PCI ISA Training 2024/25 Questions and Answers, Exams of Computer Security


Typology: Exams

2023/2024

Available from 11/20/2024

tizian-kylan
PCI ISA Training 2024/25 Questions and Answers

  1. Systems Providing Security Services: Systems providing security services as required by PCI DSS, or that may be contributing to how an entity meets PCI DSS requirements, may include:
  • Authentication servers (e.g. LDAP)
  • Time management (e.g. NTP) servers
  • Patch deployment servers
  • Audit log storage and correlation servers
  • Anti-virus management servers
  • Routers and firewalls filtering network traffic
  • Systems performing cryptographic and/or key management functions
  • Systems controlling and/or monitoring physical access
  2. PCI DSS scope includes:
  • People
  • Processes
  • Technology
  3. Scoping: People: Examples of roles that may be included in scope of assessment:
  • Cashiers and sales clerks
  • Back-office clerks
  • Call center operators
  • Systems and network administrators
  • IT support personnel
  • Application developers
  • Key custodians
  • Human resources
  • Information security officers
  • Physical security officers
  • Customer support
  • Accounting/finance personnel
  • Supervisors/managers for each area
  • Senior management and executives
  4. Scoping: Processes: Examples of processes related to payment processing:
  • Regular payment processing channels
  • Telecommunications: POTS vs. VoIP
  • Management systems
  • Remote access systems
  5. Sampling: Sampling is an option for assessors to facilitate the assessment process.
  • Sampling is NOT used to implement PCI DSS requirements or to select requirements to be assessed.
  Principles of sampling:
  • Sample must be representative of the entire population
  • Consider business facilities and system components
  • Samples of system components must include all combinations
  • Samples must be large enough to provide assurance that controls are implemented as expected
  • Assessor's sampling methodology documented in ROC
  6. Planning for the Assessment: Pre-assessment planning may include:
  • List of interviewees, system components, documentation, facilities
  • Ensure assessor is familiar with technologies included in assessment
  • If sampling, verify sample selection and size is representative of the entire population
  • Identify the roles and the individuals within each role to be interviewed as part of the assessment
  7. Sampling Scenario: What to consider?
  • What are the different OS/database combinations at each facility?
  • Is each OS/database combination used for the same purpose?
  • Is each OS/database combination configured the same way?
  • If they are configured the same way, how is this verified?
  • Do the different locations follow one single set of operational and security procedures, or do they each have their own?
  • If they follow the same procedures, how is this verified?
  • Which facilities/components were reviewed in the previous assessment?
  Sampling is not just about technology.
  8. Assessment Time and Duration: Allow enough time to perform the assessment
  • Size and complexity of environment

  • Do providers have an impact on how the entity meets PCI DSS requirements?
  • Do providers have access to the CDE?
  • Identify scope of service
  • Identify applicable requirements
  • Review evidence to determine if requirements are met
  11. What pre-assessment activities should an assessor consider when preparing for an assessment? (choose all that apply):
  12. PCI DSS Format: The following defines the column headings for the PCI DSS Requirements and Security Assessment Procedures:
  • PCI DSS Requirements - This column defines the Data Security Standard requirements; PCI DSS compliance is validated against these requirements.
  • Testing Procedures - This column shows processes to be followed by the assessor to validate that the PCI DSS requirements have been met and are "in place".
  • Guidance - This column describes the intent or security objective behind each of the PCI DSS requirements. This column contains guidance only, and is intended to assist understanding of the intent of each requirement. The guidance in this column does not replace or extend the PCI DSS Requirements and Testing Procedures.
  13. Requirement 1 - Assessor Recommendations: Typical Documentation Used:
  • Firewall and router configuration standards
  • Firewall and router change control process and change records
  • Network diagrams
  • Data flow diagrams
  • Documented roles and responsibilities
  • Firewall/Router rule sets
  • Records of firewall reviews
  • Vulnerability scans and penetration test results
  • Firewall/router vendor documentation
  • Information security policy and operational procedures
  • Configuration standards for remote computers
  Typical testing activities for Requirement 1:
  • Review of firewall/router configuration standards, rule sets, network diagrams, and

  Typical Testing Activities for Requirement 2:
  • Select samples of network devices, systems, and wireless access points and attempt (or observe attempts) to authenticate to the devices with default passwords.
  • Select samples of wireless components and confirm all default configurations have been changed and devices are configured to enforce strong encryption for authentication and transmission.
  • Review configuration standards for all in-scope network devices, operating systems, databases, Web servers and other system components.
  • Validate the documented standards are consistent with industry-accepted best practices.
  • Select samples of system components and validate the configuration standards are applied.
  • Review internal and external vulnerability scans to ensure results match with enabled services and protocols and there are no "unknown" services or ports detected.
  • Observe non-console logon processes to verify that strong encryption is in place for all authentication attempts.
  15. Requirement 3 - Assessor Recommendations: Typical Documentation to Assess Requirement 3:
  • Information security policy
  • Data retention policy
  • Data disposal policy
  • Inventory of all locations and displays of cardholder data
  • Samples of all types of printed displays including receipts, if applicable
  • Process for identifying and securely deleting stored cardholder data
  • Vendor manuals and system configuration documentation
  • Output of database tables, t-logs, trace files, debug files, flat files, etc.
  • Evidence of the strength of encryption algorithms used
  • Storage locations for encryption and decryption keys
  • User access lists for cryptographic keys
  • Documented key management procedures
  • Sample of forms signed by key custodians
  Typical testing activities for Requirement 3:
  • Review policies and procedures and confirm they cover all requirements
  • Review data flows and system configurations to identify all locations where cardholder data is stored, processed, or transmitted
  • Review a sample of CHD locations and confirm CHD storage is within the data

