8.1. The "Get Out of Jail Free" Card

If you're only going to take one item with you, let it be this. What we call the "Get Out of Jail Free" Card is a letter or form, signed by the client, that formally and categorically acknowledges the test and authorizes you to perform it. It should be signed by at least one (and preferably two) senior company officers and, if the rules of engagement permit it, by the CIO or the most senior security staff member as well. Their contact details must be on the form, and they must be reachable for the duration of the test. Information about the testing team, such as the testers' names, the testing company, and the stated goals of the engagement, is also recommended. A sample form is supplied later in this chapter.

One more point: don't carry just one copy. You might lose it, or it might be confiscated. Admit to having a single copy, and produce the duplicates only to law enforcement if you are unfortunate enough to be in that position. Every team member should have at least two copies, and they should be originals, not photocopies.

Before embarking on the test, and preferably at the conclusion of scoping, present the forms to the client and ensure they are signed in situ, and never, ever signed p.p. (per procurationem) on someone else's behalf. The last thing you want is to find yourself working for a company officer who has overstepped his authority and is now denying he has ever met you. Consider the following case study, which illustrates the points I've made.

When Physical Tests Go Bad

Kris found the initial ...

From Unauthorised Access: Physical Penetration Testing For IT Security Teams.