medium
Single Answer
Maeve is preparing to sign a penetration testing contract with a third-party security service provider. The security service provider provides a questionnaire that asks the scope of systems that can and cannot be tested, the schedule and times that penetration testing can and cannot occur, and what to do if a preexisting compromise is discovered. What document is the third-party service provider assembling?
Answer Options
A
A right-to-audit clause
B
A service-level agreement
C
A memorandum of understanding
D
Rules of engagement
Correct Answer: D
Explanation
Rules of engagement are created for penetration testing efforts and include a wide variety of information, including scope, schedules, what to do if a preexisting compromise is discovered, requirements for how to handle third-party-hosted tools and environments, how sensitive data and data related to the penetration test will be handled, and who to contact in emergencies. A right-to-audit clause is included in contracts, allowing audits to occur as part of the contract. SLAs are used to set service levels and penalties if they are not met, and MOUs document organizations’ interest and willingness to work together.