Writing Permission Forms for Network Analysis?
Jacob asks: "I have recently left a consulting/training firm to work in the public sector as a contractor. Part of my job functionality includes analyzing network traffic and security. This of course includes using products such as ethereal, snort, ntop and other network sniffers/analyzers. While working as a consultant I was legally covered by the company for which I worked. Since I am no longer working for that company I do not have that same protection, and I am worried about the possibility of being accused of 'sniffing passwords' or 'viewing confidential data' as a result of a normal network analysis. What is your experience in creating a legally binding contract or permission forms to perform network analysis and/or security audits?"
IMHO, talk to a real lawyer. That way you can be sure the contract is legally binding, as well as probably closing up some legal loopholes that you might overlook yourself.
In situations where you might incur large amounts of liability, it's usually well worth the money to talk to a lawyer.
The guy is asking a question here!
You will find most of what you want to know at the SANS Reading Room site. This is an invaluable resource for your line of work.
SANS briefly used an obnoxious password scheme to access this archive, but this has been - thankfully - removed.
Specific to your needs is a "waiver" style document, to be signed by the technical and management authorities responsible for the network you are testing. It defines the behaviors to expect from a consultant and the expectation of impact by the client. A good example, by GIAC candidate Nancy Simpson, is provided here: PENETRATION TEST SAMPLE RULES OF BEHAVIOR.
This is in the Reading Room, under the section Penetration Testing.
You can adapt some of this to your needs - keeping a lawyer on retainer is a bit steep for a single, independent contractor these days, with contracts like proverbial hen's teeth. Insurance probably isn't a bad idea, though.
"Flyin' in just a sweet place,
Never been known to fail..."