CompTIA CySA+ (CS0-001) — Question 146

While preparing for a third-party audit, the vice president of risk management and the vice president of information technology have stipulated that the vendor may not use offensive software during the audit. This is an example of:

Answer options

• A. organizational control.
• B. service-level agreement.
• C. rules of engagement.
• D. risk appetite

Correct answer: C

Explanation

The correct answer is C, as 'rules of engagement' refer to the guidelines that dictate how parties should interact during an audit or operation. The other options do not apply in this context; A refers to internal processes, B relates to service expectations, and D describes the level of risk an organization is willing to accept.