A security team is planning to conduct a social engineering test as part of an organization's security assessment. Which THREE of the following should be included in the test plan to ensure ethical and legal compliance?
Written consent provides legal authorization and clarifies expectations.
Why this answer
Option A is correct because explicit written consent from management is a foundational ethical and legal requirement for social engineering tests. Without documented authorization, the test could be construed as unauthorized access or harassment, violating laws such as the Computer Fraud and Abuse Act (CFAA) or GDPR. This consent ensures the test is conducted under the organization's official risk management framework and provides legal protection for the testers.
Exam trap
The trap here is that candidates may think 'obtain consent' is optional if the test is internal, or they may confuse 'informed consent' with 'blanket approval' and fail to recognize that explicit written consent from management is mandatory to avoid legal and ethical violations.