A security analyst is preparing a vulnerability-management compliance report for an upcoming PCI-DSS audit. Which section of the report would MOST directly demonstrate to the auditors that the organization satisfies the standard's requirements?
A table listing patch-deployment dates for all critical production servers
A control-to-requirement mapping matrix correlating internal controls to each applicable PCI-DSS clause
A graph showing the ten most exploited vulnerabilities detected during the last quarter
A narrative executive summary highlighting recent security program improvements
Auditors need clear evidence that each control the organization has implemented satisfies a particular PCI-DSS clause. A control-to-requirement mapping matrix provides that direct linkage, making it the section that most convincingly demonstrates compliance. A graph of common vulnerabilities, an executive narrative, and a patch-deployment table are useful context, but they do not explicitly map controls to the standard's mandatory clauses and therefore do not, by themselves, prove adherence.