nerdexam
EC-Council

312-50V11 · Question #235

As a Certified Ethical Hacker, you were contracted by a private firm to conduct an external security assessment through penetration testing. What document describes the specifics of the testing, the a

The correct answer is C. Rules of Engagement. Rules of Engagement is the formal document that governs the conduct of a penetration test, specifying permitted actions, legal boundaries, and liability protections for both parties.

Information Security and Ethical Hacking Fundamentals

Question

As a Certified Ethical Hacker, you were contracted by a private firm to conduct an external security assessment through penetration testing. What document describes the specifics of the testing, the associated violations, and essentially protects both the organization's interest and your liabilities as a tester?

Options

  • AService Level Agreement
  • BProject Scope
  • CRules of Engagement
  • DNon-Disclosure Agreement

How the community answered

(45 responses)
  • A
    4% (2)
  • C
    93% (42)
  • D
    2% (1)

Why each option

Rules of Engagement is the formal document that governs the conduct of a penetration test, specifying permitted actions, legal boundaries, and liability protections for both parties.

AService Level Agreement

A Service Level Agreement defines performance metrics and uptime expectations between a service provider and a client, and has no role in governing the legal framework or permitted actions of a security test.

BProject Scope

Project Scope outlines the boundaries of work to be performed but does not address associated violations, liability protections, or the legal authorization required for offensive security testing.

CRules of EngagementCorrect

Rules of Engagement (RoE) is a legally binding document used in penetration testing engagements that defines exactly what systems may be targeted, which techniques are authorized, the testing timeline, and the consequences for violations. It explicitly protects the organization's assets and infrastructure while also shielding the tester from criminal liability by documenting written authorization.

DNon-Disclosure Agreement

A Non-Disclosure Agreement governs the confidentiality of information exchanged between parties but does not define testing specifics, permitted attack methods, or the liability protections required during an engagement.

Concept tested: Penetration testing Rules of Engagement documentation

Source: https://csrc.nist.gov/publications/detail/sp/800-115/final

Topics

#Rules of Engagement#pen test documentation#scope#legal agreement

Community Discussion

No community discussion yet for this question.

Full 312-50V11 Practice