A penetration tester needs to perform a test on a finance system that is PCI DSS v3.2.1 compliant.
Which of the following is the MINIMUM frequency to complete the scan of the system?
Click on the arrows to vote for the correct answer
A. B. C. D.A.
https://www.pcisecuritystandards.org/pdfs/pci_ssc_quick_guide.pdfAs per PCI DSS v3.2.1 requirement 11.2.2, external and internal network vulnerability scans must be performed at least quarterly and after any significant change in the network, which includes adding new systems or changing system components. Additionally, some organizations may have more frequent scanning requirements based on their own internal policies or regulatory requirements.
Therefore, the minimum frequency to complete the scan of the finance system in this scenario would be quarterly, which is option C. This means that the penetration tester must perform vulnerability scans of the system at least once every three months to ensure that any new vulnerabilities are identified and remediated in a timely manner.
It is important to note that this is the minimum requirement, and organizations may choose to conduct scans more frequently based on their own risk assessments and internal policies. Also, penetration testing is not the same as vulnerability scanning. Penetration testing goes beyond vulnerability scanning and attempts to exploit vulnerabilities to determine the extent of damage that could be caused by an attacker. Therefore, the organization may choose to perform penetration testing on a more frequent basis than vulnerability scanning to ensure that they are fully aware of their security posture.