Special Summer Sale Discount Flat 70% Offer - Ends in 0d 00h 00m 00s - Coupon code: 70diswrap

PCI SSC QSA_New_V4 Dumps

Page: 1 / 8
Total 75 questions

Qualified Security Assessor V4 Exam Questions and Answers

Question 1

Which of the following describes "stateful responses" to communication Initiated by a trusted network?

Options:

A.

Administrative access to respond to requests to change the firewall Is limited to one individual at a time.

B.

Active network connections are tracked so that invalid "response" traffic can be identified.

C.

A current baseline of application configurations is maintained and any mis-configuration is responded to promptly.

D.

Logs of user activity on the firewall are correlated to identify and respond to suspicious behavior.

Question 2

Passwords for default accounts and default administrative accounts should be?

Options:

A.

Changed within 30 days after installing a system on the network.

B.

Reset to the default password before installing a system on the network.

C.

Changed before installing a system on the network.

D.

Configured to expire in 30 days.

Question 3

Which scenario meets PCI DSS requirements for critical systems to have correct and consistent time?

Options:

A.

Each internal system is configured to be its own time server.

B.

Access to time configuration settings is available to all users of the system.

C.

Central time servers receive time signals from specific, approved external sources.

D.

Each internal system peers directly with an external source to ensure accuracy of time updates.

Question 4

Security policies and operational procedures should be?

Options:

A.

Encrypted with strong cryptography.

B.

Stored securely so that only management has access.

C.

Reviewed and updated at least quarterly.

D.

Distributed to and understood by ail affected parties.

Question 5

What do PCI DSS requirements for protecting cryptographic keys include?

Options:

A.

Public keys must be encrypted with a key-encrypting key.

B.

Data-encrypting keys must be stronger than the key-encrypting key that protects it.

C.

Private or secret keys must be encrypted, stored within an SCD, or stored as key components.

D.

Key-encrypting keys and data-encrypting keys must be assigned to the same key custodian.

Question 6

Which of the following is required to be included in an incident response plan?

Options:

A.

Procedures for notifying PCI SSC of the security incident.

B.

Procedures for responding to the detection of unauthorized wireless access points.

C.

Procedures for securely deleting incident response records immediately upon resolution of the incident.

D.

Procedures for launching a reverse-attack on the individual(s) responsible for the security incident.

Question 7

Which statement about PAN is true?

Options:

A.

It must be protected with strong cryptography for transmission over private wireless networks.

B.

It must be protected with strong cryptography for transmission over private wired networks.

C.

It does not require protection for transmission over public wireless networks.

D.

It does not require protection for transmission over public wired networks.

Question 8

What is the intent of classifying media that contains cardholder data?

Options:

A.

Ensuring that media is properly protected according to the sensitivity of the data it contains.

B.

Ensuring that media containing cardholder data is moved from secured areas on a quarterly basis.

C.

Ensuring that media is clearly and visibly labeled as "Confidential” so all personnel know that the media contains cardholder data.

D.

Ensuring that all media is consistently destroyed on the same schedule, regardless of the contents.

Question 9

An organization wishes to implement multi-factor authentication for remote access, using the user's individual password and a digital certificate. Which of the following scenarios would meet PCI DSS requirements for multi-factor authentication?

Options:

A.

Certificates are assigned only to administrative groups, and not to regular users.

B.

A different certificate is assigned to each individual user account, and certificates are not shared.

C.

Certificates are logged so they can be retrieved when the employee leaves the company.

D.

Change control processes are in place to ensure certificates are changed every 90 days.

Question 10

An internal NTP server that provides time services to the Cardholder Data Environment is?

Options:

A.

Only in scope if it provides time services to database servers.

B.

Not in scope for PCI DSS.

C.

Only in scope if it stores, processes or transmits cardholder data.

D.

In scope for PCI DSS.

Question 11

Which statement is true regarding the PCI DSS Report on Compliance (ROC)?

Options:

A.

The ROC Reporting Template and instructions provided by PCI SSC should be used for all ROCs.

B.

