Columns of the evidence request table: Ques No. | Topic | Question | ControlCase Reference | Response Uploaded Evidences | Status | CC Comments | Assessor Client Comments | Category

## Question 1: Scoping

**Question:** Provide a list of office locations, cloud environments, and data centers that store, process or transmit information covered under this assessment. You must use the attached template. Please click on this link to view additional files to assist you with this question. It may contain templates, scripts or other additional files. Once you have gathered the information we requested, please upload it by clicking the "Upload Files" button below or by "Dragging and Dropping" the files below.

**ControlCase reference:** cc1

**Response uploaded (evidences):** 973::LPB_PCIDSS_Question_01_ver1.0.zip

**Status:** Under Evaluation

**Category:** pcidss_32, ei3pa, soc1, soc2, nist_800_53, nist high, nist moderate, nist low, sca, hipaa, hitrust_10m_to_60m_records, sig_lite, gdpr, iso_27001_2013_main, privacy_shield, microsoft_sspa, csa_star, iso_27001_2013_stage_1, iso_27001_2013_stage_2, nist_800_171, nist_cybersecurity_framework, ccpa, hitrust_less_than_10m_records, hitrust_over_60m_records, saq_a, saq_a_ep, saq_b, saq_b_ip, saq_c, saq_c_vt, saq_d_merchant, saq_d_service_provider, saq_p2pe, pcidss_31, swift, hitrust_domain, scoping, Scoping, soc2_scoping

## Question 2: Scoping

**Question:** Provide a list of the applications (third party and in-house) that are involved in storing, processing or transmitting information covered under this assessment. You must use the attached template.

**ControlCase reference:** cc2

**Response uploaded (evidences):** 974::LPB_PCIDSS_Question_02_ver1.0.zip

**Status:** Under Evaluation

**Category:** pcidss_32, ei3pa, soc1, soc2, nist_800_53, nist high, nist moderate, nist low, sca, hipaa, hitrust_10m_to_60m_records, sig_lite, gdpr, iso_27001_2013_main, privacy_shield, microsoft_sspa, csa_star, iso_27001_2013_stage_1, iso_27001_2013_stage_2, nist_800_171, nist_cybersecurity_framework, ffiec, ccpa, hitrust_less_than_10m_records, hitrust_over_60m_records, saq_a, saq_a_ep, saq_b, saq_b_ip, saq_c, saq_c_vt, saq_d_merchant, saq_d_service_provider, saq_p2pe, pcidss_31, swift, hitrust_domain, payment applications / pci scope web and software applications, POS (Point Of Sale) Devices, atm / kiosk, scoping, Scoping, soc2_scoping

## Question 3: Scoping

**Question:** Provide a high-level network diagram of the in-scope environment. You may use the attached template or provide the data in an alternative format.

**ControlCase reference:** cc3

**Response uploaded (evidences):** 975::LPB_PCIDSS_Question_03_ver1.0.zip; 979::LPB_PCIDSS_Question_03_v1.1.zip

**Status:** Under Evaluation

**Category:** pcidss_32, ei3pa, soc1, soc2, nist_800_53, nist high, nist moderate, nist low, sca, hipaa, hitrust_10m_to_60m_records, sig_lite, gdpr, bits_aup_2014, iso_27001_2013_annex_a, iso_27001_2013_main, privacy_shield, microsoft_sspa, csa_star, iso_27001_2013_stage_1, iso_27001_2013_stage_2, nist_800_171, nist_cybersecurity_framework, ffiec, ccpa, hitrust_less_than_10m_records, hitrust_over_60m_records, saq_a, saq_a_ep, saq_b, saq_b_ip, saq_c, saq_c_vt, saq_d_merchant, saq_d_service_provider, saq_p2pe, pcidss_31, hitrust_domain, scoping, Scoping, soc2_scoping

## Question 4: Scoping

**Question:** Provide your asset list. This list includes the software, databases, data storage locations, Sample Sets and other related data elements. You must use the attached template.

