CompTIA CySA+ (CS0-001) — Question 65
An organization is performing vendor selection activities for penetration testing, and a security analyst is reviewing the MOA and rules of engagement, which were supplied with proposals. Which of the following should the analyst expect will be included in the documents and why?
Answer options
- A. The scope of the penetration test should be included in the MOA to ensure penetration testing is conducted against only specifically authorized network resources.
- B. The MOA should address the client SLA in relation to reporting results to regulatory authorities, including issuing banks for organizations that process cardholder data.
- C. The rules of engagement should include detailed results of the penetration scan, including all findings, as well as designation of whether vulnerabilities identified during the scanning phases are found to be exploitable during the penetration test.
- D. The exploitation standards should be addressed in the rules of engagement to ensure both parties are aware of the depth of exploitation that will be attempted by penetration testers.
Correct answer: C
Explanation
Option C is correct because the rules of engagement typically outline the findings of the penetration test, including whether identified vulnerabilities are exploitable. Option A is incorrect because it covers only the scope, not the results. Option B is incorrect because it concerns SLAs and regulatory reporting rather than the specifics of the engagement. Option D is incorrect because it addresses exploitation standards rather than the results of the penetration scan.