
Contracting security assessments

The amount of paperwork involved in buying an assessment can be surprising, especially for technical people buying or selling their first engagement. This section surveys the elements to expect in the contracting process. However, I recommend consulting a lawyer before signing any document!

(Mutual) Non-Disclosure Agreement - (m)NDA

A mutual NDA is typically signed early in the process. This allows the client to candidly share sensitive information for scoping and procurement. The vendor can also confidentially share their proprietary methodologies and other internal information. Depending on the relative size of the companies, either party may provide standard language. For more on NDAs, see bitmovin’s Universal NDA project.

Master Service Agreement - MSA

The MSA is the overarching document establishing the terms and conditions for the deal. This document will often be red-lined and negotiated. It is referenced in all future Statements of Work (SOWs). For an example, see Secureworks’ MSA - available publicly at secureworks.com/msa.

Significant terms include:

  1. Service Fees; Taxes; Invoicing and Payment

  2. Termination

  3. Proprietary Rights

  4. Confidentiality

  5. Warranties; Limitation of Liability; Insurance

  6. Indemnification

The vendor will frequently draft the MSA and provide it for review. Some enterprise clients require negotiations to start from their own standard MSA terms.

Statement of Work - SOW

A Statement of Work is the main legal document and serves as the formal contract for a specific engagement. Once you’ve gone through your RFP and selected a vendor, you’ll execute the SOW. The folks at Triaxiom Security have provided a good breakdown of what elements you should expect:

  1. A detailed scope for the proposed assessment, including level of effort

  2. Agreed deliverables for the project, including report formats and any retests or revisions

  3. Key dates for kickoff, completion, and delivery

  4. Price, including payment terms (superseding the MSA)

Rules of engagement

The statement of work may also contain rules of engagement, or it may be a separate document. These will be more stringent when the client is a regulated organization. The rules of engagement can define:

  1. Sensitive data handling

    1. Country of operation

    2. Country of data residency

    3. Data retention period

    4. Security of data storage

    5. Secure communication mechanisms

  2. Escalation and pivoting

  3. Red-line out-of-scope systems

  4. Prohibited activities such as social engineering and targeting employee desktops

  5. Emergency contact/notification protocols (contact for functional issues, logic issues)

Common clauses

The security services industry has a standard set of specific risks and implications that drive common contractual clauses. Any vendor you receive a proposal from should have standard language. Clauses commonly include:

  1. Indemnity

  2. Report sharing/Intellectual Property

  3. Insurance

Change orders

If the customer wants to modify the scope or scale mid-assessment, a change order will be required. However, keep in mind that the vendor may not be able to accommodate an immediate expansion: because of scheduling constraints, extra time may mean a delay or even a re-engagement. Work with your vendor to plan a flexible engagement if you expect to need a change mid-flight.

Check out Adam Caudill’s “Checklist: Starting a Security Consulting Firm” for detailed, complementary information on the vendor side of the deal.