**ControlCase reference:** cc4

**Response uploaded (evidences):** 976::LPB_PCIDSS_Question_04_ver1.0_Submit.zip; 978::LPB_PCIDSS_Question_04_v1.1.zip

**Status:** Under Evaluation

**Category:** pcidss_32, ei3pa, soc1, soc2, nist_800_53, nist high, nist moderate, nist low, marse_2_0, sca, hipaa, hitrust_10m_to_60m_records, sig_lite, gdpr, cms_ars_2_0, bits_aup_2014, iso_27001_2013_annex_a, privacy_shield, microsoft_sspa, csa_star, iso_27001_2013_stage_1, iso_27001_2013_stage_2, nist_800_171, nist_cybersecurity_framework, ffiec, ccpa, hitrust_less_than_10m_records, hitrust_over_60m_records, saq_a, saq_a_ep, saq_b, saq_b_ip, saq_c, saq_c_vt, saq_d_merchant, saq_d_service_provider, saq_p2pe, pcidss_31, swift, hitrust_domain, Firewall, Switch, scoping, Scoping, soc2_scoping

## Question 5: Scoping

**Question:** Provide a list of all your external IP addresses and their function. You must use the attached template.

**ControlCase reference:** cc5

**Response uploaded (evidences):** 968::LPB_PCIDSS_Question_05_ver1.0.zip

**Status:** Incomplete Information

**Comments:** Will be checked as per ASV and External PT reports

**Category:** pcidss_32, ei3pa, soc1, nist_800_53, nist high, nist moderate, nist low, sca, hipaa, hitrust_10m_to_60m_records, sig_lite, bits_aup_2014, iso_27001_2013_annex_a, privacy_shield, microsoft_sspa, csa_star, iso_27001_2013_stage_1, iso_27001_2013_stage_2, nist_800_171, nist_cybersecurity_framework, ccpa, hitrust_less_than_10m_records, hitrust_over_60m_records, saq_a, saq_a_ep, saq_b, saq_b_ip, saq_c, saq_c_vt, saq_d_merchant, saq_d_service_provider, saq_p2pe, pcidss_31, swift, hitrust_domain, Security, scoping, Scoping

## Question 6: Network

**Question:** Provide 3 sample firewall and router change forms or tickets. You may use the attached template or provide the required information in an alternative format.

**ControlCase reference:** cc6

**Response uploaded (evidences):** 991::LPB_PCIDSS_Q.06_v1.0.zip

**Status:** Under Evaluation

**Category:** pcidss_32, ei3pa, soc1, sca, hitrust_10m_to_60m_records, iso_27001_2013_annex_a, glba, iso_27001_2013_stage_1, iso_27001_2013_stage_2, nist_800_171, nist_cybersecurity_framework, ffiec, hitrust_less_than_10m_records, hitrust_over_60m_records, saq_a_ep, saq_d_merchant, saq_d_service_provider, pcidss_31, hitrust_domain, Firewall, Router, network, post-scoping, Network

## Question 7: Scoping

**Question:** Provide detailed network diagram(s) that cover the following:

- All boundaries of the in-scope environment
- Any network segmentation points which are used to reduce scope of the assessment
- Boundaries between trusted and untrusted networks
- Wireless (if available) and wired networks
- All other connection points applicable to the assessment

Ensure the diagram(s) include enough detail to understand clearly how each communication point functions and is secured. For example, the level of detail may include identifying the types of devices, device interfaces, network technologies, protocols, and security controls applicable to that communication point. You may use the attached template or provide the data in an alternative format.

