11. Exercise: Compliance Obligation Evaluation


Please answer the following questions about evaluating compliance obligations.

Question 1.

Which of the following words are determinative as defined earlier in this section? Check all that apply.

SOLUTION:
  • Must
  • Shall
  • Will

Question 2.

14 Cloud Security Principles, Section 1. Data in Transit says the following about TLS: "Use of SSL or TLS versions earlier than version 1.2 is not recommended. There are known vulnerabilities in protocols which could be manipulated by an attacker to access your data." Is this statement determinative or passive?

SOLUTION: Passive

Review the Managed Service Agreement Clause below and answer the following two questions.

Question 3.

What are the Service Provider's obligations?

SOLUTION: The Service Provider must allow one audit with 30 days' notice or additional audits with 60 days' notice

Question 4.

What are the Customer's obligations?

SOLUTION: The Customer can perform 1 audit per year with 30 days' notice or 60 days' notice for additional audits.

Review the following PCI clause and answer the next two questions.

Question 5.

Choose the best answer. To successfully meet obligations under PCI v3.2.1 Section 1.3 you…

SOLUTION: Must implement a DMZ AND limit inbound internet traffic AND implement anti-spoofing measures

Answer the following scenario:

QUESTION:

Question 6.

How would you illustrate PCI-DSS v3.2.1 Section 1.3.3 as an obligation? Create two concise determinative statements from PCI-DSS v3.2.1 Section 1.3.3.

ANSWER:

Must implement anti-spoofing measures to detect forged source IPs

AND

Must block forged source IPs