Section 1: Planning an Engagement

Question 1

Vulnerability vs Risk vs Threat

Answer 1

Question 2

Risk Handling Strategies

Answer 2

Risk Avoidance
Risk Transfer
Risk Mitigation
Risk Acceptance

Question 3

Risk Appetite vs Risk Tolerance

Answer 3

Risk Appetite - Overall generic level of risk the organization is willing to accept
Risk Tolerance - Specific maximum risk the organization is willing to takeabout a specific identified risk

Question 4

Access Control Types

Answer 4

Compensative - used in place of primary control
Corrective - reduces the effect (fire extinguishers)
Detective
Deterrent - discourages violation of security policies (security camera)
Directive - Acceptable Use Policy
Preventitive
Recovery

Question 5

Statement of Work

Answer 5

A formal document that details the tasks to be performed during an engagement
▪ The statement of work will usually contain the list of deliverables
● Final report
● Responsibilities of the penetration tester and the client
● Schedule
● Timelines for payments

Question 6

Master Service Agreement (MSA)

Answer 6

A specialized type of contract that is used to govern future transactions and agreements

Used if you do a lot of work for the same client repeatedly.

Question 7

Sarbanes-Oxley (SOX)

Answer 7

Affects publicly traded U.S. corporations

Question 8

Gramm-Leach-Bliley Act of 1999 (GLBA)

Answer 8

Affects banks, mortgage companies, loan offices, insurance companies, investment companies, and credit card providers

Question 9

Federal Information Security Management Act of 2002 (FISMA)

Answer 9

Affects federal agencies

Question 10

Family Educational Rights and Privacy Act (FERPA)

Answer 10

Protects the privacy of student education records