What must be ensured about outbound traffic from the CDE to the Internet?

Multiple Choice

What must be ensured about outbound traffic from the CDE to the Internet?

Explanation:
Outbound traffic from the CDE must be tightly controlled with explicit authorization before any Internet access is allowed. This follows a deny-by-default approach: the firewall blocks outbound connections unless a specific, approved rule permits them, detailing the destination, port, and protocol. This helps prevent unapproved data exfiltration and ensures that only necessary, auditable connections are allowed, aligning with PCI DSS goals of strong access controls and traceability.

The other options are not appropriate: allowing outbound traffic by default would bypass this protection, and treating outbound traffic as unmonitored would ignore the need for ongoing detection and auditing of connections. Limiting outbound traffic to port 80 only is too specific and not universally correct, since many legitimate services require other ports and protocols.
