Читать книгу CompTIA Pentest+ Certification For Dummies - Glen E. Clarke - Страница 52

Before starting the penetration test and typically before you start scoping out the project, you need to take care of the legal concepts by ensuring the correct contracts are in place. You will receive a signed contract that is essentially hiring you for the pentest service. These contracts are designed to protect the contractor from liability if something goes wrong with the penetration test, and protect the customer from sensitive data leakage on the part of the contractor.

The CompTIA PenTest+ certification exam refers to the following types of contracts and agreements:

 SLA: A service-level agreement (SLA) is a contract between a service provider and the customer as to the expected level of service that should be received. The level of service could be measured in bandwidth, uptime, or quality of service expected.

 Confidentiality: A confidentiality agreement is an agreement to keep details private between the two parties. The confidentiality agreement identifies information that should be kept private to the two parties involved and for how long the information is to be kept private. As it relates to penetration testing, the customer may have the pentester sign a confidentiality agreement that indicates the pentester is not to disclose information about the customer’s environment and the results of the penetration test to anyone. A confidentiality agreement is also known as a non-disclosure agreement (NDA).

 SOW: A statement of work (SOW) is a contract created by the penetration testing company that specifies the type of work its pentesters are providing, the timeline for performing the work, the cost of the work, the payment schedule, and any terms and conditions covering the work.

 MSA: A master service agreement (MSA) is a useful contract if you are performing repeat work for a company. The MSA acts as a standard boiler plate contract for the business relationship between the contractor and customer saving time when repeat work is needed from the contractor. With the MSA, you can define the terms of the work in the MSA and then refer to that from the SOW for each reoccurring engagement. Examples of terms in the MSA include payment terms, working conditions, remediation processes, and ownership of intellectual property.

 NDA: A non-disclosure agreement (NDA) is a common document outlining the importance of confidentiality in regard to the relationship of the two parties and the work performed. It identifies what information should be kept confidential and how confidential information should be handled. The NDA is created by the customer and given to the contractor to sign. The NDA is designed to protect the confidentiality of sensitive information that the contractor may come across while doing the penetration test.

For the PenTest+ certification exam, be familiar with the different types of contracts and agreements, and know that they are usually signed before the scoping discussion.