Which of the following is NOT included in the controls covered in requirement 2?

The correct choice indicates that storing sensitive data in the cloud is not included in the controls covered in requirement 2. This requirement primarily focuses on the protection of cardholder data and the security of systems that process such information. Requirement 2 specifically emphasizes the necessity of configuring systems securely, such as ensuring that default passwords are changed and that there are established standards for system configuration.

The other options directly align with the goals of this requirement. Not using vendor-supplied default passwords is crucial for ensuring that systems are not easily compromised. Utilizing system configuration standards helps maintain a consistent security posture across all components, which is fundamental in maintaining a secure environment. Maintaining an inventory of system components is also essential, as it enables organizations to know what assets require protection and helps in managing them effectively.

In contrast, storing sensitive data in the cloud may be part of broader data management or security considerations but does not directly fall under the specific controls pointed out in requirement 2, which is more about securing the internal systems and configurations rather than how data is stored in external environments.