Woman making expressive hand movements behind computer

Vendor Contracts and Legal Requirements Regarding Pen Testing and Vulnerability Assessments

More and more frequently, penetration testing and vulnerability assessments are making it into news headlines and advertisements.  Let’s examine a few questions you should ask before signing up for a pen test or vulnerability assessment:

·        What are they?

·        How frequently should they be run?

·        Who offers these tests?

·        Contractual terms to consider?

What Are They?

Pen tests test security from the outside or inside.  Some regulations require them, such as the New York State Cybersecurity Regulation (23 NYCRR500; the “Regulation”).  The Regulation defines penetration testing as a “methodology in which assessors attempt to circumvent or defeat the security features of an Information System by attempting penetration of databases or controls from outside or inside” the system.  Imagine it’s a basketball practice or hockey scrimmage and the coach’s focus is on gauging the strength and reliability of the defense in preventing the goals or baskets.  The intention is to identify the vulnerabilities and then try to exploit them, i.e., try to exploit the system.

By contrast, a vulnerability assessment is systematic review of information systems in order to identify cybersecurity vulnerabilities, quantify and/or consider the reasonable risk posed by vulnerabilities and potentially prioritize the levels of threat.  The goal is to identify potential risks.  The Regulation defines a vulnerability assessment as “systematic scans or reviews of Information Systems reasonably designed to identify publicly known cybersecurity vulnerabilities” in the Information Systems.

How Frequently Should They Be Run?

Under the Regulation, penetration testing must be performed annually, focusing on the relevant risks identified in your Risk Assessment.

Vulnerability assessments must be performed biannually, based on the Risk Assessment results.

NIST (National Institute for Standards and Technology) provides various vulnerability validation techniques, which include pen testing and vulnerability assessments.

Who Offers These Tests?

Who doesn’t?  Nearly every company in any way related to technology will offer this service.  Why?  It is inexpensive, a good first step to understanding a company, and the tests are relatively easy to perform.  It is important to find trusted, experienced vendors who know the purpose and goals of these tests.  Some parts of the tests are automated, and others require a sufficient degree of skill – so experience and knowledge will be important in selecting a vendor.

Contractual Terms to Consider

Because an organization must share a lot about their business and expose their systems during pen testing and vulnerability assessments, a vendor should be chosen thoughtfully, and contracts entered into carefully.

Initially, what is the purpose of performing the tests, are they legally required, are they part of a larger risk assessment and analysis?  What should the end product report look like?

Confidentiality is a must-have provision.  The scope of the project should be well defined and planned so as not to harm business operations or create new vulnerabilities.  Make sure the vendor has the appropriate insurance in place.  Most importantly, there must be well-defined risk allocation provisions.  Plan also for what the end of the project will look like and results and next steps.

Again, key ingredients of a vendor contract are confidentiality, scope, vendor insurance, risk allocation provisions and results/next steps.

The bottom line?  Know your vendor, get referrals from trusted persons in the space, and make sure the right legal obligations are in place.  The attorneys at Beckage PLLC can help you navigate through pen testing and vulnerability assessment from drafting the vendor agreement to performing a gap analysis of your current practices and policies and updating them accordingly.

DISCLAIMER:  This alert is for general information purposes only.  It does not constitute legal advice, or the formation of an attorney-client relationship, and may not be used and relied upon as a substitute for legal advice regarding a specific issue or problem.  Advice should be obtained from a qualified attorney or practitioner licensed to practice in the jurisdiction where that advice is sought.  If you have any questions, please contact an attorney at Beckage: www.beckage.com or info@beckage.com.

Attorney Advertising: Prior results do not guarantee a similar outcome.