**ControlCase reference:** cc7

**Response uploaded (evidences):** 1015::LPB_PCIDSS_Q.07_v1.0.zip

**Status:** Under Evaluation

**Category:** pcidss_32, ei3pa, soc1, soc2, nist_800_53, nist high, nist moderate, nist low, sca, hitrust_10m_to_60m_records, sig_lite, gdpr, iso_27001_2013_annex_a, iso_27001_2013_main, microsoft_sspa, csa_star, iso_27001_2013_stage_1, iso_27001_2013_stage_2, nist_800_171, nist_cybersecurity_framework, ffiec, hitrust_less_than_10m_records, hitrust_over_60m_records, saq_a, saq_a_ep, saq_b, saq_b_ip, saq_c, saq_c_vt, saq_d_merchant, saq_d_service_provider, saq_p2pe, pcidss_31, swift, hitrust_domain, scoping, Scoping, soc2_post_scoping

## Question 8: Scoping

**Question:** Provide data flow diagrams that explain storage, processing, and transmission of covered information. You may use the attached template or provide the data in an alternative format.

**ControlCase reference:** cc8

**Response uploaded (evidences):** 977::LPB_PCIDSS_Question_08_ver1.0.zip

**Status:** Under Evaluation

**Category:** pcidss_32, ei3pa, soc1, soc2, nist_800_53, nist high, nist moderate, nist low, sca, hipaa, hitrust_10m_to_60m_records, sig_lite, gdpr, iso_27001_2013_main, microsoft_sspa, csa_star, iso_27001_2013_stage_1, iso_27001_2013_stage_2, nist_800_171, nist_cybersecurity_framework, ffiec, ccpa, hitrust_less_than_10m_records, hitrust_over_60m_records, saq_a, saq_a_ep, saq_b, saq_b_ip, saq_c, saq_c_vt, saq_d_merchant, saq_d_service_provider, saq_p2pe, pcidss_31, swift, hitrust_domain, scoping, Scoping, soc2_scoping

## Question 9: Network

**Question:** Provide roles and responsibilities for management of firewall and routers. You may use the attached template or provide the required information in an alternative format.

**ControlCase reference:** cc9

**Response uploaded (evidences):** 953::LPB_PCI_Question_9.zip

**Status:** Incomplete Information

**Comments:** Configuration for Groups and Roles will be required from AAA or Access Control System

**Category:** pcidss_32, ei3pa, soc1, sca, nist_cybersecurity_framework, ffiec, hitrust_over_60m_records, saq_d_merchant, saq_d_service_provider, pcidss_31, hitrust_domain, network, post-scoping, Network

## Question 10: Network

**Question:** Provide business justification for the use of all services, protocols, and ports allowed through firewall and router, including documentation of security features implemented for those protocols considered to be insecure. You may use the attached template or provide the required information in an alternative format.

**ControlCase reference:** cc10

**Status:** No Evidence Uploaded

**Category:** pcidss_32, ei3pa, soc1, sca, bits_aup_2014, iso_27001_2013_annex_a, csa_star, saq_a_ep, saq_b_ip, saq_d_merchant, saq_d_service_provider, pcidss_31, hitrust_domain, Firewall, Router, network, post-scoping, Network

## Question 11: Network

**Question:** Provide two compliant semiannual firewall and router rule set review reports, along with evidence that the team performing the review has the necessary credentials and knowledge. You may use the attached template, or provide the data in an alternative format.

**ControlCase reference:** cc11

**Status:** No Evidence Uploaded

**Category:** pcidss_32, ei3pa, soc1, soc2, sca, bits_aup_2014, iso_27001_2013_annex_a, csa_star, nist_cybersecurity_framework, ffiec, hitrust_over_60m_records, saq_a_ep, saq_d_merchant, saq_d_service_provider, pcidss_31, hitrust_domain, security, Firewall, Router, network, post-scoping, Network, soc2_post_scoping

## Question 12: Network

**Question:** Provide system generated configuration showing the inbound and outbound access list necessary for the covered information, which specifically denies all other traffic, for all firewall(s)/router(s) in scope. Please provide the screenshot or system generated configuration of the VLANs/interfaces created on the firewall(s)/router(s). The attached template contains the sample.

