When filling out the PCI DSS questionnaire, is it important to provide documentation?
Our agency has just received notice from our acquiring bank that we must fill out the PCI DSS questionnaire. I'm being directed by management just to fill out the questionnaire and not worry about the documentation, because they believe that the questionnaire will not be audited. My opinion is that if we fill out this questionnaire we should be ready to provide documentation. Am I wrong to make this assumption?
It's absolutely right to always gather appropriate PCI DSS-related documentation in the event of an audit. The kind of management perspective that says otherwise is all about doing the least amount possible to make the auditor go away. The reality is security professionals need to do the right thing and plan for the worst-case scenario, consistently -- that means every day.
In this case, the right process is to gather appropriate documentation as a common part of security operations. If it's necessary to gather a bunch of documentation to substantiate practices that should be in place anyway (which is most of PCI DSS), then something is wrong.
In today's security environment, security managers will always be scrutinized. The executive suite will always wonder what's happening with all that money in the security budget. They want substantiation of what it is that the security team does, and why. Gathering the documentation when an audit is happening puts the security team behind the curve and in turn makes the value of information security less apparent
to management, so I suggest making documentation a part of everyday activities. Yes, it's a hassle, but no more of a hassle than having to manufacture data to substantiate what's been done the night before an audit.
This was first published in February 2009
Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.