Exam PT0-002 topic 1 question 3 discussion

Actual exam question from CompTIA's PT0-002
Question #: 3
Topic #: 1

A compliance-based penetration test is primarily concerned with:

  • A. obtaining PII from the protected network.
  • B. bypassing protection on edge devices.
  • C. determining the efficacy of a specific set of security standards.
  • D. obtaining specific information from the protected network.
Suggested Answer: C

Comments

RRabbit_111
Highly Voted 1 year, 3 months ago
Selected Answer: C
C. determining the efficacy of a specific set of security standards. A compliance-based penetration test is primarily concerned with determining whether a specific set of security standards is being met by the organization. The main goal is to assess the organization's compliance with these standards and identify any vulnerabilities or weaknesses that could potentially put sensitive data at risk. This could include testing for compliance with regulations such as HIPAA, PCI-DSS, SOX, etc. It does not focus on obtaining personally identifiable information (PII) or specific information from the protected network, or bypassing protection on edge devices.
upvoted 9 times
solutionz
Most Recent 9 months ago
Selected Answer: A
A. obtaining PII from the protected network. A compliance-based penetration test focuses on assessing an organization's adherence to specific security standards and regulatory requirements. The primary concern of this type of test is to identify vulnerabilities and weaknesses in the organization's security controls and processes, especially those related to compliance with relevant regulations and standards. Option A, obtaining PII (Personally Identifiable Information), aligns with the goal of a compliance-based penetration test. The test aims to determine whether the organization adequately protects sensitive data, such as PII, in compliance with applicable data protection laws and regulations. While options B, C, and D might be relevant in some types of penetration tests, they are not the primary focus of a compliance-based test. The main objective is to assess compliance with specific security standards and regulatory requirements, rather than actively bypassing edge devices or obtaining specific information from the protected network.
upvoted 1 times