
Security Assessment Agreement Outsourcing

My work as security engineer for Schuberg Philis often requires me to deal with the following situation. A customer of ours requires us to facilitate a security assessment of the infrastructure we manage on their behalf.

More often than not, the contractual agreements between assessor and client and between client and service provider, together with a “third party waiver” or similar document, do not cover everything that the three parties want to commonly agree upon. After reviewing quite a number of these documents, I decided to write a template agreement (which can be downloaded below) for exactly this situation. This document is not a replacement for the agreement between the client and the assessor, but an additional agreement between all three parties.

Madison Gurkha and ITsec have both reviewed and contributed to this agreement, and we will use it in our future dealings.

The agreement covers the following topics.

Scope of the assessment:

  • What will be tested?
  • When will the test take place?
  • What kind of tests will be conducted?

Contractual agreements:

  • Does the assessor have a contract with the client?
  • Does the client have a contract with the service provider?

Legal liability:

  • Do both the client and the service provider waive prosecution of the assessor?

Risks:

  • Are all parties aware of and agree to the risks of a security assessment?

Practical matters:

  • The client requests the service provider to support the assessment
  • Who are the points of contact?
  • Where will the assessment take place?
  • How will the results be reported?

Confidentiality:

  • All parties agree to confidentiality

The agreement template is released without any reservations of rights. This means you can use and adapt this agreement as you see fit, but completely at your own risk.

You can download the agreement here:

I would like to thank the following people for their contribution:

  • Madison Gurkha: Hans van de Looy and Arjan de Vet
  • ITsec: Tjerk Nan and Jan van Ek
  • Fox-It: Mark Koek
  • Arron Finnon (aka @f1nux)
  • Colin McLean
  • Robert Ladyman
Comment by Karel van Houten, January 25th, 2010 at 12:57:

    Frank, a nice piece of work!

    These matters are often overlooked when conducting these assessments.

    I would like to suggest one more item: The situation where the service provider is using some infrastructure of some other provider to provide the services that are under assessment. That second provider might take legal steps against the assessor when his infrastructure is under attack. The primary service provider should state that all providers involved are bound by agreements that make this assessment legally possible.

    Regards,
    Karel.
