Question 1

When defining due diligence requirements for the set of vendors that host web applications which of the

following is typically NOT part of evaluating the vendor's patch

management controls?

Options :

A : The capability of the vendor to apply priority patching of high-risk systems

B : Established procedures for testing of patches, service packs, and hot fixes prior to installation

C : A documented process to gain approvals for use of open source applications

D : The existence of a formal process for evaluation and prioritization of known vulnerabilities

Answer: C

Question 2

Which statement is FALSE regarding the primary factors in determining vendor risk classification?

Options :

A : The geographic area where the vendor is located may trigger specific regulatory obligations

B : The importance to the outsourcer-s recovery objectives may trigger a higher risk tier

C :

The type and volume of personal data processed may trigger a higher risk rating based on the criticality of the systems

D :

Network connectivity or remote access may trigger a higher vendor risk classification only for third parties that process personal information

Answer: D

Question 3

Which requirement is the MOST important for managing risk when the vendor contract terminates?

Options :

A : The responsibility to perform a financial review of outstanding invoices

B : The commitment to perform a final assessment based upon due diligence standards

C : The requirement to ensure secure data destruction and asset return

D : The obligation to define contract terms for transition services

Answer: C

Question 4

Which of the following BEST describes the distinction between a regulation and a standard?

Options :

A :

A regulation must be adhered to by all companies subject to its requirements, but companies “can voluntarily choose to follow standards.

B : There is no distinction, regulations and standards are the same and have equal impact

C : Standards are always a subset of a regulation

D :

A standard must be adhered to by companies based on the industry they are in, while regulations are voluntary.

Answer: A

Question 5

Which statement is TRUE regarding artifacts reviewed when assessing the Cardholder Data Environment (CDE) in payment card processing?

Options :

A : The Data Security Standards (DSS) framework should be used to scope the assessment

B :

The Report on Compliance (ROC) provides the assessment results completed by a qualified security assessor that includes an onsite audit

C : The Self-Assessment Questionnaire (SAQ) provides independent testing of controls

D : A System and Organization Controls (SOC) report is sufficient if the report addresses the same location

Answer: B