CISSP · Question #752
The three PRIMARY requirements for a penetration test are
The correct answer is A. A defined goal, limited time period, and approval of management. A penetration test must be properly scoped and authorized to be legal and effective. The three primary requirements ensure the test is purposeful, bounded, and sanctioned.
Question
The three PRIMARY requirements for a penetration test are
Options
- AA defined goal, limited time period, and approval of management
- BA general objective, unlimited time, and approval of the network administrator
- CAn objective statement, disclosed methodology, and fixed cost
- DA stated objective, liability waiver, and disclosed methodology
How the community answered
(19 responses)- A95% (18)
- C5% (1)
Why each option
A penetration test must be properly scoped and authorized to be legal and effective. The three primary requirements ensure the test is purposeful, bounded, and sanctioned.
A defined goal establishes the scope and success criteria of the test, a limited time period ensures the engagement is controlled and distinguishable from an actual attack, and management approval provides the legal authorization that transforms the activity from criminal intrusion into a sanctioned security assessment. Without all three, a penetration test lacks proper governance and legal standing.
An 'unlimited time period' is incorrect because penetration tests must be time-bounded to control risk, contain costs, and distinguish authorized testing from persistent unauthorized access; additionally, approval must come from management (or system owner), not just a network administrator who may lack authority to authorize such testing.
While an objective statement and disclosed methodology are relevant concepts, 'fixed cost' is a contractual/financial consideration, not a primary technical or governance requirement for conducting a penetration test, and methodology disclosure is not always required (black-box tests intentionally limit this).
A liability waiver and disclosed methodology are contractual and procedural considerations, but a liability waiver alone does not replace the requirement for explicit management approval, and disclosed methodology is not always a primary requirement since blind or black-box testing deliberately withholds methodology details.
Concept tested: Core requirements and authorization for penetration testing
Source: https://csrc.nist.gov/publications/detail/sp/800-115/final
Topics
Community Discussion
No community discussion yet for this question.