When penetration testing is conducted within the UK, there are a number of laws that govern the activities that form part of a penetration test.
For the majority of tests, these laws include the following:
- UK Computer Misuse Act 1990
- UK Data Protection Act 1998
- Human Rights Act 1998
- Police and Justice Act 2006
In order to ensure that penetration testing is conducted in line with UK law and also to ensure that the test is conducted as efficiently as possible, a testing consent form must always be used to capture the exact scope of the test and provides those responsible for an organisation’s infrastructure with a means of providing their consent.
Typically, a testing consent form will capture the following information:
- Name & Position of the individual who is providing their consent
- Authorised Testing Period – both the date range and hours that testing is permitted
- Contact information for members of technical staff, who may provide assistance during the test
- IP addresses or URL that are in scope of testing
- Exclusions to certain hosts, services or areas within applications
- Credentials that may be required as part of authenticated application testing
Consent forms should always be signed by someone who is in a position of legal authority within an organisation (for example one of the company directors), in order to indemnify the testing company (and the individuals performing the test) from all applicable laws for the duration of the test. It is important that consent is also obtained from any owners of 3rd party hosting environments or equipment, which may also come under the scope of testing.
At SecureTeam, no testing activities are ever performed until a fully-completed and signed consent form has been returned by our customers. This ensures that we remain compliant with the relevant UK laws and that the scope of testing is fully understood by both our client and the consultants who will be conducting the test.
Lastly, due to a completed testing consent form containing potentially sensitive information, it should be handled in accordance with the client and testing organisation’s data handling procedures.