PCI-DSS ISA exam

avatar
Created by
Patrick Forrest

Subdecks (6)

Cards (2203)

  • Perimeter firewalls installed ______________________________.
    between all wireless networks and the CHD environment.
  • Where should firewalls be installed?
    At each Internet connection and between any DMZ and the internal network.
  • Review of firewall and router rule sets at least every __________________.
    6 months
  • If disk encryption is used
    logical access must be managed separately and independently of native operating system authentication and access control mechanisms
  • Manual clear-text key-management procedures specify processes for the use of the following:
    Split knowledge AND Dual control of keys
  • What is considered "Sensitive Authentication Data"?
    Card verification value
  • When a PAN is displayed to an employee who does NOT need to see the full PAN, the minimum digits to be masked are: All digits between the ___________ and the __________.
    first 6; last 4
  • Regarding protection of PAN...
    PAN must be rendered unreadable during the transmission over public and wireless networks.
  • Under requirement 3.4, what method must be used to render the PAN unreadable?
    Hashing the entire PAN using strong cryptography
  • Weak security controls that should NOT be used
    WEP, SSL, and TLS 1.0 or earlier
  • Per requirement 5, anti-virus technology must be deployed_________________
    on all system components commonly affected by malicious software.
  • Key functions for anti-vius program per Requirement 5:
    1) Detect
    2) Remove
    3) Protect
  • Anti-virus solutions may be temporarily disabled only if

    there is legitimate technical need, as authorized by management on a case-by-case basis
  • When to install "critical" applicable vendor-supplied security patches? ---> within _________ of release.
    1 month
  • When to install applicable vendor-supplied security patches?
    within an appropriate time frame (for example, within three months).
  • When assessing requirement 6.5, testing to verify secure coding techniques are in place to address common coding vulnerabilities includes:
    Reviewing software development policies and procedures
  • Requirements 7 restricted access controls by:
    Need-to-know and least privilege
  • Inactive accounts over _____________days need to be removed or disabled.
    90 days
  • To verify user access termination policy, an ISA need to select a sample of user terminated in the past _______________ months, and review current user access lists—for both local and remote access—to verify that their IDs have been deactivated or removed from the access lists.
    6 months
  • How many logon attempts should be allowed until resulting temporarily account locked-out?
    6 attempts
  • Once user account is locked-out, it will remain locked for a minimum of ________________________ or until a system administrator resets the account.
    30 minutes
  • System/session idle time out must be set to_________ minutes or less.
    15 minutes
  • What are the methods to authenticate users?
    - "Something you know", such as a password or passphrase
    - "Something you have", such as a token device or smart card, or
    - "Something you are", such as a biometric.
  • Where passwords or pass-phrases are used, they must be at least _______ characters long and contain both numeric and alphabetic characters.
    7
  • Passwords must be changed at least once every__________________.
    90 days
  • Password history must also be in place to ensure that users' ________ previous passwords can't be re-used.
    4
  • An example of a "one-way" cryptographic function used to render data unreadable is:

    SHA-2
  • Data from video cameras and/or access control mechanisms is reviewed, and that data is stored for at least ________________.
    3 months
  • The visitor logs must contain the relevant information and be retained for at least_________________.
    3 months
  • Verify that the storage location security is reviewed at least ____________________ to confirm that backup media storage is secure.
    annually
  • Review media inventory logs to verify that logs are maintained and media inventories are performed at least______________.
    annually
  • Using time-synchronization technology, synchronize all critical system clocks and times and ensure that the following is implemented for:
    acquiring, distributing, and storing time
  • All security events and logs of (a) all system components that store, process, or transmit CHD; (b) critical system components; (c) components that perform security functions (for example, firewalls, intrusion-detection systems/intrusion-prevention systems (IDS/IPS), authentication servers, e-commerce redirection servers, etc.) to be reviewed at least ______________.
    daily
  • Audit logs must be immediately available for analysis for a period of ________ and must be retained for a period of _________.
    3 months; 1 year
  • Detection and identification of authorized and unauthorized wireless access points must occur _________________.
    quarterly
  • Run internal and external network vulnerability scans at least ____________________ and after any significant change in the network
    quarterly
  • "External" vulnerability scans must be run by ____________ and perform ________________.
    an ASV; quarterly
  • For external scans, no vulnerabilities exist that are scored _____________ by the CVSS.
    4.0 or higher
  • Penetration testing for "Service Provider" in which targeting segmentation controls must be perform every __________________.
    6 months
  • FIM tools must be configured to perform critical file comparisons check at least_______________,
    weekly