**ControlCase reference:** cc12

**Response uploaded (evidences):** 992::LPB_PCIDSS_Q.12_v1.0.zip

**Status:** Under Evaluation

**Category:** pcidss_32, ei3pa, soc1, sca, hitrust_10m_to_60m_records, gdpr, bits_aup_2014, nist_800_171, nist_cybersecurity_framework, ffiec, hitrust_less_than_10m_records, hitrust_over_60m_records, saq_a_ep, saq_b_ip, saq_c, saq_d_merchant, saq_d_service_provider, pcidss_31, hitrust_domain, Firewall, Router, network, post-scoping, Network

## Question 13: Network

**Question:** Provide a written explanation of how a router configuration backup is done and how the backups are secured. The attached template contains the sample.

**ControlCase reference:** cc13

**Response uploaded (evidences):** 954::LPB_PCI_Question_13.zip

**Status:** Incomplete Information

**Comments:** Require to add configuration to verify the Routers running and startup configs

**Category:** pcidss_32, ei3pa, soc1, iso_27001_2013_annex_a, iso_27001_2013_stage_1, iso_27001_2013_stage_2, nist_cybersecurity_framework, ffiec, hitrust_over_60m_records, saq_a_ep, saq_b_ip, saq_c, saq_d_merchant, saq_d_service_provider, pcidss_31, hitrust_domain, Firewall, Router, network, post-scoping, Network

## Question 14: Network

**Question:** For in-scope wireless networks, provide system generated configuration of the firewall(s) showing the inbound and outbound access list allowing traffic necessary for business purposes, permitting only authorized traffic between wireless and the environment having covered information. The attached template contains the sample.

**ControlCase reference:** cc14

**Response uploaded (evidences):** 994::LPB_PCIDSS_Q.14_v1.0.zip

**Status:** Under Evaluation

**Category:** pcidss_32, ei3pa, soc1, hitrust_10m_to_60m_records, csa_star, hitrust_over_60m_records, saq_a_ep, saq_b_ip, saq_c, saq_d_merchant, saq_d_service_provider, pcidss_31, hitrust_domain, Firewall, Wireless Access Point / Wireless Device, network, post-scoping, Network

## Question 15: Network

**Question:** If publicly accessible services, protocols and ports exist, provide specific firewall/router configuration showing DMZ interface(s). For the identified DMZ interface(s), provide access control list(s) which limit the inbound internet traffic to IP addresses within the DMZ. If there is outbound traffic from the environment containing covered information to the internet, provide specific firewall/router access control list(s) which limit outbound traffic to the internet. For such traffic, provide explicit documented approval. If covered information is stored, provide specific firewall/router configuration showing that covered information is stored in the internal network zone segregated from the DMZ and untrusted network. You must use the attached template.

**ControlCase reference:** cc15

**Status:** No Evidence Uploaded

**Category:** pcidss_32, ei3pa, soc1, hitrust_10m_to_60m_records, bits_aup_2014, iso_27001_2013_annex_a, nist_800_171, hitrust_less_than_10m_records, hitrust_over_60m_records, saq_a_ep, saq_b_ip, saq_c, saq_d_merchant, saq_d_service_provider, pcidss_31, swift, hitrust_domain, Firewall, Router, network, post-scoping, Network

## Question 16: Network

**Question:** Provide a screenshot of the anti-spoofing access list or similar settings on the external firewall and/or router. The attached template contains the sample. Provide the screenshot evidence to highlight how private IP addresses are restricted from disclosure to unauthorized parties.

