Contractual Items

  1. Goals (examples)
    1. Increased safety of technical systems
    2. Identification of weak points as a decision criterion (for example, for investments or the suitability of products)
    3. Increased security of the organizational / personal infrastructure
    4. Obtaining a certification / confirmation from an external third party
  2. Types of Penetration Tests
    1. Information Base (Blackbox / Whitebox)
    2. Aggressiveness (passive to aggressive)
    3. Scope (complete, limited or focused)
    4. Method (Concealed or obvious)
    5. Points of Contact (network access, other communication, physical access, social engineering)
    6. Starting point (from outside or inside)
  3. Techniques to be used and excluded
    1. Detailed description of the individual techniques (especially social engineering techniques and active tests against access controls)
    2. Exclusion of attack techniques, which may not be used, with justification
  4. Customer
    1. The contracting entity must be legally represented at the time of signing the contract (by an authorized representative)
    2. The pentester should satisfy themselves of this by obtaining appropriate proof of authorization
  5. Contractor
    1. If a contractor wishes to hire a subcontractor, it should be named when the contract is concluded
  6. Written form clause
    1. Record all terms and conditions in writing
    2. Expressly and bindingly require the written form for any subsequent agreements
  7. Obligations of the customer
    1. Providing information depending on the type of penetration test
    2. Informing potentially affected third parties
    3. Protective measures against unforeseeable system failures (e.g. data backup, naming of contact persons)
  8. Obligations of the Contractor
    1. Confidentiality (Non-Disclosure Agreement)
    2. Compliance with licensing regulations (licensing fees for security tools are nowadays charged to the customer; make the allocation of licensing fees transparent)
    3. Preparation of a test plan (procedure, contacts, dates)
    4. Documentation of the test procedures and the results (type and scope)
    5. General due diligence (to be listed as pointers)
  9. Contract execution
    1. Start and end dates
    2. Tests outside this timeframe are not authorized and therefore illegal
    3. Scope and form of the presentation of results
  10. Special right of termination
    1. Application of the general rules for the termination of business agreements of a service nature, in particular §627 paragraph 2 BGB
    2. In the event of a situation which prevents a continuation of the penetration test (for example, a system crash associated with lengthy clean-up work)
  11. Limitation of liability
    1. Limitation of liability only within the limits of the law on general terms and conditions
    2. As a rule, limitation of the tester's liability to gross negligence and intent, as well as for consequential or indirect damages, provided there is no culpable breach of a material contractual obligation

Use of General Terms and Conditions (GTC)

If the Contractor uses GTCs, these must be effectively incorporated into the contract. They must be acknowledged and accepted by the client.
