Qualified Security Assessor V4 Exam Questions and Answers
Question 21
Which scenario meets PCI DSS requirements for critical systems to have correct and consistent time?
Options:
A. Each internal system is configured to be its own time server.
B. Access to time configuration settings is available to all users of the system.
C. Central time servers receive time signals from specific, approved external sources.
D. Each internal system peers directly with an external source to ensure accuracy of time updates.
Answer:
C
Explanation:
Per Requirement 10.6.1, PCI DSS mandates that time-synchronization technology be used, and systems must be synchronized to a central time server that itself receives time from an approved external source. This ensures logs can be accurately correlated.
Option A: Incorrect. Time inconsistency arises if each system operates independently.
Option B: Incorrect. Time configuration must be restricted to authorised personnel only.
Option C: Correct. Time should be sourced from a centralised server which is in sync with reliable external sources.
Option D: Incorrect. Each system peering independently can cause inconsistencies.
Where an entity under assessment is using the customized approach, which of the following steps is the responsibility of the assessor?
Options:
A. Monitor the control.
B. Derive testing procedures and document them in Appendix E of the ROC.
C. Document and maintain evidence about each customized control as defined in Appendix E of PCI DSS.
D. Perform the targeted risk analysis as per PCI DSS requirement 12.3.2.
Answer:
B
Explanation:
Under the Customized Approach, assessors are responsible for deriving and documenting the testing procedures in Appendix E of the Report on Compliance (ROC). The assessor must ensure the control meets the requirement objective and validate it through custom testing.
Option A: ❌ Incorrect. Ongoing monitoring is the entity’s responsibility, not the assessor’s.
Option B: ✅ Correct. The assessor must derive and document testing in Appendix E.
Option C: ❌ Incorrect. The entity documents control details; the assessor documents test results.
Option D: ❌ Incorrect. The entity must perform the targeted risk analysis, not the assessor.
Reference: PCI DSS v4.0.1 – Appendix D (Customized Approach) and Appendix E (ROC Template).