Security Assessment Questionnaires
Comparison of three ways to handle an SAQ. The column headings below are inferred from the cell contents (the original headings did not survive extraction): a full-service provider that completes the questionnaire for you, an advisory consultant, and your own in-house staff.

| | Full-service provider | Advisory consultant | In-house staff |
|---|---|---|---|
| Completing the SAQ | Completes the SAQ and writes answers that can be reused in subsequent SAQs | Usually only advises; still requires significant internal resources to complete the SAQ | Completes the SAQ, but needs more time and resources and pulls the FTE away from other projects |
| Policies, procedures and controls | Ensures policies, procedures, and controls are created or refined to expedite future assessments | Usually has no insight into the security roadmap and is only concerned with the current SAQ project | Only concerned with the processes that get the organization through the existing SAQ |
| Remediating risk areas | Quickly remediates risk areas to score higher on the questionnaire | Only provides templates to "meet" the questionnaire's risk objectives | May not have the experience to identify what counts as a risk area |
| Security jargon | Ensures the questionnaire is completed in the proper security jargon | Sometimes has experience with security jargon | May not be familiar with the preferred security jargon |
| Liaison with the prospective client/partner | Acts as security liaison with the prospective client/partner, advocating on the company's behalf | Has the experience to push back on objections, but often relies on internal resources to remediate | Acts as liaison, but may lack the experience to advocate when there is pushback |
| CISO role | Acts as your CISO (often a requirement of the client/partner) | Does not always offer CISO services, or charges extra for them | Typically lacks the experience and security background of a CISO |