Common Technical Interview Questions and Answers Update on December 31, 2020

Question 111: Which of the following statements about PCI-DSS compliance is true?
A. Only organizations that store, transfer, or process more than 6 million credit card numbers are required to undergo an annual PCI audit.
B. Service providers are not required to submit an attestation of compliance (AOC) annually.
C. Merchants that process fewer than 15,000 credit card transactions are not required to submit an attestation of compliance (AOC).
D. All organizations that store, transfer, or process credit card data are required to submit an attestation of compliance (AOC) annually.
Correct Answer: D. All organizations that store, transfer, or process credit card data are required to submit an attestation of compliance (AOC) annually.

Explanation: All organizations that store, process, or transmit credit card data are required to submit an attestation of compliance (AOC) annually to their acquiring bank, processing bank, or card brand.

“Only organizations that store, transfer, or process more than 6 million credit card numbers are required to undergo an annual PCI audit” is incorrect because some organizations that process fewer credit card numbers are also required to undergo annual PCI audits — for example, organizations that have suffered a breach may be required to undergo audits. “Service providers are not required to submit an attestation of compliance (AOC) annually” is incorrect because service providers are required to submit attestations of compliance (AOC) annually. “Merchants that process fewer than 15,000 credit card transactions are not required to submit an attestation of compliance (AOC)” is incorrect because all merchants are required to submit attestations of compliance (AOC).

Question 112: An organization recently suffered a significant security incident. The organization was surprised by the incident and had believed that this kind of event would not occur. To avoid a similar event in the future, what should the organization do next?
A. Commission an enterprise-wide risk assessment.
B. Commission a controls maturity assessment.
C. Commission an internal and external penetration test.
D. Commission a controls gap assessment.
Correct Answer: A. Commission an enterprise-wide risk assessment.

Explanation: An enterprise-wide risk assessment is the best option here so that risks of all kinds can be identified and remedies suggested for mitigating them.

“Commission a controls maturity assessment” is incorrect because it’s possible that there are missing controls; a controls maturity assessment takes too narrow a view here and focuses only on existing controls, when the problem might be controls that are nonexistent. “Commission an internal and external penetration test” is incorrect because the nature of the incident is unknown and may not be related to technical vulnerabilities that a penetration test would reveal (for example, it may have been phishing or fraud). “Commission a controls gap assessment” is incorrect because a controls gap assessment takes too narrow a view here and focuses only on existing controls, when the problem might be controls that are nonexistent.

Question 113: Security analysts in the SOC have noticed that the organization’s firewall is being scanned by a port scanner in a hostile country. Security analysts have notified the security manager. How should the security manager respond to this matter?
A. Declare a high-severity security event.
B. Declare a low-severity security event.
C. Take no action.
D. Direct the SOC to blackhole the scan’s originating IP address.
Correct Answer: D. Direct the SOC to blackhole the scan’s originating IP address.

Explanation: The best course of action is to blackhole the IP address from which the port scan originates. Even this may not be necessary, however, because a port scan is not, by itself, a serious matter; it may nonetheless represent reconnaissance by an intruder that is targeting the organization.

“Declare a high-severity security event” is incorrect because a port scan is not a high-severity security matter. “Declare a low-severity security event” is incorrect because this is not the best answer; however, some organizations might consider a port scan a low-level security incident and respond in some way, such as blackholing the IP address. “Take no action” is incorrect because taking no action at all is not the best course of action.