Domain 6: Regulation/Policy
Which of the following best describes a non-disclosure agreement?
A common legal contract outlining confidential material that will be shared during the assessment.
Which of the following best describes a master service agreement?
A contract where parties agree to the terms that will govern future actions.
Which of the following best describes the scope of work (SOW) document?
A detailed document that defines exactly what is going to be included in the penetration test.
Heather is working for a cybersecurity firm based in Florida. She will be conducting a remote penetration test for her client, who is based in Utah. Which state's laws and regulations will she need to adhere to?
A lawyer should be consulted on which laws to adhere to, and both parties should agree.
Heather has been hired to work in a firm's cybersecurity division. Her role will include performing both offensive and defensive tasks. Which of the following roles applies to Heather?
A member of the purple team.
Hannah is working on the scope of work with her client. During the planning, she discovers that some of the servers are cloud-based servers. Which of the following should she do?
Add the cloud host to the scope of work.
Which of the following best describes the Wassenaar Arrangement?
An agreement between 41 countries to enforce similar export controls for weapons, including intrusion software.
Yesenia was recently terminated from her position, where she was using her personal cell phone for business purposes. Upon termination, her phone was remotely wiped. Which of the following corporate policies allows this action?
BYOD policy
Which of the following laws is designed to regulate emails?
CAN-SPAM Act
Which type of penetration test is required to ensure an organization is following federal laws and regulations?
Compliance-based
What are the rules and regulations defined and put in place by an organization called?
Corporate policies
Which of the following best describes the rules of engagement document?
Defines whether the test will be a white box, gray box, or black box test, and how sensitive data will be handled.
United States Code Title 18, Chapter 47, Section 1029 deals with which of the following?
Fraud and related activity involving access devices.
Miguel is performing a penetration test on his client's web-based application. Which penetration test framework should Miguel utilize?
OWASP
Which of the following defines the security standards for any organization that handles cardholder information for any type of payment card?
PCI DSS
Which of the following is a common corporate policy that would be reviewed during a penetration test?
Password policy
During a penetration test, Dylan is caught testing the physical security. Which document should Dylan have on his person to avoid being arrested?
Permission to test
Which of the following policies would cover what you should do in case of a data breach?
Sensitive data handling policy
Which of the following is a limitation of relying on regulations?
They rely heavily on password policies.
Charles is updating the policy that affects security patches. Which of the following policies is he updating?
Update policy