PCISSC.Assessor_New_V4.v2024-07-13.q29 Dumps

Question 1

An organization has implemented a change-detection mechanism on their systems. How often must critical file comparisons be performed?

Correct Answer: A
Explanation
PCI DSS Requirement 11.5 states that entities must deploy a change-detection mechanism (for example, file-integrity monitoring tools) to alert personnel to unauthorized modification of critical system files, configuration files, or content files; and configure the software to perform critical file comparisons at least weekly [1]. This is to ensure that any unauthorized or malicious changes to the files are detected and reported in a timely manner, and that the integrity and security of the files are maintained. Critical files are those that affect the security of the cardholder data environment (CDE), such as system files, application executables, configuration files, database files, and log files [2]. Therefore, the correct answer is option A.
The other options are not true regarding the frequency of critical file comparisons for a change-detection mechanism. Option B is not true because PCI DSS does not allow the entity to define the periodicity of the file comparisons, as it specifies a minimum frequency of at least weekly [1]. Option C is not true because PCI DSS does not limit the file comparisons to only after a valid change is installed, as it requires the file comparisons to be performed at least weekly regardless of the change status [1]. Option D is not true because PCI DSS does not allow the file comparisons to be performed at least monthly, as it requires a higher frequency of at least weekly [1].
References:
[1] PCI DSS v3.2.1
[2] File Integrity Monitoring Tools For PCI DSS

Question 2

An organization wishes to implement multi-factor authentication for remote access, using the user's individual password and a digital certificate. Which of the following scenarios would meet PCI DSS requirements for multi-factor authentication?

Correct Answer: D
Explanation
According to the PCI DSS v3.2.1 Quick Reference Guide [1], a different certificate is assigned to each individual user account, and certificates are not shared. This is one of the requirements for preventing unauthorized access to cardholder data using digital certificates.

Question 3

Security policies and operational procedures should be?

Correct Answer: D
Explanation
According to the PCI DSS v3.2.1 Quick Reference Guide [1], security policies and operational procedures should be distributed to and understood by all affected parties, such as management, staff, contractors, vendors, and service providers. This is one of the requirements for ensuring that security policies and operational procedures are communicated and followed consistently.

Question 4

If disk encryption is used to protect account data, what requirement should be met for the disk encryption solution?

Correct Answer: A
Explanation
When disk encryption is used to protect account data, access to the disk encryption must be managed independently of the operating system access control mechanisms, which means it should not be affected by changes in the operating system settings or permissions. This is one of the requirements for ensuring that disk encryption is secure and effective.

Question 5

What is the intent of classifying media that contains cardholder data?

Correct Answer: A
Explanation
Classifying media that contains cardholder data is intended to ensure that media is properly protected according to the sensitivity of the data it contains, which means it should be marked with labels or tags that indicate its level of confidentiality or integrity. This is one of the requirements for ensuring that media containing cardholder data is properly labeled.