Scope, Consent & Legal Framework
Purpose of This Framework
Cybersecurity assessment can create legal, operational, and reputational risk if performed without clear boundaries.
EH1-Infotech Cybersecurity operates under a defined Scope, Consent, and Legal Framework to ensure that every engagement is:
- Authorized
- Ethical
- Non-intrusive
- Defensible
This framework exists to protect clients, their stakeholders, and EH1-Infotech Cybersecurity at every stage of an engagement.
Scope Definition
Every engagement begins with a formally defined and approved scope.
The scope clearly specifies:
- Assets permitted for assessment
- Systems and services included
- Explicit exclusions
- Testing boundaries and limitations
No assessment activity is performed outside the approved scope.
Scope is documented and confirmed before any work begins.
- 100 percent of assessment activity is performed within documented and approved scope
Authorization and Consent
EH1-Infotech Cybersecurity performs security assessments only with explicit authorization.
Authorization includes:
- Written consent from the asset owner or authorized representative
- Confirmation of ownership or control of the assets being reviewed
- Agreement on objectives, boundaries, and limitations
Testing without consent is not permitted.
EH1-Infotech Cybersecurity does not perform:
- Unauthorized probing
- Implicit or assumed testing
- Any form of gray-area assessment
Consent is the foundation of every engagement.
- 100 percent of engagements require documented client authorization before any assessment begins
Legal Boundaries
EH1-Infotech Cybersecurity operates within applicable legal and regulatory boundaries.
Our engagements are designed to:
- Comply with relevant cybercrime and information technology laws
- Avoid actions that could be interpreted as intrusion or exploitation
- Preserve client compliance and regulatory obligations
We do not engage in:
- Exploitation of sensitive data
- Denial of service activities
- Credential brute force attempts
- Social engineering without explicit approval
- Any activity that could disrupt availability
This ensures that all assessments remain lawful and controlled.
Non-Intrusive Operating Model
EH1-Infotech Cybersecurity follows a non-intrusive operating model by default.
This means:
- No modification of systems
- No data extraction
- No persistence mechanisms
- No privilege escalation attempts
Our focus is on observation, exposure, and interpretation rather than exploitation.
This approach minimizes operational risk while still delivering meaningful security insight.
Responsibility and Accountability
Responsibility is clearly defined throughout every engagement.
EH1-Infotech Cybersecurity is accountable for:
- Operating strictly within the approved scope
- Preserving confidentiality
- Maintaining evidence integrity
- Reporting observations accurately and clearly
Clients remain responsible for:
- Providing correct authorization
- Defining business context and priorities
- Implementing remediation actions
This separation of responsibility ensures clarity and prevents assumption-based risk.
Confidentiality and Data Handling
All information observed during an engagement is treated as confidential.
EH1-Infotech Cybersecurity applies strict controls for:
- Restricted access to engagement data
- Secure storage of evidence
- Controlled retention and disposal of information
No client information is reused, shared, or published without explicit approval.
Ethical Enforcement
If any activity falls outside approved scope or consent during an engagement:
- Testing is paused immediately
- The client is informed
- Written clarification is obtained before proceeding
EH1-Infotech Cybersecurity does not push boundaries to create findings.
Ethical restraint is a core part of our security philosophy.
Why This Framework Matters
This framework ensures that:
- Security work does not introduce new risk
- Leadership can rely on outcomes with confidence
- Legal and compliance teams are protected
- Trust is preserved throughout the engagement
Security without boundaries creates liability.
Security with discipline builds trust.
Final Note
EH1-Infotech Cybersecurity applies scope, consent, and legal discipline as a foundation of responsible security work.
By operating with clear authorization, legal awareness, and ethical restraint, we ensure that every assessment contributes to resilience without unintended consequences.