**ControlCase reference:** cc17

**Response uploaded (evidences):** 969::LPB_PCIDSS_Question_16_ver1.0.zip

**Status:** Incomplete Information

**Comments:** Required to verify the devices (External Firewalls) from Inventory

**Category:** pcidss_32, soc1, hitrust_10m_to_60m_records, iso_27001_2013_annex_a, hitrust_over_60m_records, saq_a_ep, saq_b_ip, saq_d_merchant, saq_d_service_provider, pcidss_31, swift, hitrust_domain, Firewall, Router, network, post-scoping, Network

## Question 17: Network

**Question:** Provide a screenshot to show stateful inspection enabled on external firewalls in scope. The attached template contains the sample.

**ControlCase reference:** cc19

**Status:** No Evidence Uploaded

**Category:** pcidss_32, ei3pa, soc1, hitrust_10m_to_60m_records, iso_27001_2013_annex_a, hitrust_over_60m_records, saq_a_ep, saq_b_ip, saq_c, saq_d_merchant, saq_d_service_provider, pcidss_31, swift, hitrust_domain, Firewall, network, post-scoping, Network

## Question 18: Network

**Question:** For a sample selected by the assessor, provide the following (for at least 5 laptops):

- Evidence of a personal firewall installed, actively running, and configured as per the organization's specific configuration setting.
- Evidence showing the user cannot disable the personal firewall.

The attached template contains the sample.

**ControlCase reference:** cc22

**Response uploaded (evidences):** 997::LPB_PCIDSS_Q.18_v1.0.zip

**Status:** Under Evaluation

**Category:** pcidss_32, ei3pa, soc1, iso_27001_2013_annex_a, iso_27001_2013_stage_1, iso_27001_2013_stage_2, saq_a_ep, saq_d_merchant, saq_d_service_provider, pcidss_31, hitrust_domain, workstation / laptop, network, post-scoping, Network

## Question 19: Configuration Management

**Question:** If a wireless access point is used, provide a screenshot that shows the following:

- firmware version is the latest
- strong encryption is implemented for authentication and transmission
- vendor defaults (e.g. Users, SNMP, encryption protocols etc.) are changed

The attached template contains the sample.

**ControlCase reference:** cc23

**Status:** No Evidence Uploaded

**Category:** pcidss_32, ei3pa, soc1, nist_800_53, nist high, nist moderate, nist low, marse_2_0, sca, hitrust_10m_to_60m_records, cms_ars_2_0, iso_27001_2013_annex_a, csa_star, iso_27001_2013_stage_1, iso_27001_2013_stage_2, nist_800_171, hitrust_less_than_10m_records, hitrust_over_60m_records, saq_b_ip, saq_c, saq_d_merchant, saq_d_service_provider, pcidss_31, swift, hitrust_domain, Wireless Access Point / Wireless Device, configuration management, post-scoping, Configuration Management

## Question 20: Configuration Management

**Question:** Provide the screenshots from the sampled systems to check for the removal or disabling of unnecessary default accounts. Provide hardening (secure configuration) documents for all system components identified in the asset inventory.

**ControlCase reference:** cc24

**Response uploaded (evidences):** 1003::LPB_PCIDSS_Q.20_v1.0.zip; 1009::LPB_PCIDSS_Q.20_v1.1.zip

**Status:** Under Evaluation

**Category:** pcidss_32, ei3pa, soc1, nist_800_53, nist high, nist moderate, nist low, marse_2_0, sca, hitrust_10m_to_60m_records, sig_lite, gdpr, cms_ars_2_0, bits_aup_2014, iso_27001_2013_annex_a, csa_star, nist_800_171, nist_cybersecurity_framework, ffiec, hitrust_less_than_10m_records, hitrust_over_60m_records, saq_a, saq_a_ep, saq_c, saq_d_merchant, saq_d_service_provider, pcidss_31, swift, hitrust_domain, Firewall, Router, Switch, ids / ips, Windows, mainframe, linux, unix, virtual platform, workstation / laptop, database, Wireless Access Point / Wireless Device, Web Application Firewall, payment applications / pci scope web and software applications, POS (Point Of Sale) Devices, atm / kiosk, configuration management, post-scoping, Configuration Management

## Question 21: Configuration Management

**Question:** Provide the screenshots of the services/ports running on in-scope systems (servers and network components), OR provide configuration scan (i.e. authenticated vulnerability scan) results that evidence the list of ports/services running on in-scope systems (servers and network devices), OR, in the absence of a configuration scan, you may provide the results of running ControlCase scripts on in-scope systems. The attached template contains the sample.

