Information Security Policy & PCI DSS Requirements Quiz

Questions and Answers

True or false: The information security policy is based on the Payment Card Industry Data Security Standard (PCI DSS)?

True

True or false: The policy sets out detailed procedures and standards for meeting the policy objectives?

False

True or false: The policy applies only to IT systems within the company?

False

True or false: Breaches in information security can result in financial losses only?

False

True or false: Individual actions and behaviors of personnel do not affect information security?

False

True or false: Line managers are responsible for ensuring their personnel attend information security training?

True

True or false: Senior management is not responsible for information security within the company?

False

True or false: The policy includes requirements for physical security?

True

True or false: Insecure Services refer to services that are encrypted and not susceptible to known attacks?

False

Study Notes

Information Security Policy Document Control

• This document is a draft of an information security policy for a company.

• The policy is based on the Payment Card Industry Data Security Standard (PCI DSS).

• The policy sets out high-level objectives for information security.

• Personnel must refer to other procedures and standards to determine how to meet the policy objectives.

• The policy applies to people, processes, and IT systems within the company.

• The primary goal of information security is to protect information assets.

• Breaches in information security can have serious consequences, including disclosure of personal information and financial losses.

• Individual actions and behaviors of personnel are critical to protecting information assets.

• Personnel must understand their responsibilities for protecting information and attend information security training.

• Line managers are responsible for ensuring their personnel attend training and have access to policies and procedures.

• Senior management is responsible for information security within the company and must approve exceptions to the policy.

• The policy includes requirements for network security, system builds, data security, anti-virus, patching, vulnerability management, software development, change management, access control, physical security, system logging, network testing, and monitoring tools.PCI DSS Requirements and Glossary of Terms Summary

• Requirement 9: Unique ID assigned to each person with computer access

• Requirement 10: Physical access to cardholder data must be restricted

• Requirement 11: Tracking and monitoring of all access to network resources and cardholder data

• Requirement 12: Regular testing of security systems and processes

• Annex A: Glossary of Terms provided, including definitions for PCI DSS and Insecure Services

• Insecure Services: Services that transmit data in an unencrypted format or are susceptible to known attacks

• Public Network: Any network not managed by the entity and can be monitored or intercepted by others

• DMZ: Demilitarized Zone, a subnet that exposes an organization's external-facing services to an untrusted network

• Inbound Traffic: Traffic flowing into the organization from outside via routers or firewalls

• Outbound Traffic: Traffic flowing out of the organization from inside via routers or firewalls

• Sensitive Authentication Data (SAD): Data used in relation to payment cards, including full magnetic stripe data, PINs, and more

• Cardholder Data (CHD): Data used in relation to payment cards, including the primary account number, cardholder name, and expiration date

Description

Test your knowledge on information security policies, based on the Payment Card Industry Data Security Standard (PCI DSS), including requirements for unique IDs, physical access restrictions, tracking and monitoring, and regular testing. Explore key terms like Insecure Services, DMZ, and Sensitive Authentication Data.