Module 03: Planning and Scoping
True
Before any hands-on pen-testing activities take place, the entire pen-testing engagement must be carefully and completely planned. A. True B. False
GDPR
Data security and privacy rights are requirements of which compliance standard? A. PCI DSS B. GDPR C. FIPS D. ISO 27001
72 hours
In the event of a data breach, how long does an organization have to report the breach according to GDPR requirements? A. 24 hours B. 72 hours C. 48 hours D. 5 business days
False
Nmap is a globally recognized pen-testing tool that pen testers are allowed to use without restriction. A. True B. False
False
Obtaining authorized permission to attack from an organization automatically provides permission to attack any resources that may be hosted by third-party service providers. A. True B. False
SOW
What document is a contractual agreement between two or more parties that covers details such as scope, deliverables, price and payment schedule, project schedule, change management handling rules, locations of work, and liability disclaimers? A. NDA B. MSA C. SLA D. SOW
SLA
What document is a contractual agreement between two or more parties, where one party is the customer and the other a service provider, and outlines the services to be provided to the customer? A. NDA B. MSA C. SLA D. SOW
NDA
What document is a legally enforceable agreement between pen testers and clients that states that any confidential or sensitive information disclosed by the client to the pen tester, or discovered during pen testing, will not be disclosed to parties outside of the agreement? A. NDA B. MSA C. SLA D. SOW
ROE
What documented part of pen-test planning defines the dos and don'ts, such as the types of tests that are being performed and the types of tests that are disallowed? A. SOW B. ROE C. SLA D. NDA
Practices that ensure organizational activities are aligned to support the organization's business goals.
What is governance? A. Government regulations that must be taken into consideration during pen testing. B. Practices that ensure organizational activities are aligned to support the organization's business goals. C. Governance is what the "G" in "GDPR" stands for. D. Confirming that all organizational activities meet organizational policies, jurisdictional laws, and regulations.
PCI DSS, GDPR
Which of the following are examples of regulatory compliance standards? Choose all that apply. A. PCI DSS B. GDPR C. PCI SCC D. DPO
The MITRE ATT&CK framework
Which of the following is a free, globally accessible service that offers comprehensive and current cybersecurity threat information detailing threat activities, techniques, and models? A. The Penetration Testing Execution Standard (PTES) B. The MITRE ATT&CK framework C. The CVE website D. OWASP
Implementing security changes to address GDPR requirements
Which of the following is not a DPO responsibility? A. Educating the company and employees on important compliance requirements B. Conducting audits to ensure compliance and address potential issues proactively C. Maintaining comprehensive records of all data processing activities conducted by the company, including the purposes of all processing activities, which must be made public on request D. Implementing security changes to address GDPR requirements