A client evaluating a penetration testing company requests examples of its work. Which of the following represents the BEST course of action for the penetration testers?
The best course of action for penetration testers when a client requests examples of their work is to determine which reports are no longer under a period of confidentiality. This ensures that the confidentiality and privacy of previous clients are respected while still providing the potential client with relevant examples of the testers' work. Redacting identifying information alone may still risk exposing sensitive details, and sharing raw output or only allowing on-site viewing may not be as practical or helpful.
Redacting identifying information and providing a previous customer's documentation would be the best course of action for the penetration testers in this scenario. This approach would allow the client to review actual examples of the penetration testing company's work without compromising the privacy and confidentiality of previous clients.
OK, I change to C for this reason: Showing confidential information, even after redacting sensitive information, can still be a breach of confidentiality agreements or ethical standards, unless you have obtained explicit permission from the owner of the information to do so. Redaction alone may not be enough to guarantee the confidentiality of the information. There may be other details within the documentation that could identify the previous customer or reveal sensitive information. Additionally, there may be legal or contractual obligations that prevent the disclosure of confidential information without explicit permission from the owner.
A does not address the confidentiality agreement; by providing a client's information, even if redacted, you are still violating your terms of agreement and NDA.
The client's information would be REDACTED, no?
Even if redacted.
Nah, it's definitely A. Even if a report is no longer under a confidentiality agreement, it may still contain sensitive information that should not be shared without explicit permission from the client who owns that report.
I think C, to make sure there is no NDA on those documents.
I'm sorry but you as a pen tester can't just "decide" to redact any identifying information from a previous customer to support another "potential" customer.
Redacting is not foolproof. In a lot of cases, it is possible to reverse the redaction and see what is underneath. The safest bet is to see what is no longer under NDA.
Answer is C. See Cy_Analyst8's comment. Very good response: Showing confidential information, even after redacting sensitive information, can still be a breach of confidentiality agreements or ethical standards, unless you have obtained explicit permission from the owner of the information to do so. Redaction alone may not be enough to guarantee the confidentiality of the information. There may be other details within the documentation that could identify the previous customer or reveal sensitive information. Additionally, there may be legal or contractual obligations that prevent the disclosure of confidential information without explicit permission from the owner.
A. Redact identifying information and provide a previous customer's documentation. By redacting (removing) all identifying information, you can demonstrate the quality and thoroughness of your work without exposing any sensitive or confidential information. This approach respects the privacy of previous clients while still giving the prospective client a sense of what they can expect from your services. The other options either don't address the privacy and confidentiality concerns adequately or might not provide the client with a clear and comprehensive understanding of the quality of work they can expect.
C is correct. Penetration testing reports contain sensitive information about the vulnerabilities and risks of a customer's systems and networks. Therefore, penetration testers should respect the confidentiality and privacy of their customers and only share their reports with authorized parties. Penetration testers should also follow the terms and conditions of their contracts with their customers, which may include a period of confidentiality that prohibits them from disclosing any information related to the testing without the customer's consent.
C is the correct answer
A. Redact identifying information and provide a previous customer’s documentation: • Providing examples of previous work is a common request, but it is crucial to protect the confidentiality and privacy of past clients. By redacting any identifying information (such as company names, specific system details, IP addresses, and other sensitive data) from the documentation, the penetration testing company can share meaningful examples of their work without violating confidentiality agreements or exposing sensitive information.
Not C. Determine which reports are no longer under a period of confidentiality: • While it’s important to respect confidentiality periods, the relevance of older reports might be questionable. Additionally, this approach does not ensure that sensitive information is protected unless the reports are thoroughly reviewed and redacted.
C. Determine which reports are no longer under a period of confidentiality. The BEST course of action for the penetration testing company to provide examples of its work to a potential client would be to determine which reports are no longer under a period of confidentiality. It is important to protect the confidentiality and privacy of previous clients, so redacting identifying information and providing a previous customer's documentation may not be appropriate. Allowing the client to only view the information while in secure spaces may not be practical, and providing raw output from penetration testing tools may not be useful for the client. Therefore, determining which reports are no longer under a period of confidentiality and providing redacted versions of those reports would be the most appropriate course of action.
C, I would say. I see the argument for A, but whether you hide the company's name or not, that wouldn't change the fact that you're breaching confidentiality guidelines if restrictions are in place. A "smaller" breach is still a breach.
I think C is the answer but not 100% sure.
I think C is correct