nerdexam
(ISC)2

CISSP · Question #705

A security professional has been requested by the Board of Directors and Chief Information Security Officer (CISO) to perform an internal and external penetration test. What is the BEST course of acti

The correct answer is D. With notice to the organization, perform an external penetration test first, then an internal test.. Security best practice is to start with an external penetration test because it simulates how an outside attacker would first attempt to breach the organization’s perimeter (firewalls, public‑facing servers, VPNs, etc.). Once external findings are understood and remediated, an in

Submitted by brentm· Mar 5, 2026Security Assessment and Testing

Question

A security professional has been requested by the Board of Directors and Chief Information Security Officer (CISO) to perform an internal and external penetration test. What is the BEST course of action?

Options

  • AReview data localization requirements and regulations.
  • BReview corporate security policies and procedures,
  • CWith notice to the Configuring a Wireless Access Point (WAP) with the same Service Set
  • DWith notice to the organization, perform an external penetration test first, then an internal test.

How the community answered

(34 responses)
  • A
    3% (1)
  • B
    18% (6)
  • C
    9% (3)
  • D
    71% (24)

Explanation

Security best practice is to start with an external penetration test because it simulates how an outside attacker would first attempt to breach the organization’s perimeter (firewalls, public‑facing servers, VPNs, etc.). Once external findings are understood and remediated, an internal penetration test can then assess what an attacker could do if they gained a foothold inside the network, such as privilege escalation and lateral movement.

Topics

#penetration testing#ethical hacking#authorization#testing methodology

Community Discussion

No community discussion yet for this question.

Full CISSP Practice