after (in a nutshell, it says that we're going to do as good a job as can be done, which is why you've hired us, but there are lots of unknowns...) in the engagement. That is just under one page long, and it is followed by four pages of legalese that covers all of the services we offer from penetration testing to application development and regulatory compliance to information infrastructure management. Something that is focused solely on a single engagement of penetration testing shouldn't be huge. Just say what you're both trying to get out of the engagement, what you'll do, and what you are on the hook for. The longer it is, the bigger the risk of having language that conflicts with other language, and it can just turn into a big mess.

o You might also want to ensure that you get some part of the payment up front, anything in the neighborhood of ten to fifty percent, depending on the size of the engagement. This will have several other benefits, but having a check in-hand also allows you to have some reasonable verification that the money is actually coming from someone who is authorized to engage you, as opposed to a piece of paper that someone signed that warrants it with nothing to stand behind it.

-- 
Matt Curtin, CISSP, IAM, INTP. Keywords: Lisp, Unix, Internet, INFOSEC.
Founder, Interhack Corporation +1 614 545 HACK http://web.interhack.com/
Author of /Developing Trust: Online Privacy and Security/ (Apress, 2001)

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
Current thread:
- Off-Topic: Memo of Understanding for Using an Ethical Hacker Bruce Platt (Aug 26)
- Re: Off-Topic: Memo of Understanding for Using an Ethical Hacker Kerry Thompson (Aug 27)
- Re: Off-Topic: Memo of Understanding for Using an Ethical Hacker Paul D. Robertson (Aug 28)
- Re: Off-Topic: Memo of Understanding for Using an Ethical Hacker Devdas Bhagat (Aug 28)
- Re: Off-Topic: Memo of Understanding for Using an Ethical Hacker Matt Curtin (Aug 28)