Question 1

The BEST time in the SDLC process for an application service provider to perform Threat Modeling analysis is:

Options :

A : Before the application design and development activities begin

B : After the application vulnerability or penetration test is completed

C : After testing and before the deployment of the final code into production

D : Prior to the execution of a contract with each client

Answer: A

Question 2

Which of the following statements is FALSE about Data Loss Prevention Programs?

Options :

A :

DLP programs include the policy, tool configuration requirements, and processes for the identification, blocking or monitoring of data

B : DLP programs define the consequences for non-compliance to policies

C : DLP programs define the required policies based on default tool configuration

D : DLP programs include acknowledgement the company can apply controls to remove any data

Answer: C

Question 3

Which statement is TRUE regarding artifacts reviewed when assessing the Cardholder Data Environment (CDE) in payment card processing?

Options :

A : The Data Security Standards (DSS) framework should be used to scope the assessment

B :

The Report on Compliance (ROC) provides the assessment results completed by a qualified security assessor that includes an onsite audit

C : The Self-Assessment Questionnaire (SAQ) provides independent testing of controls

D : A System and Organization Controls (SOC) report is sufficient if the report addresses the same location

Answer: B

Question 4

Which statement BEST reflects the factors that help you determine the frequency of cyclical assessments?

Options :

A :

Vendor assessments should be conducted during onboarding and then be replaced by continuous monitoring

B :

Vendor assessment frequency should be based on the level of risk and criticality of the vendor to your operations as determined by their vendor risk score

C : Vendor assessments should be scheduled based on the type of services/products provided

D : Vendor assessment frequency may need to be changed if the vendor has disclosed a data breach

Answer: B

Question 5

Which statement is FALSE regarding the primary factors in determining vendor risk classification?

Options :

A : The geographic area where the vendor is located may trigger specific regulatory obligations

B : The importance to the outsourcer-s recovery objectives may trigger a higher risk tier

C :

The type and volume of personal data processed may trigger a higher risk rating based on the criticality of the systems

D :

Network connectivity or remote access may trigger a higher vendor risk classification only for third parties that process personal information

Answer: D