Requirement 12: An overview of the Information Security Policy and Supporting Security Policies and Programs
Test your understanding of 12.5, 12.6, and 12.7
Requirement 12.5.1 corresponds to the old (v3.2.1) requirement 2.4
True
False
A description of ___________ must be documented for all in-scope system components
function/use
function/quantity
location/function
quantity/use
PCI DSS scope must be documented and confirmed at least every __________ and upon significant change to the in-scope environment
6 months
never
12 months
month
Third-party service providers that store, process, or transmit CHD on the entity’s behalf, or that could impact the security of the CDE, are not considered to be in scope
True
False
Beginning March 31, 2025, service providers must confirm scope once every 6 months
True
False
Security awareness training is a once-and-done activity
True
False
Entities in scope for PCI DSS must have a formal security awareness program
True
False
Employees must receive security awareness training only upon hire
True
False
Personnel must acknowledge that they have read and understood the information security policy
True
False
The security awareness program must maintain records to prove that employees attend security awareness training upon hire and at least once every 12 months
True
False
Email, posters, and digital displays are examples of ________________ of communicating awareness to and educating personnel
busy work
multiple methods
wasting time
Beginning March 31, 2025, security awareness training must include training on
phishing attacks
smishing attacks
social engineering
acceptable use of end-user technologies
none of the above
all of the above
Potential employees who could have access to the CDE must be screened (within the constraints of local laws) prior to hire
True
False