CompTIA CySA+ (CS0-001) — Question 1

A company that is hiring a penetration tester wants to exclude social engineering from the list of authorized activities. Which of the following documents should include these details?

Answer options

• A. Acceptable use policy
• B. Service level agreement
• C. Rules of engagement
• D. Memorandum of understanding
• E. Master service agreement

Correct answer: C

Explanation

The correct answer is C, as the 'Rules of engagement' define the boundaries and scope of the penetration test, including what activities are permitted or prohibited. The other options, while important documents, do not specifically outline the permissions and restrictions relevant to the penetration testing activities.