Penetration Testing mailing list archives
Re: [PEN-TEST] Help defining job scope
From: "Tonick, Mike" <Mike.Tonick () PS NET>
Date: Thu, 24 Aug 2000 22:38:56 -0500
First of all - our "Get Out of Jail Free Cards" are only used internally for red-team testing. External Pen-testing authorization is written into a legal contract, and is quit different. Get Out of Jail Free Cards are not likely to work if someone catches a member of your team and the situation escalates to the point that someone actually gets turned over to the local police. Michael D. Tonick, CISSP Senior Security Consultant Perot Systems Dallas, Texas -----Original Message----- From: T. Barrick [mailto:tbarrick () HOME COM] Sent: Wednesday, August 23, 2000 9:51 AM To: PEN-TEST () SECURITYFOCUS COM Subject: Re: Help defining job scope Steven, Unless I have mis-interpreted what you said, you are basically looking for the same thing that our team is seeking from upper management - a "get out of jail free card." That said, I am curious how other members of this list in the corporate world, rather than the security consultancy side of the house (that is a separate discussion entirely) have dealt with this. Do others have this "get out of jail free card" written in a document, or is it just an assumed immunity or expectation of corporate backed defense should trouble arise? Our team's concern is that we operate an a world-wide basis - - many countries with varying laws and tolerances for network weakness discovery. Additionally we sometimes have to deal with 3rd party hosted installations that may or may not know that we are the good guys. I suppose I really could have just said "me too" but I wanted to expand on your topic a bit. :-) Toby "Steven W. Smith" wrote:
I'm transitioning from systems management and programming into a "site security person" role. We don't even have an appropriate job title, yet. I've read horror stories about security people prosecuted for performing their jobs and I don't want to follow in their footsteps. I'd like to
write a
document alluding to job duties that I'm authorized to perform: port
scans,
probing for vulnerabilities, etc. and get a hardcopy signed by my boss and his boss. I'm not looking for a laundry list of what I can do, rather, a "this guy
is
*supposed* to be doing scary stuff" doc. I'd really appreciate any suggestions toward this goal and/or pointers to net resources. Thanks
much!
If this is off-topic for the list I trust it won't make it past the
moderator.
Steve Steven W. Smith, Systems Programmer Glendale Community College. Glendale Az. syssws () gc maricopa edu
Current thread:
- [PEN-TEST] Help defining job scope Steven W. Smith (Aug 22)
- Re: [PEN-TEST] Help defining job scope Missy, E (Aug 23)
- Re: [PEN-TEST] Help defining job scope Drew Simonis (Aug 24)
- Re: [PEN-TEST] Help defining job scope T. Barrick (Aug 24)
- Re: [PEN-TEST] Help defining job scope Steven Kastl (Aug 24)
- <Possible follow-ups>
- Re: [PEN-TEST] Help defining job scope Tonick, Mike (Aug 24)
- Re: [PEN-TEST] Help defining job scope Thomas Hayward (Aug 24)
- Re: [PEN-TEST] Help defining job scope Tonick, Mike (Aug 26)