Free Qualified Security Assessor V4 Exam QSA_New_V4 Exam Practice Test

What must be included in an organization's procedures for managing visitors?

• Visitors are escorted at all times within areas where cardholder data is processed or maintained.
• Visitor badges are identical to badges used by onsite personnel.
• Visitor log includes visitor name, address, and contact phone number.
• Visitors retain their identification (for example, a visitor badge) for 30 days after completion of the visit.

Security policies and operational procedures should be?

• Encrypted with strong cryptography.
• Stored securely so that only management has access.
• Reviewed and updated at least quarterly.
• Distributed to and understood by ail affected parties.

Which of the following is true regarding compensating controls?

• A compensating control is not necessary if all other PCI DSS requirements are in place.
• A compensating control must address the risk associated with not adhering to the PCI DSS requirement.
• An existing PCI DSS requirement can be used as compensating control if it is already implemented.
• A compensating control worksheet is not required if the acquirer approves the compensating control.

Which statement is true regarding the use of intrusion detection techniques, such as intrusion detection systems and/or Intrusion protection systems (IDS/IPS)?

• Intrusion detection techniques are required on all system components.
• Intrusion detection techniques are required to alert personnel of suspected compromises.
• Intrusion detection techniques are required to isolate systems in the cardholder data environment from all other systems
• Intrusion detection techniques are required to identify all instances of cardholder data.

Viewing of audit log files should be limited to?

• Individuals who performed the logged activity.
• Individuals with read/write access.
• Individuals with administrator privileges.
• Individuals with a job-related need.

Where an entity under assessment is using the customized approach, which of the following steps is the responsibility of the assessor?

• Monitor the control.
• Derive testing procedures and document them in Appendix E of the ROC.
• Document and maintain evidence about each customized control as defined in Appendix E of PCI DSS.
• Perform the targeted risk analysis as per PCI DSS requirement 12.3.2.

A network firewall has been configured with the latest vendor security patches. What additional configuration Is needed to harden the firewall?

• Remove the default "Firewall Administrator account and create a shared account for firewall administrators to use.
• Configure the firewall to permit all traffic until additional rules are defined.
• Synchronize the firewall rules with the other firewalls in the environment.
• Disable any firewall functions that are not needed in production.

Which of the following is true regarding internal vulnerability scans?

• They must be performed after a significant change.
• They must be performed by an Approved Scanning Vendor (ASV).
• They must be performed by QSA personnel.
• They must be performed at least annually.

Which scenario meets PCI DSS requirements for restricting access to databases containing cardholder data?

• User access to the database Is only through programmatic methods.
• User access to the database Is restricted to system and network administrators.
• Application IDs for database applications can only be used by database administrators.
• Direct queries to the database are restricted to shared database administrator accounts.

What is the intent of classifying media that contains cardholder data?

• Ensuring that media is properly protected according to the sensitivity of the data it contains.
• Ensuring that media containing cardholder data Is moved from secured areas an a quarterly basis.
• Ensuring that media is clearly and visibly labeled as "Confidential" so all personnel know that the media contains cardholder data.
• Ensuring that all media is consistently destroyed on the same schedule, regardless of the contents.