312-50V11 · Question #482
You are about to be hired by a well known Bank to perform penetration tests. Which of the following documents describes the specifics of the testing, the associated violations, and essentially protect
The correct answer is C. Terms of Engagement. The Terms of Engagement (also called Rules of Engagement) is the document that defines the scope, permitted actions, legal boundaries, and liabilities for both parties in a penetration test.
Question
You are about to be hired by a well known Bank to perform penetration tests. Which of the following documents describes the specifics of the testing, the associated violations, and essentially protects both the bank's interest and your liabilities as a tester?
Options
- AService Level Agreement
- BNon-Disclosure Agreement
- CTerms of Engagement
- DProject Scope
How the community answered
(63 responses)- A3% (2)
- B2% (1)
- C95% (60)
Why each option
The Terms of Engagement (also called Rules of Engagement) is the document that defines the scope, permitted actions, legal boundaries, and liabilities for both parties in a penetration test.
A Service Level Agreement (SLA) defines performance metrics and uptime guarantees for ongoing services; it does not govern the specific authorized actions and liabilities of a security test.
A Non-Disclosure Agreement (NDA) covers confidentiality of information shared between parties but does not define testing scope, permitted violations, or tester liabilities.
The Terms of Engagement formally establishes what systems may be tested, what techniques are authorized, the timeline, escalation procedures, and the legal protections for both the tester and the client. It is the primary document that prevents unauthorized activity from being classified as criminal and ensures the bank's assets are protected within agreed boundaries.
A Project Scope document outlines deliverables and boundaries of a project in general terms but lacks the legal authorization language, violation definitions, and liability protections specific to penetration testing engagements.
Concept tested: Penetration testing rules of engagement documentation
Source: https://csrc.nist.gov/publications/detail/sp/800-115/final
Topics
Community Discussion
No community discussion yet for this question.