Educause Security Discussion mailing list archives

Re: Budget for PCI DSS SAQ D for Bookstore Operations


From: "Carson, Larry" <larry.carson () UBC CA>
Date: Fri, 5 Aug 2011 07:51:47 -0700

I would recommend descoping to SAQ C, if at all possible. This may mean updating data stores in a DB, sanitising
(possibly even destroying) backups and logs, sanitising email stores, etc. Just keep a record of all items sanitised, as
it is a good record of your descoping exercise.

WRT tracking compliance: spreadsheets, lots of them, but we're considering a GRC solution to keep our sanity.


Larry

---
Larry Carson
Associate Director, Information Security Management
Information Technology | Engage. Envision. Enable.
The University of British Columbia
Tel: 604.822.0773 | Twitter: @L4rryC4rson
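The descoping step Larry describes (purging cardholder data from logs, backups and mail stores while keeping a record of what was sanitised) is the kind of job a small script can make repeatable. The following is an added example, not code from Larry or from the list: it scans text lines for 13 to 19 digit runs, keeps only those that pass the Luhn check (so order numbers and timestamps are left alone), replaces each real PAN with a redaction token, and emits a masked audit record (first six and last four digits only) that can be kept as evidence of the descoping exercise. The log lines, the source name and the redaction token are constructed assumptions for the demonstration.

```python
import re
from dataclasses import dataclass

# Candidate PAN: 13-19 digits, optionally separated by single spaces or dashes,
# not embedded in a longer digit run.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
REDACTION = "[PAN-REDACTED]"  # assumed replacement token


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn (mod 10) check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(digits: str) -> str:
    """Keep first six and last four digits (what PCI DSS allows to be displayed)."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


@dataclass
class Finding:
    source: str    # which file/store the PAN was found in
    line_no: int   # 1-based line number
    masked: str    # masked PAN, safe to keep in the audit record


def sanitise_lines(source: str, lines):
    """Redact Luhn-valid PANs in `lines`; return (clean_lines, findings)."""
    clean, findings = [], []
    for n, line in enumerate(lines, 1):
        def repl(m):
            digits = re.sub(r"[ -]", "", m.group(0))
            if not luhn_ok(digits):
                return m.group(0)       # looks like a card number but is not one
            findings.append(Finding(source, n, mask(digits)))
            return REDACTION
        clean.append(PAN_RE.sub(repl, line))
    return clean, findings


def audit_record(findings) -> list:
    """Tab-separated lines suitable for the descoping evidence file."""
    return [f"{f.source}\t{f.line_no}\t{f.masked}" for f in findings]


# Constructed sample log lines (test card numbers, not real accounts).
SAMPLE_LOG = [
    "2011-08-05 07:51:47 order=1234567890123456 customer=alice status=OK",  # fails Luhn: keep
    "2011-08-05 07:52:03 card=4111 1111 1111 1111 exp=12/13 amount=42.50",  # redact
    "2011-08-05 07:52:10 card=5500-0000-0000-0004 amount=19.99",            # redact
    "2011-08-05 07:53:00 phone=604.822.0773 note=callback",                 # no candidate
]

if __name__ == "__main__":
    cleaned, found = sanitise_lines("constructed.log", SAMPLE_LOG)
    print("\n".join(cleaned))
    print("--- audit record ---")
    print("\n".join(audit_record(found)))
```

The Luhn check is what keeps the false-positive rate workable on real logs, but it is a filter, not proof: a 16-digit value that happens to pass Luhn will be redacted too, so review the masked audit record before treating a store as out of scope. For email stores and binary backups the same detection logic applies, but the text has to be extracted from the container format first.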
 

----- Original Message -----
From: The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU>
To: SECURITY () LISTSERV EDUCAUSE EDU <SECURITY () LISTSERV EDUCAUSE EDU>
Sent: Fri Aug 05 05:18:21 2011
Subject: Re: [SECURITY] Budget for PCI DSS SAQ D for Bookstore Operations

A 340 row Lovecraftian spreadsheet which causes those who stare into its depths to gibber in unholy madness. We call
it The Beast.

The 40+ columns track a lot of things, none of which are on any SAQ: vendors, manufacturers, contract language status,
versions, validation types, concessionaires, CDE segmentation status, SAQ completion dates... About row 200 I
realized this was a database problem, but our development staff is limited.

    -jml


-----Original Message-----
From: Doug Markiewicz - EDUCAUSE
Sent: 2011-08-05 06:48:02
To: Doug Markiewicz - EDUCAUSE;The EDUCAUSE Security Constituent Group Listserv
Cc: 
Subject: Re: [SECURITY] Budget for PCI DSS SAQ D for Bookstore Operations


We are working with Trustwave to provide an online portal to track all information, scans, provide and
track training, do external scans, fill out SAQs, etc.

I'm curious how others are organizing all their PCI compliance data, tracking training, etc. Manually?  Through a 
software package or service provider? 
