EH-Net

So Im drafting a few LOAs (letter of authorization) for employers for some Penetration Tests.  I havent ever drafted one from scratch before, and with just a few minutes of digging around I find several very rough outlines, generally with information like: make sure you include parameters, systems, etc. - good so far.

I was surprised that I could not find a few samples on line.  Maybe Im a poor google hacker, but I found samples for all sorts of stuff, except LOAs.

So, does anyone know of a site or reference point with some good sample letters in it - I am looking to bounce what I have against a standard of some sort, or at least take some formatting and inclusion tips.

Thanks to all.

Yeah I figured there would be more too, I found alot of sample policies but not many actual sample forms. Here's a few, hope they help

http://alertsite.com/AlertSite_Security_Scan_Authorization.pdf
http://www.auxs.umn.edu/files/SecurityScanPolicy.pdf

Thanks, the second one is ballpark of my first draft.

I went back and added some additional stuff though, as it read like it was scanner permission as opposed to a full on pen test.

Thanks for the assist amigo.

Sounds like a good project for the members of EH...

I here you.

Fenris,

Would you be willing to contribute a sample form for publication?

Don

Sure,

Hows about I draft a copy, removing all incriminating evidence, post it up here, and get some feedback.   Once we get some good feedback, we make a template out of it, and have it as a resource.

Im sure we could do other type forms as well as we go along.

Awesome. I love it.

Good suggestion Hug_It.

Don

Yes, let's have it. I'm sure we'll have some good feedback for you...

Heres a draft of whats currently in use by my employer all specific info dropped:


The "Insert authority here" has authorized "Insert Tester Here" to operate and conduct A&P testing within Company's environment.  All A&P program activities must be approved in advance, in writing, by the "Insert Authority Position here" or Executive responsible for the system to be tested. 


Affected Business Unit(s) or Department(s)


Testing Dates


Targeted System(s) - (insert very specific information here, detailing the specific systems that you will target, and potentially what may NOT be targeted.


Objectives (insert what you are trying to test for here.  This is a reasonable general statement attached)

Authorized testing personnel will assess physical and logical network/system security and privacy controls in systems identified.  The assessment will entail both passive and active means of information gathering. 

Authorized personnel will attempt to gain access to sensitive private or proprietary information in an effort to evaluate the security measures currently enacted, and provide recommendations for improvement.


Authorized Exectuive
Name:
Title


Signature                                                                                  Date


Affected Business Unit / Department Authorization
Name:         
Title:         



Signature   / SOA               Date



Suggestions welcome.

was it that good?

Fenris (been out of town for a couple weeks)

Do we want to have a section that states whether it is a white, gray or black box test? How about something in regards to whether those in the affected business units / departments will be aware of the test?

How about a check box kind of form?

Type of Test

_ White Box
_ Gray Box
_ Black Box

What to Test

_ Entire Network
_ Wired Network
_ Wireless Network
_ Remote Access

Level of Penetration

_ Vulnerability Assessment
_ Penetrate DMZ Only
_ Penetrate Servers
_ Penetrate Workstations
_ Gather Files From Vulnerable Systems For Proof of Penetration

Etc, etc...

This way, it can be like a Sushi menu where the Executive can pick and choose what they want and/or specifically what the don't want.

Thoughts?

Don