CompTIA PenTest+ Exam: PCI DSS Compliance - Minimum System Scan Frequency

Minimum System Scan Frequency

Question

A penetration tester needs to perform a test on a finance system that is PCI DSS v3.2.1 compliant.

Which of the following is the MINIMUM frequency to complete the scan of the system?

Answers

Explanations


A.

https://www.pcisecuritystandards.org/pdfs/pci_ssc_quick_guide.pdf

As per PCI DSS v3.2.1 requirement 11.2.2, external and internal network vulnerability scans must be performed at least quarterly and after any significant change in the network, which includes adding new systems or changing system components. Additionally, some organizations may have more frequent scanning requirements based on their own internal policies or regulatory requirements.

Therefore, the minimum frequency to complete the scan of the finance system in this scenario would be quarterly, which is option C. This means that the penetration tester must perform vulnerability scans of the system at least once every three months to ensure that any new vulnerabilities are identified and remediated in a timely manner.

It is important to note that this is the minimum requirement, and organizations may choose to conduct scans more frequently based on their own risk assessments and internal policies. Also, penetration testing is not the same as vulnerability scanning. Penetration testing goes beyond vulnerability scanning and attempts to exploit vulnerabilities to determine the extent of damage that could be caused by an attacker. Therefore, the organization may choose to perform penetration testing on a more frequent basis than vulnerability scanning to ensure that they are fully aware of their security posture.