AnySec

Security Testing Authorization

Mandatory before any engagement

Introduction

Security testing is a critical component of our cybersecurity strategy. It helps identify vulnerabilities, assess risks, and ensure compliance with security standards and regulations. However, such testing must be conducted in a controlled and authorized manner to prevent unintended disruptions, unauthorized access, or data breaches.

Unauthorized testing can lead to severe consequences, including system outages, data loss, and legal liabilities. This document outlines the authorization requirements and procedures we follow for every form of security testing — penetration testing, vulnerability assessments, and security audits.

Scope

This policy applies to all individuals and entities — employees, contractors, consultants, partners, and third-party service providers — who intend to conduct security testing on our clients' digital assets. These assets include, but are not limited to, websites, web and mobile applications, servers, network infrastructure, databases, and cloud services.

Authorization Requirements

1. Written authorization

All security testing activities must be explicitly authorized in writing by the Chief Information Security Officer (CISO) or a designated representative of the client. This authorization ensures that testing activities are aligned with our and the client's security policies and do not interfere with business operations.

2. Scope definition

The authorization request must clearly define the scope of the testing, including specific systems, applications, and network segments to be tested. Any deviation from the defined scope is strictly prohibited unless further approval is obtained.

3. Testing schedule

Security testing must be scheduled in coordination with the IT and security teams. Testing during peak business hours or critical operational periods is generally discouraged to avoid potential disruptions.

4. Testing methodology

The testing methodology, tools, and techniques must be documented and approved as part of the authorization process. This ensures that the testing is conducted using industry-standard practices and does not inadvertently introduce risks.

5. Confidentiality and data protection

Testers must adhere to confidentiality agreements and data protection regulations. Any sensitive data accessed during the testing must be handled securely and not disclosed to unauthorized parties.

6. Reporting and documentation

Upon completion of the testing, a comprehensive report detailing the findings, identified vulnerabilities, and recommended remediation actions must be submitted to the CISO. This report will be used to inform security improvements and risk management strategies.

7. Remediation and follow-up

Identified vulnerabilities must be addressed promptly according to the risk level assigned by the security team. Follow-up testing may be required to verify the effectiveness of remediation efforts. We provide one free retest within 30 days as part of every penetration testing engagement.

Consequences of unauthorized testing

Unauthorized security testing is a violation of policy and applicable law, and may result in:

  • Disciplinary actions: personnel found conducting unauthorized testing may face termination of employment or contract.
  • Legal consequences: unauthorized access or testing may be considered illegal under EU and national law. Individuals involved may face fines and criminal liability.
  • Reputational damage: unauthorized activities damage the trust of customers, partners, and stakeholders.

Conclusion

Security testing is a vital practice for safeguarding digital infrastructure. However, it must be conducted responsibly and with proper authorization. We adhere to this policy on every engagement and require our clients to do the same.

For questions or to request a Rules of Engagement template, contact us at [email protected].