312-50V10 · Question #482
You are about to be hired by a well known Bank to perform penetration tests. Which of the following documents describes the specifics of the testing, the associated violations, and essentially protect
The correct answer is C. Terms of Engagement. The Terms of Engagement (also called Rules of Engagement) is the document that outlines testing specifics, permitted actions, associated violations, and liability protections for both the tester and the client organization.
Question
You are about to be hired by a well known Bank to perform penetration tests. Which of the following documents describes the specifics of the testing, the associated violations, and essentially protects both the bank's interest and your liabilities as a tester?
Options
- AService Level Agreement
- BNon-Disclosure Agreement
- CTerms of Engagement
- DProject Scope
How the community answered
(22 responses)- A5% (1)
- C95% (21)
Why each option
The Terms of Engagement (also called Rules of Engagement) is the document that outlines testing specifics, permitted actions, associated violations, and liability protections for both the tester and the client organization.
A Service Level Agreement defines performance metrics and service delivery expectations, not the legal boundaries or liability protections specific to penetration testing.
A Non-Disclosure Agreement covers confidentiality of information exchanged, but does not define testing specifics, permitted techniques, or liability protections.
The Terms of Engagement formally defines what tests are authorized, the methods allowed, legal boundaries, consequences for violations, and protections for both parties. It serves as the legal and operational contract that governs the entire penetration testing engagement, shielding the bank from unauthorized activity and the tester from liability.
A Project Scope document defines what systems or assets are in or out of scope but does not address violations, legal protections, or tester liability.
Concept tested: Penetration testing pre-engagement documentation and legal authorization
Source: https://www.pentest-standard.org/index.php/Pre-engagement
Topics
Community Discussion
No community discussion yet for this question.