Requirement 12: An overview of the Information Security Policy and Supporting Security Policies and Programs
Test your understanding of requirements 12.3 and 12.4
A targeted risk analysis must be completed for the requirements that provide flexibility for how frequently they are performed only when the entity can't meet the suggested frequency
True
False

Each targeted risk analysis must identify the assets being protected
True
False

Entities must use the TRA template provided by the PCI SSC
True
False

TRAs must be reviewed at least every
Month
Quarter
12 months
6 months

TRAs are required for every instance where the entity is using a customized control
True
False

Beginning March 31, 2025, cryptographic suites and protocols must be documented and reviewed every 12 months
True
False

Entities must have a(n) ___________ to respond to anticipated changes in cryptographic vulnerabilities
Unwritten agreement
Documented strategy
Budget
Allocated resources

Hardware and software technologies are part of a continuous PCI scope management process
True
False

End-of-life technologies must have a plan for remediation that has been approved by
Change management
Security operations
Senior management
The vendor

Requirements 12.4.1 and 12.4.2 are for all merchants and service providers
True
False

Service providers must have a(n) __________________ for a PCI DSS Compliance Program
Charter
Idea
Party
Memo

Reviews are performed at least once every ________________ to confirm that personnel are performing their tasks.
Day
12 months
3 months
Week

Reviews can be performed by the same person responsible for completing the task
True
False

Results must be included in the reviews
True
False

Remediation plans for any gaps noted in the reviews are unnecessary
True
False

Merchants that haven't reduced their scope would be wise to adopt requirements 12.4.1 and 12.4.2
True
False