  • System configuration standards for wireless access points
  • Information Security Policies and operational procedures
  • End-User Messaging Policies
  Typical Testing Activities for Requirement 4:
  • Validate strong encryption is used
  • Confirm the implementation of strong encryption protocols by reviewing system configuration and certificates
  • Observe transmissions as they occur, and validate using a sniffing tool or other testing that all packets transmitted over untrusted networks are encrypted
  • Review system configurations to verify that:
    • Only trusted keys and/or certificates are accepted
    • The protocol implementation does not support insecure versions or configurations
  • Identify encryption strength used
  • Review wireless access point configuration(s) to verify industry best practices are used to secure wireless authentication and transmission
  • Interview personnel and observe system configurations and outbound transmissions to confirm policies for sending PAN data via end-user messaging technologies are implemented
  17. Case Study - Lolcat Direct: RBTODO: Study Case Study
  18. Requirement 6 - Assessor Recommendations: Typical Documentation to Assess Requirement 6:
  • Patch management procedures
  • System inventory
  • Vulnerability alerting procedures
  • Vendor vulnerability lists
  • Software development policy and procedures
  • Test/Development Processes and Procedures
  • Change Control Documentation, policies and procedures
  • Sample of change requests
  • Test/Development access control lists
  • Database output from test/development systems
  • Current Network Diagram
  • Secure coding procedures
  • Evidence of secure code training
  • Either web application vulnerability assessment results, or web application firewall (or other technology) configurations
  Typical testing activities for Requirement 6:

  Typical testing activities for Requirement 7:
  • Review new user requests (paper or electronic)
  • Interview system administrators and users with access to systems and/or CHD
  • Confirm administration rights are required for users with such privilege
  • Confirm authorization forms or electronic processes are signed/approved by management
  • Ensure systems are configured and operating in accordance with documented access controls
  20. Requirement 8 - Assessor Recommendations: Typical Documentation to Assess Requirement 8:
  • Access control and password policies
  • Access control processes and procedures
  • Procedures for issuing and resetting passwords and other authentication mechanisms
  • System configuration standards
  • Vendor documentation
  • User access lists from all in-scope network devices, systems, and applications
  • User access lists from all systems, applications, and databases with access to cardholder data
  Typical Measures to Test and Assess Requirement 8:
  • Review a sample of systems and confirm all passwords are unreadable during transmission and storage
  • Observe remote login process and verify all remote access to in-scope networks requires use of multi-factor authentication
  • Through interviews and a review of sample systems, ensure all password settings are configured correctly
  • Examine systems and/or screen shots as evidence of strong authentication
  • Compare user access lists on system components to authorization forms
  • Observe processes for granting access, changing passwords, etc.
  • Identify terminated user accounts and verify accounts disabled
  • Identify and observe use of vendor accounts
  21. An example of a "one-way" cryptographic function used to render data unreadable is:
  22. Inactive user accounts should be either removed or disabled within:
  • List of card-reading devices at point-of-sale locations
  • Training materials for personnel at point-of-sale locations
  Typical testing activities for Requirement 9:
  • Visually verify physical security controls for locations where cardholder data is stored, transmitted or processed
  • Observe retention of access and monitoring device records
  • Through interview and observation, verify all media storage and distribution is done in a secure manner and according to requirements
  • Observe locations and access to physical network ports in public areas
  • Observe the use of visitor ID badges to verify that a visitor ID badge does not permit unescorted access to physical areas that store cardholder data
  • Onsite observation of visitors; completion of visitor log, use and return of badges
  • Review visitor logs and verify retention
  • Review latest media inventory and confirm that it is less than a year old and covers all media containing CHD including paper, CDs, disk drives, etc.
  • Observe secure destruction methods used for physical and electronic media
  • Examine devices to verify an up-to-date list of devices for Requirement 9.9 is maintained
  • Interview personnel to verify that devices are periodically inspected and personnel are aware of procedures for handling devices and reporting suspicious activity
  24. Requirement 10 - Assessor Recommendations: Typical Documentation to Assess Requirement 10:
  • Information security policy
  • Audit logging procedures
  • Logs from a sample of applications, databases, systems, and network devices
  • Network time synchronization procedures
  • System configuration standards
  • Audit log retention policy
  • Audit log review procedures and follow-up activities
  Typical Measures to Test and Assess Requirement 10:
  • Observe system configurations to verify audit logs are enabled
  • Interview system administrators and observe system configurations and actual log files to identify what events are logged and the details recorded for each event
  • Review user access lists to audit logs - verify all access is justified
  • Observe system configurations and log files to verify logs are sent to a secured, centralized log server
  • Review log server settings to verify logs cannot be altered