Assessor_New_V4 Exam Dumps : Assessor_New_V4 Exam

PCI DSS Requirement 11.5 states that entities must deploy a change-detection mechanism (for example, file-integrity monitoring tools) to alert personnel to unauthorized modification of critical system files, configuration files, or content files; and configure the software to perform critical file comparisons at least weekly1. This is to ensure that any unauthorized or malicious changes to the files are detected and reported in a timely manner, and that the integrity and security of the files are maintained. Critical files are those that affect the security of the cardholder data environment (CDE), such as system files, application executables, configuration files, database files, and log files2. Therefore, the correct answer is option A.

The other options are not true regarding the frequency of critical file comparisons for a change-detection mechanism. Option B is not true because PCI DSS does not allow the entity to define the periodicity of the file comparisons, as it specifies a minimum frequency of at least weekly1. Option C is not true because PCI DSS does not limit the file comparisons to only after a valid change is installed, as it requires the file comparisons to be performed at least weekly regardless of the change status1. Option D is not true because PCI DSS does not allow the file comparisons to be performed at least monthly, as it requires a higher frequency of at least weekly1. References:

• PCI DSS v3.2.1
• File Integrity Monitoring Tools For PCI DSS

Segmentation is a method of isolating system components that store, process, or transmit cardholder data from systems that do not, by using security controls such as firewalls, routers, switches, or other devices1. Segmentation can reduce the scope of the cardholder data environment (CDE) and thus reduce the scope of the PCI DSS assessment, as only the systems and networks within the CDE or connected to the CDE are subject to PCI DSS requirements2. However, segmentation is not mandatory for PCI DSS compliance, and it is the responsibility of the entity to define and document the scope of their CDE and the segmentation controls they use2.

The assessor’s role is to verify the scope of the CDE and the effectiveness of the segmentation controls, as specified in PCI DSS Requirement 11.3.43. The assessor must verify that the segmentation controls are configured properly and functioning as intended, and that they allow only necessary traffic into the CDE. The assessor must also perform penetration testing on the segmentation controls at least annually and after anychanges to the segmentation methods, to confirm that there are no exploitable vulnerabilities that could allow an attacker to access the CDE from out-of-scope systems3. Therefore, the correct answer is option D.

The other options are not true regarding the role of the assessor in verifying segmentation for PCI DSS. Option A is not true because the assessor must verify not only that the segmentation controls allow only necessary traffic into the CDE, but also that they are configured properly and functioning as intended, as stated in option D. Option B is not true because the assessor does not need to verify that the payment card brands have approved the segmentation, as PCI DSS does not require such approval, although the payment card brands may have their own policies and procedures for segmentation that the entity must follow2. Option C is not true because the assessor does not need to verify that approved devices and applications are used for the segmentation controls, as PCI DSS does not mandate the use of specific devices or applications for segmentation, although it requires the entity to use industry-accepted and strong methods for segmentation2. References:

• Network Segmentation - PCI Security Standards Council
• Guidance for PCI DSS Scoping and Network Segmentation
• PCI DSS v3.2.1

when a cryptographic key is retired and replaced with a new key, the assessor will verify that the assessor observed the entity’s systems were compliant with the requirement, which means they should have implemented compensating controls to address any weaknesses or gaps in the customized control. This is one of the requirements for ensuring that an entity can use both approaches when appropriate.