nerdexam
EC-Council

312-50V10 · Question #235

As a Certified Ethical Hacker, you were contracted by a private firm to conduct an external security assessment through penetration testing. What document describes the specifics of the testing, the a

The correct answer is C. Rules of Engagement. The Rules of Engagement (ROE) is the governing document in a penetration testing engagement that defines permitted actions, testing boundaries, legal protections, and the liabilities of both the tester and the organization.

Information Security and Ethical Hacking Fundamentals

Question

As a Certified Ethical Hacker, you were contracted by a private firm to conduct an external security assessment through penetration testing. What document describes the specifics of the testing, the associated violations, and essentially protects both the organization's interest and your liabilities as a tester?

Options

  • AService Level Agreement
  • BProject Scope
  • CRules of Engagement
  • DNon-Disclosure Agreement

How the community answered

(48 responses)
  • A
    2% (1)
  • B
    4% (2)
  • C
    92% (44)
  • D
    2% (1)

Why each option

The Rules of Engagement (ROE) is the governing document in a penetration testing engagement that defines permitted actions, testing boundaries, legal protections, and the liabilities of both the tester and the organization.

AService Level Agreement

A Service Level Agreement defines measurable performance and availability commitments between a service provider and client; it does not govern testing methods, violations, or tester liabilities.

BProject Scope

Project Scope identifies which systems and assets are in-bounds for testing but does not address legal protections, permissible techniques, or the tester's liability framework.

CRules of EngagementCorrect

The Rules of Engagement document formally authorizes the penetration test, specifying permissible techniques, target systems, testing windows, escalation contacts, and the legal framework that defines what constitutes authorized versus unauthorized activity. It is the primary document that protects the tester from criminal liability and protects the organization by ensuring testing stays within agreed boundaries.

DNon-Disclosure Agreement

A Non-Disclosure Agreement protects the confidentiality of information exchanged during an engagement but does not define what testing actions are authorized or provide legal protection for the tester's activities.

Concept tested: Penetration testing Rules of Engagement legal protections

Source: https://csrc.nist.gov/publications/detail/sp/800-115/final

Topics

#Rules of Engagement#penetration testing#legal documentation#scope

Community Discussion

No community discussion yet for this question.

Full 312-50V10 Practice