Certified in Risk and Information Systems Control (CRISC) — Question 257
When using a third party to perform penetration testing, which of the following is the MOST important control to minimize operational impact?
Answer options
- A. Require the vendor to have liability insurance.
- B. Perform a background check on the vendor.
- C. Require the vendor to sign a nondisclosure agreement.
- D. Clearly define the project scope.
Correct answer: D
Explanation
Clearly defining the project scope is the most important control because it sets explicit boundaries and expectations for the penetration test, which prevents the test from causing unforeseen disruptions to operations. Liability insurance, background checks, and nondisclosure agreements are important for trust and confidentiality, but none of them directly limits the operational impact of the testing itself.