
| Subject: | RE: bank audit pen test |
|---|---|
| Date: | Sun, 30 Oct 2005 13:58:45 -0500 |
Most certainly you can be sued! However, prior to entering into the contract, the bank is supposed to perform their due diligence on you (the tester) as well as require certain statements in your contract regarding your ability to support their legal and regulatory compliance needs. You should have the standard "new exploits come out every day and testing should not be considered to cover 100% of all potential threats" type statements as well. The bank's regulatory requirements covering contractual obligations of 3rd parties end up protecting both you and them. It generally would not be in the bank's favor to sue anyone in the case you mention, as it would bring about a more negative public image of their ability to protect themselves as well as make a more obvious case for heightened regulator scrutiny.

Speaking for US banks, the FFIEC website (www.ffiec.gov) has handbooks on outsourcing and vendor contracts that you can use for guidance on what you need to make sure you account for, both in the contract as well as what controls to make sure you verify. Depending on the bank, you may also want to search the OTS, FDIC, OCC, NCUA (credit unions) and even the Federal Reserve for guidance on what to include to protect yourself. Outside of that, make sure you have insurance for errors and omissions and your underwriter understands you perform the testing that you do.

You got it right in the end though: even with all the I's dotted and T's crossed you can still be sued, and it will depend on the prowess of your legal representation to protect you.

--Mike
-----Original Message-----
From: Keenen Milner [mailto:kmilner@ghcllc.com]
Sent: Saturday, October 29, 2005 12:03 PM
To: Coreappsecurity Mailing List; security-management@securityfocus.com
Subject: bank audit pen test

I have a different twist on the bank audit question. If, as part of the audit, you perform a pen test and the bank gets hacked the day after you deliver your results, can you be sued? I know anyone can sue anyone for anything, but how can you realistically reduce the chance you get sued?

Best Regards,
Keenen

____________________________________________________
Keenen Milner
Lead Partner - Computer Forensics and Technology Consulting
GHC Information Systems, LLC
Grobstein Horwath and Company, LLP
15233 Ventura Boulevard, 9th Floor
Sherman Oaks, California 91403
(818) 325-8466 - voice
(818) 325-8566 - fax
____________________________________________________