nerdexam
(ISC)2

CISSP · Question #287

An organization regularly conducts its own penetration tests. Which of the following scenarios MUST be covered for the test to be effective?

The correct answer is A. Third-party vendor with access to the system. Effective penetration testing must account for all entities with access to systems, including third-party vendors, as they represent a critical and often overlooked attack surface.

Submitted by packet_pusher· Mar 5, 2026Security Assessment and Testing

Question

An organization regularly conducts its own penetration tests. Which of the following scenarios MUST be covered for the test to be effective?

Options

  • AThird-party vendor with access to the system
  • BSystem administrator access compromised
  • CInternal attacker with access to the system
  • DInternal user accidentally accessing data

How the community answered

(65 responses)
  • A
    75% (49)
  • B
    6% (4)
  • C
    15% (10)
  • D
    3% (2)

Why each option

Effective penetration testing must account for all entities with access to systems, including third-party vendors, as they represent a critical and often overlooked attack surface.

AThird-party vendor with access to the systemCorrect

Third-party vendors with system access represent a mandatory coverage area in penetration testing because they introduce supply chain risk and trusted-access vectors that bypass perimeter defenses. Vendor accounts often have elevated or persistent access, making them high-value targets for attackers. Failing to test this scenario leaves a significant blind spot in the organization's security posture, as vendor compromise is a common real-world attack vector (e.g., SolarWinds-style supply chain attacks).

BSystem administrator access compromised

While testing compromised administrator access is valuable, it is not the single scenario that MUST be covered above all others, as admin compromise is typically included within broader internal threat modeling rather than being uniquely essential to penetration test effectiveness.

CInternal attacker with access to the system

Testing an internal attacker with system access (insider threat) is a useful scenario but is generally considered a subset of standard penetration testing scope; it does not uniquely define test effectiveness compared to the third-party vendor risk vector.

DInternal user accidentally accessing data

An internal user accidentally accessing data describes an unintentional misconfiguration or access control issue, which is more relevant to access control audits or data loss prevention reviews than to penetration testing, which focuses on deliberate exploitation of vulnerabilities.

Concept tested: Penetration testing scope covering third-party vendor access

Source: https://csrc.nist.gov/publications/detail/sp/800-115/final

Topics

#penetration testing#attack surface#third-party risk#vendor security

Community Discussion

No community discussion yet for this question.

Full CISSP Practice