312-50V9 · Question #349
You are about to be hired by a well known Bank to perform penetration tests. Which of the following documents describes the specifics of the testing, the associated violations, and essentially protect
The correct answer is C. Terms of Engagement. The Terms of Engagement (Rules of Engagement) formally defines the scope, authorized activities, limitations, and liability boundaries for a penetration test engagement.
Question
You are about to be hired by a well known Bank to perform penetration tests. Which of the following documents describes the specifics of the testing, the associated violations, and essentially protects both the bank's interest and your liabilities as a tester?
Options
- AService Level Agreement
- BNon-Disclosure Agreement
- CTerms of Engagement
- DProject Scope
How the community answered
(18 responses)- C94% (17)
- D6% (1)
Why each option
The Terms of Engagement (Rules of Engagement) formally defines the scope, authorized activities, limitations, and liability boundaries for a penetration test engagement.
A Service Level Agreement defines expected service quality, uptime guarantees, and performance metrics between a service provider and customer, not the specifics of security testing authorization and liability.
A Non-Disclosure Agreement covers confidentiality of information exchanged between parties but does not define what testing is permitted, the associated violations, or liability protections for the tester.
The Terms of Engagement - sometimes called Rules of Engagement - is the legal and operational document that specifies exactly what systems can be tested, what techniques are authorized, the timeline, notification procedures, and the consequences for violations. It legally protects the bank by defining boundaries the tester cannot cross, and it protects the tester from liability by providing written authorization for activities that would otherwise be illegal. This document is the foundation of any authorized penetration test.
Project Scope defines the boundaries of what is included in a project but is not a legal document addressing violations, liabilities, or the formal authorization required to conduct offensive security testing.
Concept tested: Rules of Engagement and legal authorization for pen testing
Source: http://www.pentest-standard.org/index.php/Pre-engagement#Rules_of_Engagement
Topics
Community Discussion
No community discussion yet for this question.