Re: [PEN-TEST] Help defining job scope

["T. Barrick" <tbarrick () HOME COM>]

Steven,

Unless I have mis-interpreted what you said, you are basically looking for the
same thing that our team is seeking from upper management - a "get out of jail
free card."

That said, I am curious how other members of this list in the corporate world,
rather than the security consultancy side of the house (that is a separate
discussion entirely) have dealt with this. Do others have this "get out of jail
free card" written in a document, or is it just an assumed immunity or expectation
of corporate backed defense should trouble arise?

Our team's concern is that we operate an a world-wide basis - - many countries
with varying laws and tolerances for network weakness discovery. Additionally we
sometimes have to deal with 3rd party hosted installations that may or may not
know that we are the good guys.

I suppose I really could have just said "me too" but I wanted to expand on your
topic a bit. :-)

Toby

"Steven W. Smith" wrote:

>   I'm transitioning from systems management and programming into a "site
> security person" role.  We don't even have an appropriate job title, yet.
>
>   I've read horror stories about security people prosecuted for performing
> their jobs and I don't want to follow in their footsteps.  I'd like to write a
> document alluding to job duties that I'm authorized to perform: port scans,
> probing for vulnerabilities, etc. and get a hardcopy signed by my boss and
> his boss.
>
>   I'm not looking for a laundry list of what I can do, rather, a "this guy is
> *supposed* to be doing scary stuff" doc.  I'd really appreciate any
> suggestions toward this goal and/or pointers to net resources.  Thanks much!
> If this is off-topic for the list I trust it won't make it past the moderator.
>
> Steve
>
> Steven W. Smith, Systems Programmer
> Glendale Community College. Glendale Az.
> syssws () gc maricopa edu