What should 1.1.6 documentation include?


Multiple Choice

What should 1.1.6 documentation include?

Explanation:
The main idea being tested is how PCI DSS requires formal documentation around the services, protocols, and ports that are allowed in the cardholder data environment. Specifically, the documentation must include the business justification and formal approval for using every service, protocol, and port, and it must describe the security features in place for any insecure protocols.

This is about ensuring you don’t have unmanaged or unknown services running in the environment. By capturing the business reason and who approved each allowed service, you create accountability and a clear trail for audits and change management. At the same time, noting the security measures for insecure protocols shows you’re actively mitigating risk rather than tolerating insecure practices. For example, if an organization must allow a remote management protocol that is considered insecure, the documentation should state why it’s needed, exactly which ports/protocols are allowed, and what protections are in place (like encryption, strong authentication, restricted access, logging).

Why the other options don’t fit: documenting services without any business justification or approval removes the essential governance and accountability. Claiming no documentation is required contradicts the need for controlled, auditable changes. And only listing allowed protocols omits the required business justification and the security measures for insecure protocols, leaving gaps in risk management.
