Assuming the penetration test is successful, what is the best way for the penetration testing firm to demonstrate the risk of theft of financial data?
Instruct the penetration testing team to download financial data, redact it, and report accordingly.
Instruct the penetration testing team to conduct a thorough vulnerability assessment of the server containing financial data.
Instruct the penetration testing team that they may only download financial data via an encrypted and authenticated channel.
Place a harmless "flag" file in the same location as the financial data, and inform the penetration testing team to download the flag.
The correct answer is: Place a harmless "flag" file in the same location as the financial data, and inform the penetration testing team to download the flag.
Explanation: A flag is a dummy file containing no regulated or sensitive data. It is placed in the same area of the system as the credit card data and protected with the same permissions. If the tester can read and/or write to that file, then they prove they could have done the same to the credit card data.
Wrong answer: "Instruct the penetration testing team to conduct a thorough vulnerability assessment of the server containing financial data." is a vulnerability test.
Wrong answers: "Instruct the penetration testing team to download financial data, redact it, and report accordingly." and "Instruct the penetration testing team that they may only download financial data via an encrypted and authenticated channel." are dangerous and could involve unauthorized access of regulated data, such as health care records.
Source: 11th Hour CISSP 3rd Ed, Chapter 6, Page 142.