ISA Training Slides Flashcards

1
Q

What does the PCI DSS scope include? (3)

A
  • People
  • Processes
  • Technology
2
Q

Give a couple of examples of people (roles) that may be included in the scope of an assessment

A
  • Cashiers and sales clerks
  • Back-office clerks
  • Call center operators
  • Systems and network administrators
  • IT support personnel
  • Application developers
  • Key custodians
  • Human resources
  • Information security officers
  • Customer support
  • Accounting/finance personnel
  • Supervisors/managers for each area
  • Senior management and executives
3
Q

Which department might have information pertaining to details about payment channels and acquirer relationships?

A

Accounting and finance department

4
Q

On the topic of PCI DSS, what is PAN?

A

Personal Account Number

5
Q

What processes may be related to payment processing?

A
  • Regular payment processing channels
  • Payment cancellations and chargebacks
  • Back-up and fail-over processes
  • Reconciliation, periodic reporting
  • Distribution and storage of paper reports and other physical media
  • Legacy processes and data stores
  • Onboarding processes for new personnel
6
Q

What are some examples of supporting processes?

A
  • Authorizations and approvals for system access
  • Firewall review processes
  • Change management
  • Scheduling of security patch deployments
  • System building and configuration
  • Identifying and escorting visitors
  • Performing log reviews
  • Processes for reporting potential security incidents
  • Security policy updates
7
Q

What needs to be reviewed if a PAN is included in printed records?

A

The process for printing, collecting, transporting, storing, and destroying the reports will need to be reviewed.

8
Q

What piece of evidence can identify the systems from which cardholder data may be printed, as well as identify where alternative processes may be initiated if the usual system or method is unavailable?

A

Data-flow diagrams

9
Q

What are some examples of technologies that might be in scope for a PCI DSS assessment?

A
  • Servers, application, networks, devices
  • Physical security systems
  • Logical security systems
  • Payment terminals and point of sale systems
  • Electronic communications
  • Backups and disaster recovery “hot” sites
  • Telecommunications
    • POTS vs VoIP
  • Management systems
  • Remote access systems
10
Q

What is the process of selecting a cross-section of a group that is representative of the entire group?

A

Sampling. Assessors may use sampling to reduce overall testing effort once it has been validated that the entity has standard, centralized PCI DSS security and operational processes and controls in place. Sampling is not a PCI DSS requirement.

11
Q

What are the 5 principles of sampling?

A
  • The sample must be representative of the entire population
  • Consider business facilities and system components
  • Samples of system components must include all combinations
  • Samples must be large enough to provide assurance that controls are implemented as expected
  • Assessor’s sampling methodology documented in ROC
12
Q

What are 4 things to include in pre-assessment planning?

A
  • List of interviewees, system components, documentation, facilities
  • Ensure assessor is familiar with technologies included in assessment
  • Identify the roles and the individuals within each role to be interviewed as part of the assessment
  • If sampling, verify the sample selection and size is representative of the entire population
13
Q

What pre-assessment activities should an assessor consider when preparing for an assessment? Choose all that apply
A) Consider size and complexity of the environment to be assessed
B) Ensure assessor(s) has competent knowledge of the technologies being assessed
C) Complete all ROC sections prior to commencement of the assessment
D) Identify types of system components and locations of facilities to be reviewed

A

A, B, and D.

14
Q

What are the six main goals of PCI DSS?

Bob Protects Many Issues Regularly, Man

A
  1. Build and maintain a secure network and systems
  2. Protect cardholder data
  3. Maintain a vulnerability management program
  4. Implement strong access control measures
  5. Regularly monitor and test networks
  6. Maintain an information security policy
15
Q

Which requirements satisfy goal 1 “Build and maintain a secure network and systems”?

A

Requirements 1 and 2

  1. Install and maintain a firewall configuration to protect cardholder data
  2. Do not use vendor-supplied defaults for system passwords and other security parameters
16
Q

Which requirements satisfy goal 2 “Protect cardholder data”?

A

Requirements 3 and 4

  1. Protect cardholder data
  2. Encrypt transmission of cardholder data across open, public networks
17
Q

Which requirements satisfy goal 4 “Implement strong access control measures”?

A

Requirements 7, 8, and 9.

  1. Restrict access to cardholder data by business need-to-know
  2. Identify and authenticate access to system components
  3. Restrict physical access to cardholder data
18
Q

Which requirements satisfy goal 3 “Maintain a vulnerability management program”?

A

Requirements 5 and 6.

  1. Protect all systems against malware and regularly update anti-virus software or programs
  2. Develop and maintain secure systems and applications
19
Q

Which requirements satisfy goal 5 “Regularly monitor and test networks”?

A

Requirements 10 and 11.

  1. Track and monitor all access to network resources and cardholder data
  2. Regularly test security systems and processes
20
Q

Which requirement satisfies goal 6 “Maintain an information security policy”?

A

Requirement 12

  1. Maintain a policy that addresses information security for all personnel
21
Q

Which systems must be protected from unauthorized access from untrusted networks?

A

All systems.

22
Q

Requirement 1.1.4 requires that firewalls be located where?

A

At any DMZ or internet connection.

23
Q

Within PCI DSS, what is an untrusted network?

A

Any network that is external to the networks belonging to the entity under review

24
Q

Under which requirement would you be likely to use the following documents to assess?

  • Inventory of hardware and software system components
  • Information security policy and operational procedures
  • Wireless configuration standards
  • System configuration standards for all system types
  • Network diagrams (for location of system types)
  • Vendor documentation
  • Vulnerability scans and penetration test results
A

Requirement 2 - Do not use vendor-supplied defaults for system passwords and other security parameters

25
Q

Under which requirement would you be likely to use the following documents to assess?

  • Firewall and router configuration standards
  • Firewall and router change control process and change records
  • Network diagrams
  • Data flow diagrams
  • Documented roles and responsibilities
  • Firewall/Router rule sets
  • Records of firewall reviews
  • Vulnerability scans and penetration test results
  • Firewall/router vendor documentation
  • Information security policy and operational procedures
  • Configuration standards for remote computers
A

Requirement 1 - Install and maintain a firewall configuration to protect cardholder data

26
Q

Under which requirement would you be likely to use the following documents to assess?

  • Information security policy
  • Data retention policy
  • Data disposal policy
  • Inventory of all locations and displays of cardholder data
  • Samples of all types of printed displays including receipts, if applicable
  • Process for identifying and securely deleting stored cardholder data
  • Vendor manuals and system configuration documentation
  • Output of database tables, t-logs, trace files, debug files, flat files, etc.
  • Evidence of the strength of encryption algorithms used
  • Storage locations for encryption and decryption keys
  • User access lists for cryptographic keys
  • Documented key management procedures
  • Sample of forms signed by key custodians
A

Requirement 3 - Protect stored cardholder data