According to the CRISC Review Manual, notifying network administrators before testing is the best mitigating control to reduce the risk introduced when conducting penetration tests, because it helps to avoid any disruption or damage to the network services and systems. Penetration testing is a technique that simulates an attack on the network to identify and exploit the vulnerabilities and weaknesses. Notifying network administrators before testing allows them to prepare for the test, monitor the test activities, and respond to any incidents or issues that may arise during the test. The other options are not the best mitigating controls, because they do not address the risk of network disruption or damage. Requiring the vendor to sign a nondisclosure agreement is a legal measure that protects the confidentiality of the network information, but it does not prevent the vendor from causing any harm to the network. Clearly defining the project scope is a planning activity that sets the boundaries and objectives of the test, but it does not ensure the safety and availability of the network. Performing background checks on the vendor is a due diligence activity that verifies the vendor’s credentials and reputation, but it does not guarantee the vendor’s performance or behavior. References = CRISC Review Manual, 7th Edition, Chapter 4, Section 4.2.2, page 181.