Online Questions - Valid Practice To your Assessor_New_V4 Exam (Updated 62 Questions) [Q24-Q42]

QUESTION 24
Viewing of audit log files should be limited to?

Individuals who performed the logged activity

Individuals with read/write access

Individuals with administrator privileges

Individuals with a job-related need

QUESTION 25
What is the intent of classifying media that contains cardholder data?

Ensuring that media is property protected according to the sensitivity of the data it contains

Ensuring that media containing cardholder data is moved from secured areas an a quarterly basis

Ensuring that media is clearly and visibly labeled as ‘Confidential so all personnel know that the media contains cardholder data

Ensuring that all media is consistently destroyed on the same schedule regardless of the contents

QUESTION 26
Which scenario meets PCI DSS requirements for restricting access to databases containing cardholder data?

User access to the database is only through programmatic methods

User access to the database is restricted to system and network administrators

Application IDs for database applications can only be used by database administrators

Direct queries to the database are restricted to shared database administrator accounts

QUESTION 27
What would be an appropriate strength for the key-encrypting key (KEK) used to protect an AES 128 bit data-encrypting key (DEK)

DES256

RSA512

AES 128

ROT 13

QUESTION 28
What does the PCI PTS standard cover?

Point-of-interaction devices used to protect account data

Secure coding practices for commercial payment applications.

Development of strong cryptographic algorithms

End-to-end encryption solutions for transmission of account data

QUESTION 29
Which of the following can be sampled for testing during a PCI DSS assessment?

PCI DSS requirements and testing procedures.

Compensating controls

Business facilities and system components

Security policies and procedures

QUESTION 30
Which of the following file types must be monitored by a change-detection mechanism (for example, a file-integrity monitoring tool)?

Application vendor manuals

Files that regularly change

Security policy and procedure documents

System configuration and parameter files

QUESTION 31
Which of the following parties is responsible for completion of the Controls Matrix to* the Customized Approach?

Only a Qualified Security Assessor (QSA)

EitheraQSA,AQSA,orPClP.

Entity being assessed

Card brands or acquirer

QUESTION 32
Which of the following is required to be included in an incident response plan?

Procedures for notifying PCI SSC of the security incident

Procedures for responding to the detection of unauthorized wireless access points

Procedures for securely deleting incident response records immediately upon resolution of the incident

Procedures forlaunching a reverse-attack on the individual(s) responsible for the security incident

QUESTION 33
H an entity shares cardholder data with a TPSP, what activity is the entity required to perform’?

The entity must conduct ASV scans on the TPSP’s systems at least annually

The entity must perform a risk assessment of the TPSP’s environment at least quarterly.

The entity must test the TPSP’s incident response plan at least quarterly

The entity must monitor the TPSP’s PCI DSS compliance status at least annually

QUESTION 34
Which of the following is true regarding compensating controls?

A compensating control is not necessary if all other PCI DSS requirements are in place

A compensating control must address the risk associated with not adhering to the PCI DSS requirement

An existing PCI DSS requirement can be used as compensating control if it is already implemented

A compensating control worksheet is not required if the acquirer approves the compensating control

QUESTION 35
an entity under assessment is using the customized approach, which of the following steps is the responsibility of the assessor?

Monitor the control.

Derive testing procedures and document them in Appendix E of the ROC.

Document and maintain evidence about each customized control as defined in Appendix E of PCI DSS

Perform the targeted risk analysis as per PCI DSS requirement 12.3.2

QUESTION 36
A retail merchant has a server room containing systems that store encrypted PAN data. The merchant has implemented a badge access-control system that identities who entered and exited the room onwhat date and at what time There are no video cameras located in the server room Based on this information, which statement is true regarding PCI DSS physical security requirements?

The badge access-control system must be protected from tampering or disabling

The merchant must install video cameras in addition to the existing access-control system

Data from the access-control system must be securely deleted on a monthly basis

The merchant must install motion-sensing alarms in addition to the existing access-control system

QUESTION 37
Which of the following meets the definition of ‘quarterly’ as indicated in the description of timeframes used in PCI DSS requirements?

Occurring at some point in each quarter of a year

At least once every 95 97 days.

On the 15th of each third month

On the 1st of each fourth month

QUESTION 38
According torequirement 1,what is the purpose of “Network Security Controls?

Manage anti-malware throughout the CDE.

Control network traffic between two or more logical or physical network segments.

Discover vulnerabilities and rank them

Encrypt PAN when stored

QUESTION 39
Could an entity use both the Customized Approach and the Defined Approach to meet the same requirement?

No because a single approach must be selected

No. because only compensating controls can be used with the Defined Approach

Yes if the entity uses no compensating controls

Yes if the entity is eligible to use both approaches

QUESTION 40
An entity wants to know if the Software Security Framework can be leveraged during their assessment Which of the following software types would this apply to?

Any payment software in the CDE

Only software which runs on PCI PTS devices

Validated Payment Applications that are listed by PCI SSC and have undergone a PA-DSS assessment

Software developed by the entity in accordance with the Secure SLC Standard

QUESTION 41
What would be an appropriate strength for the key-encrypting key (KEK) used to protect an AES 128-bit data-encrypting key (DEK)

DES256

RSA512

AES 128

ROT 13

QUESTION 42
The intent of assigning a risk ranking to vulnerabilities is to?

Ensure all vulnerabilities are addressed within 30 days

Replace the need toquarterly ASV scans

Prioritize the highest risk items so they can be addressed more quickly

Ensure that critical security patches are installed at least quarterly

Online Questions – Valid Practice To your Assessor_New_V4 Exam (Updated 62 Questions) [Q24-Q42]

Online Questions – Valid Practice To your Assessor_New_V4 Exam (Updated 62 Questions) [Q24-Q42]

TrainingDump

Leave a Reply
Cancel reply

Leave a Reply

Online Questions – Valid Practice To your Assessor_New_V4 Exam (Updated 62 Questions) [Q24-Q42]

TrainingDump

Leave a Reply Cancel reply

Leave a Reply

Leave a Reply
Cancel reply