**ControlCase reference:** cc25

**Status:** No Evidence Uploaded

**Category:** pcidss_32, ei3pa, soc1, hitrust_10m_to_60m_records, gdpr, bits_aup_2014, iso_27001_2013_annex_a, csa_star, hitrust_less_than_10m_records, hitrust_over_60m_records, saq_a_ep, saq_c, saq_d_merchant, saq_d_service_provider, pcidss_31, swift, hitrust_domain, Windows, mainframe, linux, unix, virtual platform, configuration management, post-scoping, Configuration Management

## Question 22: Configuration Management

**Question:** For insecure services (such as HTTP, FTP, Telnet, specific SSL/TLS versions), provide details on what additional controls have been implemented to mitigate the risk of having that insecure service. You must use the attached template.

**ControlCase reference:** cc26

**Status:** No Evidence Uploaded

**Category:** pcidss_32, ei3pa, soc1, gdpr, bits_aup_2014, iso_27001_2013_annex_a, saq_a_ep, saq_c, saq_d_merchant, saq_d_service_provider, pcidss_31, swift, hitrust_domain, Firewall, Router, Switch, acs/radius, ids / ips, Windows, mainframe, linux, unix, virtual platform, database, Wireless Access Point / Wireless Device, Web Application Firewall, remote access technology / vpn device, payment applications / pci scope web and software applications, POS (Point Of Sale) Devices, atm / kiosk, configuration management, post-scoping, Configuration Management

## Question 23: Configuration Management

**Question:** Provide configuration scan (i.e. authenticated vulnerability scan) results that evidence secure configuration against hardening standards. OR, in the absence of a configuration scan, you may provide other evidence (for example: list of users, list of running services, patches, password policy, audit logging policy, NTP settings) that clearly outlines secure configuration against hardening standards. The attached template contains the sample.

**ControlCase reference:** cc28

**Status:** No Evidence Uploaded

**Category:** pcidss_32, ei3pa, soc1, nist_800_53, nist high, nist moderate, nist low, marse_2_0, sca, hitrust_10m_to_60m_records, sig_lite, gdpr, cms_ars_2_0, bits_aup_2014, iso_27001_2013_annex_a, csa_star, iso_27001_2013_stage_1, iso_27001_2013_stage_2, nist_800_171, hitrust_over_60m_records, saq_a_ep, saq_c, saq_d_merchant, saq_d_service_provider, pcidss_31, swift, hitrust_domain, Firewall, Router, Switch, ids / ips, Windows, mainframe, linux, unix, virtual platform, workstation / laptop, database, Wireless Access Point / Wireless Device, Web Application Firewall, payment applications / pci scope web and software applications, POS (Point Of Sale) Devices, atm / kiosk, configuration management, post-scoping, Configuration Management

## Question 24: Configuration Management

**Question:** For all system components in scope (servers, network devices, applications, databases, etc.) and POS devices, provide evidence of strong cryptography being implemented (SSH, TLS 1.2 or later, RDP over TLS etc.). You must use the attached template. In the case of early TLS or SSLv3, please provide the risk mitigation and migration plan.

