Penetration Testing mailing list archives

Re: What is your policy on customers participating in a pen test?


From: "David Rosenthal" <DRosent () pcmh com>
Date: Wed, 20 Jun 2001 07:16:15 -0400

I am in the process of reviewing various proposals for a future A&P testing engagement at my organization.  I have 
specifically inquired about the possibility of "observing" the work of the pen-testers as they conduct their testing 
and all the vendors we are considering have agreed to this.  
Speaking strictly as a potential "client" for this type of service, I feel strongly that the testing per se should be 
left to the experts (YOU), and we as clients should stay out of the way and let you do your jobs.  But again, I feel 
that observing the actions of the pen-testers as they are working is entirely appropriate.
That's my 2 cents....

David 

Joe Klein <jsklein () mindspring com> 6/19/01 1:59:45 AM >>> 
All: 

I am hearing customers request (and sometimes demand) that they be part of a 
pen test. 

Currently, we offer the customer 4 - 8 hours of time to review findings and show 
them what we did to access their systems. But we do this after the pen test is 
complete. 

I was wondering how other companies deal with this issue? 

J 
