ISA Training Slides Flashcards
What does the PCI DSS scope include? (3)
- People
- Processes
- Technology
Give a couple of examples of what people (roles) may be included in the scope of an assessment
- Cashiers and sales clerks
- Back-office clerks
- Call center operators
- Systems and network administrators
- IT support personnel
- Application developers
- Key custodians
- Human resources
- Information security officers
- Customer support
- Accounting/finance personnel
- Supervisors/managers for each area
- Senior management and executives
Which department might have information pertaining to details about payment channels and acquirer relationships?
Accounting and finance department
On the topic of PCI DSS, what is PAN?
Personal Account Number
What processes may be related to payment processing?
- Regular payment processing channels
- Payment cancellations and chargebacks
- Back-up and fail-over processes
- Reconciliation, periodic reporting
- Distribution and storage of paper reports and other physical media
- Legacy processes and data stores
- Onboarding processes for new personnel
What are some examples of supporting processes?
- Authorizations and approvals for system access
- Firewall review processes
- Change management
- Scheduling of security patch deployments
- System building and configuration
- Identifying and escorting visitors
- Performing log reviews
- Processes for reporting potential security incidents
- Security policy updates
What needs to be reviewed if a PAN is included in printed records?
The process for printing, collecting, transporting, storing, and destroying the reports will need to be reviewed.
What piece of evidence can identify the systems from which cardholder data may be printed, as well as identify where alternative processes may be initiated if the usual system or method is unavailable?
Data-flow diagrams
What are some examples of technologies that might be in scope for a PCI DSS assessment?
- Servers, application, networks, devices
- Physical security systems
- Logical security systems
- Payment terminals and point of sale systems
- Electronic communications
- Backups and disaster recovery “hot” sites
- Telecommunications
- POTS vs VoIP
- Management systems
- Remote access systems
What is the process of selecting a cross-section of a group that is representative of the entire group?
Sampling. Sampling may be used by assessors to reduce overall testing efforts, when it is validated that an entity has standard, centralized PCI DSS security and operational processes and controls in place. Sampling is not a PCI DSS requirement.
What are the 5 principles of sampling?
- The sample must be representative of the entire population
- Consider business facilities and system components
- Samples of system components must include all combinations
- Samples must be large enough to provide assurance that controls are implemented as expected
- Assessor’s sampling methodology documented in ROC
What are 4 things to include in pre-assessment planning?
- List of interviewees, system components, documentation, facilities
- Ensure assessor is familiar with technologies included in assessment
- Identify the roles and the individuals within each role to be interviewed as part of the assessment
- If sampling, verify the sample selection and size are representative of the entire population
What pre-assessment activities should an assessor consider when preparing for an assessment? Choose all that apply.
A) Consider size and complexity of the environment to be assessed
B) Ensure assessor(s) has competent knowledge of the technologies being assessed
C) Complete all ROC sections prior to commencement of the assessment
D) Identify types of system components and locations of facilities to be reviewed
A, B, and D.
What are the six main goals of PCI DSS?
Bob Protects Many Issues Regularly, Man
- Build and maintain a secure network and systems
- Protect cardholder data
- Maintain a vulnerability management program
- Implement strong access control measures
- Regularly monitor and test networks
- Maintain an information security policy
Which requirements satisfy goal 1 “Build and maintain a secure network and systems”?
Requirements 1 and 2
- Install and maintain a firewall configuration to protect cardholder data
- Do not use vendor-supplied defaults for system passwords and other security parameters