Commentary

Get Your Pentesting Permission Slip

As infosec professionals, we are often tasked with performing duties that would be considered illegal if we did not receive proper authorization beforehand. For example, if you were performing a penetration test against a system that you or your employer doesn't own, or for which you don't have authorization to access, then you could be violating a number of laws leading to termination and possible criminal prosecution.

So what do you need to proceed?

At the very least, you need some type of authorization form. I've seen various "get out of jail free" forms that pertain to pentesting and vulnerability assessment; a good example I've seen used as a basis for other forms is located at CounterHack.net. It includes the names of the testers and approvers, their signatures, and an area for additional permissions and/or restrictions. The beginning of the document also includes a basic justification for why the testing needs to be done.

For infosec professionals who perform vulnerability assessments and penetration tests on a regular basis, it's also a good idea to make sure these activities are spelled out in your job description. In the SANS SEC560 course, it was recommended that a permission letter like this one be completed and signed by the CSO so questions don't arise later about your activities -- especially if your testing inadvertently takes down a production server.

That said, don't simply copy the text from the above authorization form and think you're all set. No doubt you'll want to modify it to fit your organization, and then get it approved by your general counsel. Once that happens, get the necessary personnel to sign it. Keep it on file and renew it every year as a reminder to you and the higher ups of your responsibility in keeping your network safe.

John H. Sawyer is a senior security engineer on the IT Security Team at the University of Florida. The views and opinions expressed in this blog are his own and do not represent the views and opinions of the UF IT Security Team or the University of Florida. When John's not fighting flaming, malware-infested machines or performing autopsies on blitzed boxes, he can usually be found hanging with his family, bouncing a baby on one knee and balancing a laptop on the other. Special to Dark Reading.
