nerdexam
EC-Council

312-50V11 · Question #264

A security consultant is trying to bid on a large contract that involves penetration testing and reporting. The company accepting bids wants proof of work so the consultant prints out several audits t

The correct answer is B. The consultant may expose vulnerabilities of other companies.. Sharing actual audit reports from previous clients to demonstrate work quality violates confidentiality obligations and exposes those clients' security weaknesses to unauthorized parties.

Information Security and Ethical Hacking Fundamentals

Question

A security consultant is trying to bid on a large contract that involves penetration testing and reporting. The company accepting bids wants proof of work so the consultant prints out several audits that have been performed. Which of the following is likely to occur as a result?

Options

  • AThe consultant will ask for money on the bid because of great work.
  • BThe consultant may expose vulnerabilities of other companies.
  • CThe company accepting bids will want the same type of format of testing.
  • DThe company accepting bids will hire the consultant because of the great work performed.

How the community answered

(39 responses)
  • A
    10% (4)
  • B
    82% (32)
  • C
    3% (1)
  • D
    5% (2)

Why each option

Sharing actual audit reports from previous clients to demonstrate work quality violates confidentiality obligations and exposes those clients' security weaknesses to unauthorized parties.

AThe consultant will ask for money on the bid because of great work.

The consultant requesting payment based on prior work quality is unrelated to the primary consequence of distributing confidential client security reports to outside parties.

BThe consultant may expose vulnerabilities of other companies.Correct

Security audit and penetration testing reports contain detailed findings about an organization's vulnerabilities, misconfigurations, and security gaps, all of which are highly sensitive. Presenting these reports to a third party without the original client's authorization breaches confidentiality agreements and could enable attackers to exploit the disclosed weaknesses. This is both an ethical violation under professional security codes of conduct and a potential legal liability for the consultant.

CThe company accepting bids will want the same type of format of testing.

The prospective company preferring a specific testing format is a minor and unlikely consequence compared to the serious ethical and legal breach of exposing client vulnerability data.

DThe company accepting bids will hire the consultant because of the great work performed.

While the work quality might impress the prospective client, the more likely and significant outcome is the ethical violation and potential harm caused by disclosing other organizations' security vulnerabilities.

Concept tested: Confidentiality obligations in security consulting engagements

Source: https://www.isc2.org/ethics

Topics

#ethics#confidentiality#professional conduct#penetration testing

Community Discussion

No community discussion yet for this question.

Full 312-50V11 Practice