**ControlCase reference:** cc29

**Response uploaded (evidences):** 1016::LPB_PCIDSS_Q.24_v1.0.zip

**Status:** Under Evaluation

**Category:** pcidss_32, hitrust_10m_to_60m_records, gdpr, iso_27001_2013_annex_a, iso_27001_2013_stage_1, iso_27001_2013_stage_2, nist_800_171, hitrust_less_than_10m_records, hitrust_over_60m_records, saq_a_ep, saq_b_ip, saq_c, saq_d_merchant, saq_d_service_provider, pcidss_31, swift, hitrust_domain, Firewall, Router, Switch, acs/radius, ids / ips, Windows, mainframe, linux, unix, virtual platform, database, Wireless Access Point / Wireless Device, Web Application Firewall, remote access technology / vpn device, payment applications / pci scope web and software applications, POS (Point Of Sale) Devices, atm / kiosk, configuration management, post-scoping, Configuration Management

## Question 25: Data Encryption at rest

**Question:** Provide the following for covered information:

- defined retention period for each component mentioned in the CHD matrix
- process for secure data deletion based on the retention period
- records that evidence the process was followed

The attached template contains the sample.

**ControlCase reference:** cc31

**Status:** No Evidence Uploaded

**Category:** pcidss_32, ei3pa, soc1, nist_800_53, nist high, nist moderate, nist low, marse_2_0, hitrust_10m_to_60m_records, sig_lite, gdpr, cms_ars_2_0, iso_27001_2013_annex_a, iso_27001_2013_main, privacy_shield, microsoft_sspa, csa_star, iso_27001_2013_stage_1, iso_27001_2013_stage_2, nist_800_171, nist_cybersecurity_framework, ffiec, hitrust_less_than_10m_records, hitrust_over_60m_records, saq_d_merchant, saq_d_service_provider, saq_p2pe, pcidss_31, hitrust_domain, Windows, mainframe, linux, unix, workstation / laptop, database, email server / mail filter device, Paper Documents with Card Data, POS (Point Of Sale) Devices, atm / kiosk, Media (tapes / External HDD / CD-DVD etc.), data encryption at rest, post-scoping, Data Encryption at rest

## Question 26: Data Encryption at rest

**Question:** Provide results that show all the applicable assets were searched for card data. These could be a combination of process interviews, manual reviews of logs/transaction files and automated scans, as long as they cover PAN, Track, CVV and PIN in all locations within the cardholder data environment (CDE) and outside the CDE. Provide sample application transaction, error, history and trace logs to check for sensitive authentication data. The attached template contains the sample.

**ControlCase reference:** cc32

**Status:** No Evidence Uploaded

**Category:** pcidss_32, ei3pa, gdpr, nist_cybersecurity_framework, ffiec, saq_a_ep, saq_b, saq_b_ip, saq_c, saq_d_merchant, saq_d_service_provider, saq_p2pe, pcidss_31, Windows, mainframe, linux, unix, workstation / laptop, database, email server / mail filter device, Paper Documents with Card Data, POS (Point Of Sale) Devices, atm / kiosk, Media (tapes / External HDD / CD-DVD etc.), data encryption at rest, post-scoping, Data Encryption at rest

## Question 27: Data Encryption at rest

**Question:** Provide the following for all physical media and applications:

- All screenshots where cardholder data is displayed
- Business justification where full PAN is displayed

You must use the attached template.

**ControlCase reference:** cc36

**Status:** No Evidence Uploaded

**Category:** pcidss_32, ei3pa, hitrust_10m_to_60m_records, gdpr, hitrust_over_60m_records, saq_b, saq_b_ip, saq_c, saq_d_merchant, saq_d_service_provider, pcidss_31, Paper Documents with Card Data, payment applications / pci scope web and software applications, POS (Point Of Sale) Devices, atm / kiosk, Media (tapes / External HDD / CD-DVD etc.), data encryption at rest, post-scoping, Data Encryption at rest

## Question 28: Data Encryption at rest

**Question:** Provide the following for all filesystems, databases and any backup media:

- Details on the method (encryption, hashing, truncation, tokenization) being used to protect covered information in storage
- Evidence (screenshots or settings) showing covered information is protected

For the encryption method, please share the evidence of its associated key management, and a description of the cryptographic architecture that includes:

1. Details of all algorithms, protocols, and keys used for the protection of cardholder data, including key strength and expiry date
2. Function of each key used in the cryptographic architecture
3. Inventory of any HSMs and other secure cryptographic devices (SCD) used for key management (to be provided in the inventory as part of Q4)

You must use the attached template.

