312-50V11 · Question #235
As a Certified Ethical Hacker, you were contracted by a private firm to conduct an external security assessment through penetration testing. What document describes the specifics of the testing, the a
The correct answer is C. Rules of Engagement. Rules of Engagement is the formal document that governs the conduct of a penetration test, specifying permitted actions, legal boundaries, and liability protections for both parties.
Question
As a Certified Ethical Hacker, you were contracted by a private firm to conduct an external security assessment through penetration testing. What document describes the specifics of the testing, the associated violations, and essentially protects both the organization's interest and your liabilities as a tester?
Options
- AService Level Agreement
- BProject Scope
- CRules of Engagement
- DNon-Disclosure Agreement
How the community answered
(45 responses)- A4% (2)
- C93% (42)
- D2% (1)
Why each option
Rules of Engagement is the formal document that governs the conduct of a penetration test, specifying permitted actions, legal boundaries, and liability protections for both parties.
A Service Level Agreement defines performance metrics and uptime expectations between a service provider and a client, and has no role in governing the legal framework or permitted actions of a security test.
Project Scope outlines the boundaries of work to be performed but does not address associated violations, liability protections, or the legal authorization required for offensive security testing.
Rules of Engagement (RoE) is a legally binding document used in penetration testing engagements that defines exactly what systems may be targeted, which techniques are authorized, the testing timeline, and the consequences for violations. It explicitly protects the organization's assets and infrastructure while also shielding the tester from criminal liability by documenting written authorization.
A Non-Disclosure Agreement governs the confidentiality of information exchanged between parties but does not define testing specifics, permitted attack methods, or the liability protections required during an engagement.
Concept tested: Penetration testing Rules of Engagement documentation
Source: https://csrc.nist.gov/publications/detail/sp/800-115/final
Topics
Community Discussion
No community discussion yet for this question.