Before allowing someone to test sensitive data, companies normally take measures regarding the availability, confidentiality, and integrity of data. For this agreement to be in place, legal compliance is a necessary activity for an organization.
The most important legal regulations which have to be observed when establishing and maintaining security and authorization systems are presented below in context for using in implementing penetration tests.
Following are some of the issues which may arise between a tester and his client −
The tester is unknown to his client – so, on what ground, he should be given access of sensitive data
Who will take the guarantee of security of the lost data?
The client may blame for the loss of data or confidentiality to tester
Penetration testing may affect system performance, and can raise confidentiality and integrity issues; therefore, this is very important, even in an internal penetration testing, which is performed by an internal staff to get permission in writing. There should be a written agreement between a tester and the company/organization/individual to clarify all the points regarding the data security, disclosure, etc. before commencing testing.
A statement of intent should be drawn up and duly signed by both the parties prior to any testing work. It should be clearly outlined that the scope of the job and that, you may and may not be doing while performing vulnerability tests.
For the tester, it is important to know who owns the business or systems which are being requested to work on, and the infrastructure between testing systems and their targets that may be potentially affected by pen testing. The idea is to make sure;
the tester has the permission in writing, with clearly defined parameters.
the company has the details of its pen tester and an assurance that he would not leak any confidential data.
A legal agreement is beneficial for both the parties. Remember, regulations change from country to country, so keep yourself abreast with the laws of your respective country. Sign an agreement only after considering the respective laws.