Contracting security assessments
Table of Contents
The Security Assessment Industry
Procuring a Security Assessment
Executing a Security Assessment
Contracting security assessments
After the Security Assessment
The amount of paperwork involved in buying an assessment can be surprising, especially for technical people buying or selling their first engagement. This section surveys the elements to expect in the contracting process. However, I recommend consulting a lawyer before signing any document!
PSA: German pentesting outfit Cure53 has open-sourced a set of standard contract templates for penetration testing.
(Mutual) Non-Disclosure Agreement - (m)NDA
A mutual NDA is typically signed early in the process. This allows the client to candidly share sensitive information for scoping and procurement. The vendor can also confidentially share their proprietary methodologies and other internal information. Depending on the relative size of the companies, either party may provide standard language. For more on NDAs, see bitmovin’s Universal NDA project.
Master Service Agreement - MSA
The MSA is the overarching document establishing the terms and conditions for the deal. This document will often be red-lined and negotiated. It is referenced in all future Statements of Work (SOWs). For an example, see Secureworks’ MSA - available publicly at secureworks.com/msa.
Significant terms include:
Service Fees; Taxes; Invoicing and Payment
Termination
Proprietary Rights
Confidentiality
Warranties; Limitation of Liability; Insurance
Indemnification
The vendor will frequently draft the MSA and provide it for review. Some enterprise clients require negotiations to start from their own standard MSA terms.
Statement of Work - SOW
A Statement of Work is the main legal document and serves as the formal contract for a specific engagement. Once you’ve gone through your RFP and selected a vendor, you’ll execute the SOW. The folks at Triaxiom Security have provided a good breakdown of what elements you should expect:
A detailed scope for the proposed assessment, including level of effort
Agreed deliverables for the project, including report formats and any retests or revisions
Key dates for kickoff, completion, and delivery
Price, including payment terms (superseding the MSA)
Rules of engagement
The statement of work may also contain the rules of engagement, or they may be a separate document. They will be more stringent when the client is a regulated organization. The rules of engagement can define:
Sensitive data handling
Country of operation
Country of data residency
Data retention period
Security of data storage
Secure communication mechanisms
Escalation and pivoting
Red-line out-of-scope systems
Prohibited activities such as social engineering and targeting employee desktops
Emergency contact/notification protocols (contact for functional issues, logic issues)
Common clauses
The security services industry has a standard set of specific risks and implications that drive common contractual clauses. Any vendor you receive a proposal from should have standard language. Clauses commonly include:
Indemnity
Report sharing/Intellectual Property
Insurance
Change orders
If the customer wants to modify the scope or scale mid-assessment, a change order will be required. However, it is important to consider that the vendor may not be able to accommodate an immediate expansion. Due to scheduling requirements, extra time may require a delay or even a re-engagement. Work with your vendor to plan a flexible engagement if you expect to need a change mid-flight.
Check out Adam Caudill’s “Checklist: Starting a Security Consulting Firm” for detailed, complementary information on the vendor side of the deal.