Regarding access control, which statement is true about device and personnel authorization?

Multiple Choice

Regarding access control, which statement is true about device and personnel authorization?

Explanation:
Controlling access hinges on documenting who and what is allowed to access systems that handle cardholder data. The best approach is to maintain a current list that includes every device authorized to connect to the environment and the personnel who are authorized to use those devices. This creates clear accountability, supports enforcing least privilege, and allows prompt revocation of access when someone changes roles or a device is decommissioned. It also helps prevent unauthorized devices from gaining access and ensures that any legitimate users are correctly linked to the devices they’re allowed to operate.

Not identifying devices leaves you with unchecked connections that could be exploited by rogue equipment. Limiting the list to IT staff excludes users who may legitimately need access to specific devices. Listing devices without tying them to the people who can use them removes the crucial link between the device and the authorized user, reducing traceability and effective control.
