Answers are on the bottom of this post.
==================================================================
1) Which of the following items are included in the Compensating Controls worksheet:
A. Constraints, assumptions, identified risks and definition of compensating controls
B. Constraints, objectives, identified risks and definition of compensating controls
C. Constraints, assumptions, mitigated risks and definition of compensating controls
D. Constraints, objectives, mitigated risks and maintenance
E. None of the above items are included in the Compensating Controls worksheet.
2) Which of the following items CANNOT be stored:
A. Cardholder name
B. Service code
C. PIN
D. Personal Account Number
E. All of the above items may be stored
F. None of the above items may be stored
3) The process of isolating the cardholder data environment from the remainder of an entity’s network is called:
A. Network segmentation
B. Network virtualization
C. Data isolation
D. Access controls
E. None of the above is correct
4) For those entities that outsource storage, processing or transmission of cardholder data to third party service providers, which of the following must be completed:
A. Report on Compliance (ROC)
B. PCI Forensics Investigation
C. Compensation Controls worksheet
D. All of the above
E. Since the processes have been outsourced, there is no further compliance obligation.
5) Which of the following are NOT a part of the Report on Compliance (ROC):
A. Executive summary
B. Contact information and report date
C. Findings and observations
D. All of the above are required
E. None of the above are required
6) The first step of a PCI assessment is to:
A. Define a comprehensive list of stakeholders
B. Assess risk
C. Develop a timeline of the assessment
D. Determine the scope of the review
7) Steps to reduce the scope of the cardholder data environment may include all items below EXCEPT:
A. Reducing the number of locations where cardholder data is present
B. Eliminate unnecessary data
C. Purge all data that is older than 1 week
D. Consolidation of necessary data
E. All the above items are correct
8) Before wireless technology is implemented:
A. Establish all WEP and WPA security keys and disseminate only on a "need to know" basis
B. An entity should carefully evaluate the need for the technology against the risk
C. Run penetration tests on the entity's network
D. Secure the locations of all Wireless Access Points
E. All the above items should be addressed and documented.
==========================================================
1) ANSWER: B
Constraints, objectives, identified risk, definition of compensating controls, validation of compensating controls and maintenance are all requirements from Appendix C of the PCI Data Security Standard.
2) ANSWER: C
PCI Data Security Standard page 8 tells us that cardholder name, service code and Personal Account Number and expiration date may be stored.
Full magnetic stripe data, CAV2/CVC2/CVV2/CID and PIN/PIN block cannot be stored per requirement 3.2.
3) ANSWER: A
PCI Data Security Standard page 10 states that network segmentation is not a requirement but is strongly recommended.
4) ANSWER: A
Per the PCI Data Security Standard page 11, a Report on Compliance must document the role of each service provider.
5) ANSWER: D
The Report on Compliance (ROC) includes (1) Executive summary, (2) description of scope of work and approach taken, (3) details about reviewed environment, (4) contact information and report date, (5) quarterly scan results and (6) findings and observations. This information is in the PCI Data Security Standard pages 14 - 17.
6) ANSWER: D
Identify all locations and flows of cardholder data and ensure that they are included in scope. This information is in the PCI Data Security Standard page 10.
7) ANSWER: C
Reducing the number of locations where cardholder data is present, eliminating unnecessary data and consolidating necessary data are all steps in reducing scope or "Network Segmentation" per the PCI Data Security Standard page 11.
8) ANSWER: B
The PCI Data Security Standard states on page 11 that an entity should carefully evaluate the need for the wireless technology against the risk. Also, consider deploying wireless technology only for non-sensitive data transmission.