The Importance of Consent Forms When Carrying Out a Penetration Test
Penetration tests are an essential tool in ensuring that your computer systems are secure from known threats, and it’s important to carry them out on a regular basis or after any significant changes have been made. Forewarned is forearmed, and knowing about common pitfalls can ensure your tests run smoothly and avoid any delays or additional costs.
What’s the big deal with consent forms?
While obtaining consent can be a tedious process, it is one of the most important parts of a test and is an essential protection that allows the penetration test to take place. Without consent, the penetration tester is breaking the Computer Misuse Act and could also be liable under various other Acts, depending on the data discovered during the test.
The best way of managing consent is to begin the process early and communicate with the testing provider. Make sure you have an accurate inventory of targets as well as an understanding of how your applications function. Knowledge of any hosting provider requirements will also ensure you are able to speak to your testing provider and receive the correct information in a timely manner.
What are my hosting provider requirements?
It is common nowadays to see businesses moving their infrastructure into the cloud, most prominently web and mail servers. Hosting such servers with third parties, while convenient and potentially cheaper, means you’re subject to their terms and conditions when it comes to usage.
Some companies, such as Amazon Web Services (AWS) or Rackspace, require their own consent forms to be completed prior to any testing taking place. This is because the environment is shared amongst several companies, and exploitation of a server could affect entities that are independent of the organisation being tested.
Problems arise when companies are not aware of the third-party (Read more...)
*** This is a Security Bloggers Network syndicated blog from The State of Security authored by Tripwire Guest Authors. Read the original post at: https://www.tripwire.com/state-of-security/security-data-protection/consent-forms-carrying-penetration-test/