Which activity supports verifying that firewall rule-set reviews occur at least every 6 months per 1.1.7?


Multiple Choice

Which activity supports verifying that firewall rule-set reviews occur at least every 6 months per 1.1.7?

Explanation:
Verifying that firewall rule-set reviews occur on a six-month cadence requires evidence that the reviews actually happened, when they occurred, and who performed them. Examining documentation that records each rule-set review and interviewing the individuals responsible provides concrete proof of both the timing and the execution of the reviews. This approach combines documentary evidence with direct confirmation, satisfying the requirement that reviews take place at least every six months and that there is accountable ownership.

Relying on automated alerts doesn’t prove a review was conducted; alerts track events, not the formal review process. Focusing only on the latest change logs shows what changed recently but doesn’t demonstrate a periodic, comprehensive review. Asking vendors for confirmation externalizes the control and doesn’t establish internal adherence to the six-month schedule.

