Certified in Risk and Information Systems Control (CRISC) — Question 196
To reduce the risk introduced when conducting penetration tests, the BEST mitigating control would be to:
Answer options
- A. clearly define the project scope
- B. perform background checks on the vendor
- C. notify network administrators before testing
- D. require the vendor to sign a nondisclosure agreement (NDA)
Correct answer: A
Explanation
Clearly defining the project scope is the best mitigating control because the scope, together with the rules of engagement, sets the boundaries of the test: which systems and address ranges may be touched, when testing may occur, which techniques are permitted (for example, whether denial-of-service or social engineering is allowed), and how the testers must escalate if they find something critical. Most of the risk a penetration test introduces comes from the testing activity itself, such as disrupting production systems, testing assets the organization does not own, or exceeding the authorization the organization granted, and a clearly defined scope addresses these directly. The other options are useful supporting controls but address narrower risks: background checks on the vendor address the trustworthiness of the testers rather than what they do during the test; notifying network administrators reduces the chance of testing being mistaken for a real attack but does not limit what the testers may do; and a nondisclosure agreement protects the confidentiality of the findings but does nothing to constrain the testing process.