Vendor Contracts and Legal Requirements for Penetration Testing and Vulnerability Assessments


More and more frequently, penetration testing (a.k.a. pen tests) and vulnerability assessments are making it into news headlines and advertisements. Let’s examine a few questions you should ask before signing up for a penetration test or vulnerability assessment:

What is the Difference Between Penetration Testing and Vulnerability Assessments?

Penetration tests assess cybersecurity from the outside or inside. Some regulations require them, such as the New York State Cybersecurity Regulation (23 NYCRR 500; the “Regulation”). The Regulation defines penetration testing as a “methodology in which assessors attempt to circumvent or defeat the security features of an Information System by attempting penetration of databases or controls from outside or inside” the system. Imagine a basketball practice or hockey scrimmage in which the coach’s focus is on gauging the strength and reliability of the defense at preventing goals or baskets. The intention is to identify the organization’s security vulnerabilities and then attempt to exploit them, the system, or its security controls.

By contrast, a vulnerability assessment is a systematic review of information systems in order to identify cybersecurity vulnerabilities, quantify and/or consider the reasonable risk posed by vulnerabilities and potentially prioritize the levels of threat. The goal is to identify potential security risks. The Regulation defines a vulnerability assessment as “systematic scans or reviews of Information Systems reasonably designed to identify publicly known cybersecurity vulnerabilities” in the Information Systems. This applies to computer systems, web applications, databases, and other information systems that could be at risk of SQL injection or another malicious method of attack.

How Often Should Organizations Perform Penetration Tests and Vulnerability Assessments?

Under the Regulation, penetration testing must take place annually, focusing on the relevant risks identified in your Risk Assessment.

Vulnerability assessments must be performed biannually, based on the Risk Assessment results.

NIST (National Institute of Standards and Technology) describes various vulnerability validation techniques, which include pen testing and vulnerability assessments.

Who Offers Pen Tests and Vulnerability Assessments?

Who doesn’t? Nearly every company in any way related to technology will offer this service. Why? It is inexpensive, a good first step to understanding a company, and the tests are relatively easy to perform. It is important to find trusted, experienced vendors who know the purpose and goals of these tests. Some parts of the tests are automated, and others require a sufficient degree of skill. Experience and knowledge will be important in selecting a vendor.

Contractual Terms to Consider

During penetration testing and vulnerability assessments, an organization must share a lot about its business and expose its computer systems. Businesses should select vendors thoughtfully, including a thorough and critical review of contracts before signing.

First, what is the purpose of performing a penetration test or vulnerability assessment? Are the tests legally required, and are they part of a larger risk assessment and analysis? What should the final report look like?

Confidentiality is a must-have provision. The scope of the project should be very clear with a plan in place, so it does not cause harm to business operations or create new exploitable vulnerabilities. Make sure the vendor has the appropriate insurance in place. Most importantly, there must be well-defined risk allocation provisions. Plan also for what the end of the project will look like and the results and next steps.

Again, key ingredients of a vendor contract are confidentiality, scope, vendor insurance, risk allocation provisions, and results/next steps.

Conclusion

The bottom line? Know your vendor, get referrals from trusted persons in the space, and make sure the proper legal obligations are in place to meet compliance requirements. The cybersecurity attorneys at Octillo can help you navigate through penetration testing and vulnerability assessment from drafting the vendor agreement to performing a gap analysis of your current practices and policies and updating them accordingly.

If you have any questions regarding penetration testing or vulnerability assessments, please contact a member of our team.

*Attorney advertising. Prior results do not guarantee a similar outcome.