Effective CISSP Questions

Your company sells toys online worldwide. A web-based E-Commerce system developed in-house and deployed to a public cloud supports the business. As a security professional, you suggest penetration testing should be conducted. Which of the following is your most concern?
A. The decision of employment of internal or external penetration test team
B. The capability and experience of the penetration test team
C. The procedure that the penetration test team asks for permission to conduct penetration testing
D. The escalation path to the senior management if testing takes down the system

Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.

My suggested answer is C. The procedure that the penetration test team asks for permission to conduct penetration testing.

Incident Prioritization and Notification

When conducting penetration tests, the attack should be detected and responded to by the IR team. An incident should be prioritized and notified to appropriate parties and levels according to the incident response (IR) plan.

NOT all incidents, including the system breakdown, are required to be reported to senior management. It’s the core concept of incident prioritization.

Legal Ramifications

However, pen-testing teams must always ask for permission to conduct the testing. If not, it’s common to trap the pen-testing teams into legal cases.
I included many legal cases in this post.


The question appears to be written from the perspective of the company that wants to hire a penetration tester. Do they really care more about the potential tester’s engagement process than their compentency?

Source: @GS from

The competency of the pentesting team is crucial. It’s an excellent answer to this question. I suggest “C. The procedure that the pentesting team asks for permission to conduct pentesting” as the answer to overstress the importance of engagement rules for pentesting teams.

  • Competency is evaluated in almost every procurement of pentesting services if they are outsourced. It is nearly a routine selection criteria, and the acquisition is typically conducted by procurement staff, not the security professional. That’s why it won’t be the most concern as far as I am concerned.
  • However, the engagement process and rules can be project-based (vary from project to project) and have a higher risk. They are often overlooked in practice.

We had a real case of pentesting leading to the disruption of the banking system in Taiwan. A pentesting team was authorized to start testing at 03:00 PM, but it starts one hour earlier. Unfortunately, the exploitation results in a system disruption. The senior management was really upset about this incident. The pentesting team was dismissed, and the project manager was blamed.

I revised the question from “Which of the following is the most concern?” to “Which of the following is your most concern?” so that it looks more consultative and reflects my suggested answer is just a suggestion.



My new book, The Effective CISSP: Security and Risk Management, helps CISSP aspirants build a solid conceptual security model. It is not only a tutorial for information security but also a study guide for the CISSP exam and informative reference for security professionals.

  • It is available on Amazon.
  • Readers from countries or regions not supported by Amazon can get your copy from the author’s web site.


Leave a Reply