The assessor may use either their own template or the ROC Reporting Template provided by PCI SSC.

C.

The assessor must create their own ROC template for each assessment report.

D.

The ROC Reporting Template provided by PCI SSC is only required for service provider assessments.

Question 12

Where an entity under assessment is using the customized approach, which of the following steps is the responsibility of the assessor?

Options:

A.

Monitor the control.

B.

Derive testing procedures and document them in Appendix E of the ROC.

C.

Document and maintain evidence about each customized control as defined in Appendix E of PCI DSS.

D.

Perform the targeted risk analysis as per PCI DSS requirement 12.3.2.

Question 13

If disk encryption is used to protect account data, what requirement should be met for the disk encryption solution?

Options:

A.

Access to the disk encryption must be managed independently of the operating system access control mechanisms.

B.

The disk encryption system must use the same user account authenticator as the operating system.

C.

The decryption keys must be associated with the local user account database.

D.

The decryption keys must be stored within the local user account database.

Question 14

In the ROC Reporting Template, which of the following Is the best approach for a response where the requirement was "In Place’?

Options:

A.

Details of the entity's project plan for implementing the requirement.

B.

Details of how the assessor observed the entity's systems were compliant with the requirement.

C.

Details of the entity's reason for not implementing the requirement

D.

Details of how the assessor observed the entity's systems were not compliant with the requirement

Question 15

Where can live PANs be used for testing?

Options:

A.

Production (live) environments only.

B.

Pre-production (test) environments only if located outside the CDE.

C.

Pre-production environments that are located within the CDE.

D.

Testing with live PANs must only be performed in the QSA Company environment.

Question 16

Which of the following parties is responsible for completion of the Controls Matrix for the Customized Approach?

Options:

A.

Only a Qualified Security Assessor (QSA).

B.

Either a QSA, AQSA, or PCIP.

C.

Entity being assessed.

D.

Card brands or acquirer.

Question 17

Which statement is true regarding the use of intrusion detection techniques, such as intrusion detection systems and/or intrusion protection systems (IDS/IPS)?

Options:

A.

Intrusion detection techniques are required on all system components.

B.

Intrusion detection techniques are required to alert personnel of suspected compromises.

C.

Intrusion detection techniques are required to isolate systems in the cardholder data environment from all other systems.

D.

Intrusion detection techniques are required to identify all instances of cardholder data.

Question 18

Which systems must have anti-malware solutions?

Options:

A.

All CDE systems, connected systems, NSCs, and security-providing systems.

B.

All portable electronic storage.

C.

All systems that store PAN.

D.

Any in-scope system except for those identified as ‘not at risk’ from malware.

Question 19

What must be included in an organization's procedures for managing visitors?

Options:

A.

Visitors are escorted at all times within areas where cardholder data is processed or maintained.

B.

Visitor badges are identical to badges used by onsite personnel.

C.

Visitor log includes visitor name, address, and contact phone number.

D.

Visitors retain their identification (for example, a visitor badge) for 30 days after completion of the visit.

Question 20

Which statement about PAN is true?

Options:

A.

It must be protected with strong cryptography for transmission over private wireless networks.

B.

It must be protected with strong cryptography tor transmission over private wired networks.

C.

It does not require protection for transmission over public wireless networks.

D.

It does not require protection for transmission over public wired networks.

Question 21

Which systems must have anti-malware solutions?

Options:

A.

All CDE systems, connected systems. NSCs, and security-providing systems.

B.

All portable electronic storage.

C.

All systems that store PAN.

D.

Any in-scope system except for those identified as 'not at risk' from malware.

Question 22

What is the intent of classifying media that contains cardholder data?

Options:

A.

Ensuring that media is properly protected according to the sensitivity of the data it contains.

B.

Ensuring that media containing cardholder data Is moved from secured areas an a quarterly basis.

C.

Ensuring that media is clearly and visibly labeled as "Confidential" so all personnel know that the media contains cardholder data.

D.

Ensuring that all media is consistently destroyed on the same schedule, regardless of the contents.

Page: 1 / 8
Total 75 questions