312-50V9 · Question #37
A security consultant is trying to bid on a large contract that involves penetration testing and reporting. The company accepting bids wants proof of work so the consultant prints out several audits t
The correct answer is B. The consultant may expose vulnerabilities of other companies.. Sharing prior audit reports with a prospective client violates confidentiality obligations and exposes the vulnerabilities of the organizations that commissioned those audits.
Question
A security consultant is trying to bid on a large contract that involves penetration testing and reporting. The company accepting bids wants proof of work so the consultant prints out several audits that have been performed. Which of the following is likely to occur as a result?
Options
- AThe consultant will ask for money on the bid because of great work.
- BThe consultant may expose vulnerabilities of other companies.
- CThe company accepting bids will want the same type of format of testing.
- DThe company accepting bids will hire the consultant because of the great work performed.
How the community answered
(48 responses)- A2% (1)
- B83% (40)
- C10% (5)
- D4% (2)
Why each option
Sharing prior audit reports with a prospective client violates confidentiality obligations and exposes the vulnerabilities of the organizations that commissioned those audits.
Receiving a higher bid amount does not address or mitigate the primary problem of having already violated client confidentiality by sharing the reports.
Penetration test and audit reports contain highly sensitive details about the vulnerabilities, configurations, and weaknesses of the client organizations that commissioned them. Sharing these documents with a third party - even to demonstrate competence - violates confidentiality agreements and non-disclosure obligations, directly exposing other companies' security weaknesses to unauthorized parties. This is both an ethical violation and a potential legal liability for the consultant.
The prospective company requesting a specific test format is a secondary and unlikely outcome compared to the immediate confidentiality breach caused by sharing private audit reports.
Being hired is an unlikely outcome if the prospective company recognizes that the consultant violated client confidentiality - it signals the consultant cannot be trusted with their own sensitive data.
Concept tested: Confidentiality obligations in security consulting engagements
Topics
Community Discussion
No community discussion yet for this question.