Certified Chief Information Security Officer (CCISO) — Question 151
When an organization claims it is secure because it is PCI-DSS certified, what is a good first question to ask towards assessing the effectiveness of their security program?
Answer options
- A. How many credit records are stored?
- B. What is the value of the assets at risk?
- C. What is the scope of the certification?
- D. How many servers do you have?
Correct answer: C
Explanation
The correct answer is C. A PCI-DSS assessment covers only the systems, networks, people and processes that the organization placed in scope, normally the cardholder data environment and anything connected to it or able to affect its security. An organization can narrow that scope through segmentation so that the attestation covers a small slice of its infrastructure while saying nothing about the rest. Asking about scope therefore tests whether "we are PCI-DSS certified" means "our security program is effective" or merely "one isolated environment passed an assessment," and it is the natural first question before looking at controls in detail. Option A (number of card records) and option D (number of servers) are inventory figures that say nothing about how well anything is protected. Option B (value of assets at risk) is a legitimate risk-management question, but it does not address what the certification actually attests to, which is the point of the question.