Contracts and agreements
One page summary of typical contracts usually signed before scoping.
Service-level agreement (SLA)
A service-level agreement (SLA) is a contract between a service provider and the customer as to the expected level of service that should be received. The level of service could be measured in bandwidth, uptime, or quality of service expected.
A confidentiality agreement is an agreement to keep details private between the two parties. The confidentiality agreement identifies information that should be kept private to the two parties involved and for how long the information is to be kept private. As it relates to penetration testing, the customer may have the pentester sign a confidentiality agreement that indicates the pentester is not to disclose information about the customer’s environment and the results of the penetration test to anyone. A confidentiality agreement is also known as a non-disclosure agreement (NDA).
Statement of work (SOW)
A statement of work (SOW) is a contract created by the penetration testing company that specifies the type of work its pentesters are providing, the timeline for performing the work, the cost of the work, the payment schedule, and any terms and conditions covering the work. The statement of work typically addresses:
Purpose: Reason for the project
Scope of work: Describes the work activities to be completed
Location of work: Where the work will be performed
Period of performance: The timeline for the project
Deliverables schedule: Defines the project artifacts and due dates
Applicable industry standards: Relevant criteria that must be followed
Acceptance criteria: Conditions that must be satisfied
Special requirements: Travel, workforce requirements (certifications, education)
Payment schedule: Negotiated schedule of payment (possibly derived from MSA)
During the initial discussions and in the Statement of Work (SOW), it is important to include two disclaimers that outline two important points about the penetration test.
Master service agreement (MSA)
A master service agreement (MSA) is a useful contract if performing repeat work for a company. The MSA acts as a standard boilerplate contract for the relationship between the contractor and customer saving time when repeat work is needed. The agreement will cover conditions such as:
Payment terms: Negotiated schedule of payment
Product warranties: Assurance that a product meets certain conditions
Intellectual property ownership: Copyrights, patents, and trademarks
Dispute resolution: Defines a process for resolving differences
Allocation of risk: Provision that defines levels of responsibility between each party
Indemnification: Parties agree to be financially responsible in certain circumstances
With an MSA, the terms of the work can be defined and then referred from the SOW for each reoccurring engagement.
Non-disclosure agreement (NDA)
A non-disclosure agreement (NDA) is a common document outlining the importance of confidentiality in regard to the relationship of the two parties and the work done. It identifies what information should be kept confidential and how confidential information should be handled. The NDA is created by the customer and given to the contractor to sign. The NDA is designed to protect the confidentiality of sensitive information (proprietary information and intellectual property) that the contractor may come across while doing the penetration test.
Rules of engagement (ROE)
The rules of engagement (RoE) document contains the guidelines and constraints of the execution of a pentest - what is and is not authorised for testing. The RoE can be part of the SOW or treated as a separate deliverable.
Permission to test
Documents that grant permission to test must be signed by someone with authority over the assets being tested. This authority must be legally able to bless the terms of testing on behalf of the asset owners in all contracts and documentation. These documents grant permission for testing activities to occur and set clear expectations that penetration testers are not held liable for system instability or crashes and that the tester will perform due diligence to avoid damage to systems as part of testing. Pentesters must do their own due diligence to verify that the person who is requesting the testing has the authority over tested assets in order to approve the test or that additional permission has been acquired.