.

LOA Samples

<<

Fenris

Post Tue Aug 01, 2006 12:13 pm

LOA Samples

So Im drafting a few LOAs (letter of authorization) for employers for some Penetration Tests.  I havent ever drafted one from scratch before, and with just a few minutes of digging around I find several very rough outlines, generally with information like: make sure you include parameters, systems, etc. - good so far.

I was surprised that I could not find a few samples on line.  Maybe Im a poor google hacker, but I found samples for all sorts of stuff, except LOAs.

So, does anyone know of a site or reference point with some good sample letters in it - I am looking to bounce what I have against a standard of some sort, or at least take some formatting and inclusion tips.

Thanks to all.
<<

oleDB

User avatar

Recruiters
Recruiters

Posts: 236

Joined: Thu Jul 20, 2006 8:58 am

Location: HOA

Post Tue Aug 01, 2006 12:44 pm

Re: LOA Samples

Yeah I figured there would be more too, I found alot of sample policies but not many actual sample forms. Here's a few, hope they help

http://alertsite.com/AlertSite_Security ... zation.pdf
http://www.auxs.umn.edu/files/SecurityScanPolicy.pdf
<<

Fenris

Post Tue Aug 01, 2006 12:58 pm

Re: LOA Samples

Thanks, the second one is ballpark of my first draft.

I went back and added some additional stuff though, as it read like it was scanner permission as opposed to a full on pen test.

Thanks for the assist amigo.
<<

Hug_It

Newbie
Newbie

Posts: 28

Joined: Thu Feb 23, 2006 4:21 pm

Post Tue Aug 01, 2006 1:30 pm

Re: LOA Samples

Sounds like a good project for the members of EH...
CISSP
<<

don

User avatar

Administrator
Administrator

Posts: 4226

Joined: Sun Aug 28, 2005 10:47 pm

Location: Chicago

Post Tue Aug 01, 2006 3:21 pm

Re: LOA Samples

I here you.

Fenris,

Would you be willing to contribute a sample form for publication?

Don
CISSP, MCSE, CSTA, Security+ SME
<<

Fenris

Post Wed Aug 02, 2006 10:56 am

Re: LOA Samples

Sure,

Hows about I draft a copy, removing all incriminating evidence, post it up here, and get some feedback.  Once we get some good feedback, we make a template out of it, and have it as a resource.

Im sure we could do other type forms as well as we go along.
<<

don

User avatar

Administrator
Administrator

Posts: 4226

Joined: Sun Aug 28, 2005 10:47 pm

Location: Chicago

Post Wed Aug 02, 2006 11:06 am

Re: LOA Samples

Awesome. I love it.

Good suggestion Hug_It.

Don
CISSP, MCSE, CSTA, Security+ SME
<<

tmartin

Recruiters
Recruiters

Posts: 46

Joined: Tue Sep 20, 2005 9:36 pm

Post Wed Aug 02, 2006 1:26 pm

Re: LOA Samples

Yes, let's have it. I'm sure we'll have some good feedback for you...
<<

Fenris

Post Fri Aug 04, 2006 11:51 am

Re: LOA Samples

Heres a draft of whats currently in use by my employer all specific info dropped:

Attack & Penetration Authorization Form


The "Insert authority here" has authorized "Insert Tester Here" to operate and conduct A&P testing within Company's environment.  All A&P program activities must be approved in advance, in writing, by the "Insert Authority Position here" or Executive responsible for the system to be tested. 


Affected Business Unit(s) or Department(s)


Testing Dates


Targeted System(s) - (insert very specific information here, detailing the specific systems that you will target, and potentially what may NOT be targeted.


Objectives (insert what you are trying to test for here.  This is a reasonable general statement attached)

Authorized testing personnel will assess physical and logical network/system security and privacy controls in systems identified.  The assessment will entail both passive and active means of information gathering. 

Authorized personnel will attempt to gain access to sensitive private or proprietary information in an effort to evaluate the security measures currently enacted, and provide recommendations for improvement.


Authorized Exectuive
Name:
Title


Signature                                                                                  Date


Affected Business Unit / Department Authorization
Name:    
Title:    



Signature / SOA Date



Suggestions welcome.
<<

Fenris

Post Tue Aug 22, 2006 12:45 pm

Re: LOA Samples

was it that good?

Fenris (been out of town for a couple weeks)
<<

don

User avatar

Administrator
Administrator

Posts: 4226

Joined: Sun Aug 28, 2005 10:47 pm

Location: Chicago

Post Tue Aug 22, 2006 3:38 pm

Re: LOA Samples

Do we want to have a section that states whether it is a white, gray or black box test? How about something in regards to whether those in the affected business units / departments will be aware of the test?

How about a check box kind of form?

Type of Test

_ White Box
_ Gray Box
_ Black Box

What to Test

_ Entire Network
_ Wired Network
_ Wireless Network
_ Remote Access

Level of Penetration

_ Vulnerability Assessment
_ Penetrate DMZ Only
_ Penetrate Servers
_ Penetrate Workstations
_ Gather Files From Vulnerable Systems For Proof of Penetration

Etc, etc...

This way, it can be like a Sushi menu where the Executive can pick and choose what they want and/or specifically what the don't want.

Thoughts?

Don
CISSP, MCSE, CSTA, Security+ SME

Return to Network Pen Testing

Who is online

Users browsing this forum: No registered users and 2 guests

.
Powered by phpBB® Forum Software © phpBB Group.
Designed by ST Software