312-50V11 · Question #264
A security consultant is trying to bid on a large contract that involves penetration testing and reporting. The company accepting bids wants proof of work so the consultant prints out several audits t
The correct answer is B. The consultant may expose vulnerabilities of other companies.. Sharing actual audit reports from previous clients to demonstrate work quality violates confidentiality obligations and exposes those clients' security weaknesses to unauthorized parties.
Question
A security consultant is trying to bid on a large contract that involves penetration testing and reporting. The company accepting bids wants proof of work so the consultant prints out several audits that have been performed. Which of the following is likely to occur as a result?
Options
- AThe consultant will ask for money on the bid because of great work.
- BThe consultant may expose vulnerabilities of other companies.
- CThe company accepting bids will want the same type of format of testing.
- DThe company accepting bids will hire the consultant because of the great work performed.
How the community answered
(39 responses)- A10% (4)
- B82% (32)
- C3% (1)
- D5% (2)
Why each option
Sharing actual audit reports from previous clients to demonstrate work quality violates confidentiality obligations and exposes those clients' security weaknesses to unauthorized parties.
The consultant requesting payment based on prior work quality is unrelated to the primary consequence of distributing confidential client security reports to outside parties.
Security audit and penetration testing reports contain detailed findings about an organization's vulnerabilities, misconfigurations, and security gaps, all of which are highly sensitive. Presenting these reports to a third party without the original client's authorization breaches confidentiality agreements and could enable attackers to exploit the disclosed weaknesses. This is both an ethical violation under professional security codes of conduct and a potential legal liability for the consultant.
The prospective company preferring a specific testing format is a minor and unlikely consequence compared to the serious ethical and legal breach of exposing client vulnerability data.
While the work quality might impress the prospective client, the more likely and significant outcome is the ethical violation and potential harm caused by disclosing other organizations' security vulnerabilities.
Concept tested: Confidentiality obligations in security consulting engagements
Source: https://www.isc2.org/ethics
Topics
Community Discussion
No community discussion yet for this question.