There’s a problem with the self-assessment questionnaires, when you come to fill one in for the first time. While there is a lot of information and guidance provided, fundamentally it comes down to a tick box for each requirement:
Yes, with CCW (Compensating Control Worksheet)
A lot of the requirements ask (relatively) simple questions, and there is always a temptation to reach for the ‘Yes’ box. It sounds about right and there seems to be lots of confident nodding around the meeting room table.
The way we always ask customers to look at their reporting is to start ‘in the event of a breach’.
Make a note!
As the Executive Officer of the company, your signature is on the SAQ form and, should the worst happen, the review process starts with you. On this basis, you need to treat the SAQ like a maths exam paper. The working out is just as important as the final answer.
As there isn’t anything suitable on the SAQ form itself, you’ll need to record all the output from your ‘Expected Testing’ work in another document. It doesn’t need to be reams of information, but you should consider:
The source of the response – which person, document or electronic source gave you the answer you were looking for?
Location – Which physical location, or piece of equipment was reviewed to arrive at a response? You may have a number of functionally identical systems, so was the answer ‘yes’ for a sample of them or all systems in question?
Example of the settings observed – System interfaces change over time, so make a note of the screen / tab / management application that was used.
Software version – Make a note of the version of the software that was reviewed. It’s always possible that an upgrade between annual assessments changed the environment in an unexpected way.
The second element to consider is any interaction with Third Parties. Going back to that horrible statement ‘in the event of a breach’, bear in mind that a post-breach review will look at all parties involved in the processing, storage or transmission of cardholder data, not just you.
Have a good look at requirement 12.8.5 – “Is information maintained about which PCI DSS requirements are managed by each service provider, and which are managed by the entity?”
Sounds simple enough, but there is always a danger here that requirements can fall through the cracks. Document all the requirements you believe each Service Provider falls in scope for, and pass them a copy of that list. You could simply send them an SAQ form and highlight all the ‘Not Applicable’ responses that you believe they are covering.
You’ll be surprised how often requesting a written (an email will do) confirmation of responsibility leads to all kinds of interesting misunderstandings that were lurking below the surface of their Attestation of Compliance (AOC).
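To make the two record-keeping points above concrete (the evidence fields behind each ‘Yes’, and the 12.8.5 responsibility split with Service Providers), here is an added Python example. It is not part of the original post or an IntaForensics tool; the requirement labels (‘Req A’ to ‘Req E’), the provider name and the evidence values are constructed sample data. It flags two things a reviewer would ask about: a ‘Yes’ with no complete evidence record, and an ‘N/A’ that no provider has confirmed owning.

```python
"""Cross-check SAQ responses against evidence records and a provider
responsibility matrix.  Added example with constructed sample data."""
from dataclasses import dataclass, field

# The four things the post says to record for every tested requirement.
REQUIRED_EVIDENCE_FIELDS = ("source", "location", "setting_observed", "software_version")

# Answers that assert a control is in place and therefore need working-out.
POSITIVE_ANSWERS = ("Yes", "Yes with CCW")


@dataclass
class Evidence:
    source: str            # person, document or electronic source consulted
    location: str          # site or piece of equipment reviewed (sample or all?)
    setting_observed: str  # screen / tab / management application used
    software_version: str  # version reviewed at the time of assessment


@dataclass
class Response:
    requirement: str
    answer: str            # "Yes", "Yes with CCW", "No" or "N/A"
    evidence: list = field(default_factory=list)


def is_complete(ev: Evidence) -> bool:
    """An evidence record counts only if every required field is filled in."""
    return all(getattr(ev, name).strip() for name in REQUIRED_EVIDENCE_FIELDS)


def missing_evidence(responses):
    """Requirements answered Yes / Yes with CCW with no complete evidence record."""
    return [r.requirement for r in responses
            if r.answer in POSITIVE_ANSWERS
            and not any(is_complete(ev) for ev in r.evidence)]


def unowned_not_applicable(responses, provider_matrix):
    """Requirements the entity marked N/A that no provider has confirmed owning.

    provider_matrix maps a provider name to the requirement labels that
    provider has confirmed in writing (the email the post suggests asking for).
    """
    confirmed = {req for reqs in provider_matrix.values() for req in reqs}
    return [r.requirement for r in responses
            if r.answer == "N/A" and r.requirement not in confirmed]


def run_checks(responses, provider_matrix):
    """Return both gap lists so they can be reviewed before the SAQ is signed."""
    return {
        "missing_evidence": missing_evidence(responses),
        "unowned_na": unowned_not_applicable(responses, provider_matrix),
    }


def build_sample():
    """Constructed sample workbook: labels, sources and versions are made up."""
    responses = [
        Response("Req A", "Yes", [Evidence("Config export, 12 Jan", "Site 1 edge firewall",
                                           "Policies tab", "v9.1")]),
        # A confident nod in the meeting room, but nothing written down.
        Response("Req B", "Yes", [Evidence("Verbal, IT manager", "", "", "")]),
        Response("Req C", "N/A", []),   # handled by the hosting provider
        Response("Req D", "N/A", []),   # nobody has claimed this one
        Response("Req E", "No", []),
    ]
    provider_matrix = {"Hosting provider (constructed)": ["Req C"]}
    return responses, provider_matrix


if __name__ == "__main__":
    for check, gaps in run_checks(*build_sample()).items():
        print(f"{check}: {gaps or 'none'}")
```

The second check is the one that usually surfaces the ‘interesting misunderstandings’: an N/A on your form is only safe when it appears in some provider’s confirmed list, so anything that lands in `unowned_na` goes back to the provider with a request for written confirmation before the form is signed.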
The Domino effect
A constant problem area is the annual ‘surprise’ that an assessment has come around again. This can be compounded further by involvement with Service Providers, who rarely seem to have their AOC ready each year.
Allow yourself sufficient time to conduct your own review, but also give your Service Providers and internal teams a nudge well before the due date.
Part 3c of the forms shows the involvement of a QSA in the self-assessment process. Why would a QSA be needed, with the clue to self-assessment literally being in the title?
Think of it as a backstop, and a second pair of eyes to make sure you are on the right track. You don’t need to do this for every assessment, but it’s worthwhile the first time through the process.
IntaForensics provide a service to assist with your own self-assessment, and offer a gentle guiding hand around those pitfalls. It is your name on the SAQ form after all.
Call us on +44247 771 7780 or email firstname.lastname@example.org.