Security Assessment Questionnaires

Complete the SAQ and write answers to be reused in subsequent SAQ’s

Usually only advises and still requires significant internal resources to complete the SAQ

Complete the SAQ but requires more time, resources, & takes the FTE away from other projects

Ensure policies, procedures, and controls are created or refined to expedite future assessments

Usually don’t have insight into security roadmap & only concerned with the current SAQ project

Only concerned with processes that gets the organization through the existing SAQ

Quickly remediate risk areas  to score higher on the questionnaire

Only provides templates to ‘meet’ questionnaire’s risk objectives

May not have the experience to identify what is considered a risk area

Affirm the questionnaire is completed in proper security jargon

Sometimes has experience with security jargon

May not have the experience to be familiarized with the preferred security jargon

Act as security liaison with prospective client/partner, advocating on the company’s behalf

Have the experience to advocate on pushback but oftentimes rely on internal resources to remediate

Act as liaison that may not have experience with how to advocate when there’s pushback

Act as your CISO (which is oftentimes a requirement for the client/partner)

Don’t always offer CISO services or they charge extra for the service

Doesn’t typically have the experience of a CISO or the security background needed