I just had a blog post I wrote published at the SANS Pentest Blog entitled Avoiding Pentest DOOM: Protecting Customer Data where I discuss several ways you may be violating NDA's or mishandling customer data along with well defined solutions for addressing these very common failings. Check it out and tell me what you think.

http://pen-testing.sans.org/blog/2012/09/24/avoiding-pen-test-doom-protecting-customer-data

Agreed Hayabusa, but there are instances where the contract stipulates the pentester maintain copies of the report and associated notes for a predetermined period. We do this sometimes because we get 3 or 4 months into a remediation cycle and someone has a question about a particular finding and I know of some organizations that have to do this because remediation cycles are horrendously long, think Big Pharma for instance. Pentesters can't always remember why a particular finding wound up in the report, especially if it was a less than stellar report but if they can go back to tool output or notes, packet captures, etc they can provide additional clarification around the issue ar at least provide enough context where the organization can make a conscious risk decision regarding the finding. Ideally, sufficient context goes into the report to make this a a non-issue but ops will frequently look for any reason to not have to fix whatever it is we are telling them to fix. I'd prefer it always be like you said, but the reality is the operational side of the business doesn't always feel we are on the same side. Antagonistic relationships can develop especially when you are calling someone's baby ugly or asking them to do more work.

It's probably the best idea to have the pentest firm destroy all data and require all associated notes, pcaps, etc be delivered to customer as part of the deliverable package (but not in the report). I have been known to change requirements around depending on who was conducting the test or which assets were within the scope as a conscious risk decision. (external business partner stakeholders, scope too narrowly defined that doesn't take into account other contextual activities, etc)

Yep Andrew, like anything else requirements may vary from engagement to engagement. Some customers will want you to retain data for a year, others may require that it never leaves the customer site, all testing done from corp owned machines and pay more to allow you to write the report onsite and providing a machine to do so.

As for the RGE line, I think that came from a DR class I took several years ago when I worked in state govt. I've used it ever since.

Danged session timeouts...  yet another longer post lost...  (Retyped in wordpad, and transferred in)

@Andrew -it's signed off on by the highest level management at the customer, who is responsible for the contract negotiation, and ultimately, the pentest.  (Preferably the CEO / CIO, but if it's work being contracted below their level, then the highest level manager in the chain.

@tturner - I agree with you.  If a client explicitly requires I keep a copy of their data, so be it.  I'm not in the business of turning down business, over something like this.  I just strongly emphasize that my preference is to NOT retain ANY data.

I DO have reasons for being so adamant with my clients about this issue.  While I've NEVER had it come to a head over a pentest, or professional client data, of my own, I HAVE personally been involved with law enforcement cases, where the simple possession of digital / printed information, even remotely related to a case, was enough that law enforcement pointed fingers at an innocent party.  (Credit card fraud, child pornography case)

When I say possession of, I refer to, very literally, the sheer owership of a computer, and the fact that it COULD have been used to perpetrate a crime, with NO pre-existing evidence that it had.  Because the crime was IT-related, and the innocent party's name was even remotely involved (their credit card had been stolen, and used to open a child pornography site), I witnessed law enforcement confiscate EVERY piece of electronic equipment and media (including those that could NOT hold evidence), from them.  The innocent party was left to prove their own innocence, because law enforcement very literally had no clue what they were doing, in said investigation.  I watched the involved parties get dragged through the mud.  Even when I was brought into the investigation, by the authorities, in order to help them gather information, when I proved the party wasn't involved, they continued to hold the materials until their 'investigation' concluded.  Said investigation caused the innocent party's property to be held for almost 3 months, even when I showed, without a shadow of a doubt, that they could have had no involvement, by the end of day 3.  (I literally handed law enforcement the IP addresses and names of the real perpetrator, from ISP records, research, etc, and was later told that jurisdiction on the case, from that point on, took any and all visibility away, as to whether they arrested the real offender.  From what I have later learned from others in the law enforcement community, this isn't as uncommon as you'd hope.)

The point to my story is this...  While not all law enforcement are as anally remiss about how to investigate IT-related crimes, the less responsibility I or my company maintain, and the more that is LEGALLY left in the customer's possession / rsponsibility, the easier it is to defend, in the event of any issues.  That's not to say we STILL won't ever end up having to deal with a similar situation, nor that we absolutely won't hold data from a pentest, but it minimizes the chances of future headache, greatly, when all I's have been dotted and T's crossed, in a legally binding document.

PS - also to tturner's point, he mentioned being able to go back and review packet captures, etc., and I completely agree.  In all cases where I am handing over "ALL" data to the customer, said data includes encrypted storage, containing ALL captures, etc, which were taken / utilized in the test.

&@m0wgli - agreed with tturner on the great link.  Good share!

I sort of did at http://www.ethicalhacker.net/component/option,com_smf/Itemid,54/topic,9048.msg50370/#msg50370

Thanks for the repost though