312-50V10 · Question #235
As a Certified Ethical Hacker, you were contracted by a private firm to conduct an external security assessment through penetration testing. What document describes the specifics of the testing, the a
The correct answer is C. Rules of Engagement. The Rules of Engagement (ROE) is the governing document in a penetration testing engagement that defines permitted actions, testing boundaries, legal protections, and the liabilities of both the tester and the organization.
Question
As a Certified Ethical Hacker, you were contracted by a private firm to conduct an external security assessment through penetration testing. What document describes the specifics of the testing, the associated violations, and essentially protects both the organization's interest and your liabilities as a tester?
Options
- AService Level Agreement
- BProject Scope
- CRules of Engagement
- DNon-Disclosure Agreement
How the community answered
(48 responses)- A2% (1)
- B4% (2)
- C92% (44)
- D2% (1)
Why each option
The Rules of Engagement (ROE) is the governing document in a penetration testing engagement that defines permitted actions, testing boundaries, legal protections, and the liabilities of both the tester and the organization.
A Service Level Agreement defines measurable performance and availability commitments between a service provider and client; it does not govern testing methods, violations, or tester liabilities.
Project Scope identifies which systems and assets are in-bounds for testing but does not address legal protections, permissible techniques, or the tester's liability framework.
The Rules of Engagement document formally authorizes the penetration test, specifying permissible techniques, target systems, testing windows, escalation contacts, and the legal framework that defines what constitutes authorized versus unauthorized activity. It is the primary document that protects the tester from criminal liability and protects the organization by ensuring testing stays within agreed boundaries.
A Non-Disclosure Agreement protects the confidentiality of information exchanged during an engagement but does not define what testing actions are authorized or provide legal protection for the tester's activities.
Concept tested: Penetration testing Rules of Engagement legal protections
Source: https://csrc.nist.gov/publications/detail/sp/800-115/final
Topics
Community Discussion
No community discussion yet for this question.