ISA-N_Retake PCI Internal Security Assessor RetakeExam Questions and Answers

According to the PCI DSS v3.2.1 Quick Reference Guide 1 , assigning a unique ID to each person is intended to ensure individual users are accountable for their own actions, rather than shared accounts or group accounts based on need-to-know. This is one of the requirements for ensuring that user accounts are properly managed and controlled.

According to requirement 3.1.2, multi-tenant service providers must ensure that customers cannot access another entity’s cardholder data environment, which means they should isolate each customer’s cardholder data from other customers’ cardholder data and prevent unauthorized access or disclosure. This is one of the requirements for ensuring that multi-tenant service providers protect each customer’s cardholder data.

critical systems must have correct and consistent time, which means they should use a reliable time source and synchronize their clocks with other systems. This is one of the requirements for ensuring that critical systems have accurate time.

According to the PCI DSS v3.2.1 Quick Reference Guide 1 , active network connections are tracked so that invalid response traffic can be identified. This is one of the requirements for preventing replay attacks and ensuring secure communication.

  One of the best practices for hardening a firewall is to disable any firewall functions that are not needed in production, such as unused services, ports, protocols, or features. This reduces the attack surface and minimizes the potential for exploitation. According to the PCI Card Production Logical Security Requirements, section 3.2.1, “The firewall must be configured to deny all traffic by default and allow only traffic that is explicitly required for the card production environment.” Furthermore, section 3.2.2 states, “The firewall must be configured to block all unnecessary services, ports, protocols, and IP addresses.”  References :  PCI Card Production Logical Security Requirements ,  Card Production Security Assessor - Logical - Credly

The customized approach is a new option in PCI DSS v4.0 that allows entities to use alternate security controls or new technologies that meet the PCI DSS Customized Approach Objective for a requirement 1 .  The customized approach requires the entity to complete and document a Controls Matrix and a Targeted Risk Analysis (TRA) for each customized control, and to provide this documentation to the assessor 2 .  The assessor’s role is to review the documentation, assess the customized control, and verify that the customized approach was correctly followed 3 .  The assessor must also document the assessment of the customized control in the Report on Compliance (ROC), using the ROC Template provided by PCI SSC 4 . Therefore, the correct answer is option B.

The other options are not true regarding the role of the assessor in the customized approach.  Option A is not true because the assessor does not need another assessor to verify the TRA, as the assessor is responsible for reviewing and validating the TRA as part of the assessment process 3 .  Option C is not true because the assessor can and must assess the control and the documentation, as well as document the work on the customized control in the ROC 3 4 .  Option D is not true because the assessor is allowed to assist the entity with the completion of the Controls Matrix or the TRA, as long as the assessor does not design, develop, or implement the customized control for the entity 5 .  References :

PCI DSS v4.0: Is the Customized Approach Right For Your Organization?

PCI DSS v4.0: Roles and Responsibilities for the Customized Approach

PCI DSS v4.0 Report on Compliance Template

PCI DSS v4.0

PCI DSS v4.0: Customized Approach Explained

According to the PCI DSS v3.2.1 Quick Reference Guide 1 , business facilities and system components can be sampled for testing during a PCI DSS assessment, as long as they are not critical components or components that are not in scope for testing. This is one of the requirements for ensuring that testing covers all relevant components and processes.

An LDAP server is a type of directory service that provides authentication and authorization data to the cardholder data environment (CDE) 1 .  According to the PCI DSS scoping and segmentation guidance 2 , any system that provides a security service to the CDE, such as authentication, is considered a connected or security-impacting system (Category 2) and is in scope for PCI DSS. This is because such systems can affect the security and controls of the CDE and the cardholder data (CHD) or sensitive authentication data (SAD) that it contains. Therefore, an LDAP server providing authentication services to the CDE is in scope for PCI DSS, regardless of whether it stores, processes, or transmits CHD or SAD, or whether it provides authentication services to systems in the DMZ or not.  References :

Guidance for PCI DSS Scoping and Network Segmentation

What Are the Effects of Using Active Directory as a Shared Service on PCI Compliance?

The Ultimate Guide To PCI DSS Scoping and Segmentation

LDAP - PCI Security Standards Council

According to the PCI DSS v3.2.1 Quick Reference Guide 1 , track equivalent data on the chip of a payment card is sensitive authentication data, which means it can be used to authenticate a cardholder or a transaction, but it should not be stored or transmitted by merchants after authorization if encrypted. This is one of the requirements for preventing unauthorized access to sensitive authentication data.

According to the PCI DSS v3.2.1 Quick Reference Guide 1 , the assessor must derive testing procedures and document them in Appendix E of the ROC. This is one of the requirements for ensuring that testing procedures are defined and documented.

when disk encryption is used to protect account data, access to the disk encryption must be managed independently of the operating system access control mechanisms, which means it should not be affected by changes in the operating system settings or permissions. This is one of the requirements for ensuring that disk encryption is secure and effective.

Segmentation is a method of isolating system components that store, process, or transmit cardholder data from systems that do not, by using security controls such as firewalls, routers, switches, or other devices 1 .  Segmentation can reduce the scope of the cardholder data environment (CDE) and thus reduce the scope of the PCI DSS assessment, as only the systems and networks within the CDE or connected to the CDE are subject to PCI DSS requirements 2 .  Virtual LANs (VLANs) are one example of such a security control, as they can create logical subnetworks that separate different types of traffic and restrict access between them 3 . Therefore, the correct answer is option C.

The other options are not true regarding the scenario that describes segmentation of the cardholder data environment (CDE) for the purposes of reducing PCI DSS scope. Option A is not true because routers that monitor network traffic flows between the CDE and out-of-scope networks are not sufficient to isolate the CDE, as they do not prevent or limit the traffic flows. Option B is not true because firewalls that log all network traffic flows between the CDE and out-of-scope networks are not sufficient to isolate the CDE, as they do not block or filter the traffic flows. Option D is not true because a network configuration that prevents all network traffic between the CDE and out-of-scope networks is not realistic or feasible, as some traffic may be necessary for business or legal reasons, such as payment processing, reporting, or auditing.  References :

Network Segmentation - PCI Security Standards Council

Guidance for PCI DSS Scoping and Network Segmentation

VLANs and PCI Compliance: What You Need to Know

According to the PCI DSS v3.2.1 Quick Reference Guide 1 , pre-production environments that are located within the cardholder data environment can be used for testing, as long as they are not accessible from untrusted networks and are monitored for any changes or vulnerabilities. This is one of the requirements for ensuring that testing environments are isolated from production environments.

PCI DSS Requirement 12.10.1 requires entities to implement an incident response plan that includes roles, responsibilities, and communication and contact strategies for a data security incident, including notification of relevant payment brands 1 .  This is important because each payment card brand has its own policies and procedures for dealing with a security breach, and failing to follow them or meet reporting deadlines could result in fines or loss of authority to process payment card transactions 2 .  Therefore, an incident response plan must include procedures for notifying PCI SSC of the security incident, as well as any other entities that may require notification, whether by contract or law 1 .  References :

Guidance for PCI DSS Scoping and Network Segmentation

Responding to a Cardholder Data Breach