PCI-DSS ISA Exam Q & A

PCI-DSS ISA Exam Q & A QSAs must retain work papers for a minimum of _______ years. It is a recommendation for ISAs to do the same. - ANSWER 3 According to PCI DSS requirement 1, Firewall and router rule sets need to be reviewed every _____ months. - ANSWER 6 At least ______________ and prior to the annual assessment the assessed entity: - Identifies all locations and flows of cardholder data to verify they are included in the CDE - Confirms the accuracy of their PCI DSS scope - Retains their scoping documentation for assessor reference - ANSWER annually scope includes - ANSWER ppl process, tech Evidence Retention It is recommended that the ISA secure and maintain digital and/or hard copies of case logs, audit results and work papers, notes, and any technical information that was created and/or obtained during the PCI Data Security Assessment for a minimum of ________ or as applicable to company data retention policies - ANSWER of three (3) years A (time) ______ process for identifying and securely deleting stored cardholder data that exceeds defined retention requirements. - ANSWER quarterly Do not store SAD after ____________ (even if encrypted). (track data / cvc / pin) - ANSWER authorization manual clear-text key-management procedures specify processes for the use of the following - ANSWER Split knowledge.Dual control Dual control - ANSWER least two people are required to perform any keymanagement operations and no one person has access to the authentication materials (for example, passwords or keys) of another Split knowledge - ANSWER key components are under the control of at least two people who only have knowledge of their own key components PAN is rendered unreadable in which ways - ANSWER hash mask encrypt pad Ensure that all system components and software are protected from known vulnerabilities by installing applicable vendor-supplied security patches. Install critical security patches within _____ of release. - ANSWER one month Installation of all applicable vendor-supplied security patches within an ___________________ - ANSWER appropriate time frame (for example, within three months) makes sure change control has these 4 things - ANSWER impack testing (PCI review) backout approval Train developers at least ________ in up-to-date secure coding techniques, including how to avoid common coding vulnerabilities, and understanding how sensitive data is handled in memory. - ANSWER annually Reviewing public-facing web applications via manual or automated application vulnerability security assessment tools or methods, at least ___________________ or automated technical solution that detects and prevents web-based attacks active _________ - ANSWER annually and after any changes all the time Observe user accounts to verify that any inactive accounts over __________ are either removed or disabled. - ANSWER 90 days old