**ControlCase reference:** cc37

**Status:** No Evidence Uploaded

**Category:** pcidss_32, ei3pa, soc1, soc2, nist_800_53, nist high, nist moderate, nist low, marse_2_0, sca, hipaa, hitrust_10m_to_60m_records, sig_lite, gdpr, cms_ars_2_0, bits_aup_2014, iso_27001_2013_annex_a, glba, privacy_shield, microsoft_sspa, csa_star, iso_27001_2013_stage_1, iso_27001_2013_stage_2, nist_800_171, nist_cybersecurity_framework, ffiec, hitrust_less_than_10m_records, hitrust_over_60m_records, saq_d_merchant, saq_d_service_provider, pcidss_31, swift, hitrust_domain, Windows, mainframe, linux, unix, workstation / laptop, database, email server / mail filter device, POS (Point Of Sale) Devices, atm / kiosk, Media (tapes / External HDD / CD-DVD etc.), data encryption at rest, post-scoping, Data Encryption at rest, soc2_post_scoping

Row 29, Ques No. 29
Topic: Data Encryption in transit
Question: Provide a list of locations where information is transmitted and/or received over open, public networks (e.g. Internet, wireless networks, GSM, GPRS, VSAT technology, etc.). For the locations identified, provide evidence of the trusted keys/certificates, secure configurations and encryption being used for transmission. Encryption must conform to strong industry standards. Provide sample transmission logs of sample transactions which highlight the encrypted data. If a private communication channel is used (such as MPLS, leased line, etc.), please share its configuration to confirm the same. For this requirement, you may use the attached methodology.
ControlCase Reference: cc44
Uploaded Evidences: 1017::LPB_PCIDSS_Q.29_v1.0.zip
Status: Under Evaluation
CC Comments: (none)
Category: pcidss_32, ei3pa, soc1, soc2, nist_800_53, nist high, nist moderate, nist low, marse_2_0, sca, hipaa, hitrust_10m_to_60m_records, sig_lite, gdpr, cms_ars_2_0, bits_aup_2014, iso_27001_2013_annex_a, glba, privacy_shield, microsoft_sspa, csa_star, iso_27001_2013_stage_1, iso_27001_2013_stage_2, nist_800_171, nist_cybersecurity_framework, ffiec, hitrust_less_than_10m_records, hitrust_over_60m_records, saq_a_ep, saq_b_ip, saq_c, saq_d_merchant, saq_d_service_provider, pcidss_31, swift, hitrust_domain, Firewall, Router, payment applications / pci scope web and software applications, POS (Point Of Sale) Devices, atm / kiosk, data encryption in transit, post-scoping, Data Encryption in transit, soc2_post_scoping

Row 30, Ques No. 30
Topic: Data Encryption in transit
Question: Provide evidence of encryption being used for transmission of in-scope data over messaging technologies such as email, chat, and SMS. Encryption must conform to strong industry standards. For this requirement, you may use the attached methodology.
ControlCase Reference: cc46
Uploaded Evidences: 1005::LPB_PCIDSS_Q.30_v1.0.zip
Status: Under Evaluation
CC Comments: (none)
Category: pcidss_32, ei3pa, soc1, soc2, sca, hipaa, hitrust_10m_to_60m_records, gdpr, iso_27001_2013_annex_a, glba, privacy_shield, iso_27001_2013_stage_1, iso_27001_2013_stage_2, nist_cybersecurity_framework, ffiec, hitrust_less_than_10m_records, hitrust_over_60m_records, saq_a_ep, saq_b, saq_b_ip, saq_c, saq_d_merchant, saq_d_service_provider, pcidss_31, hitrust_domain, email server / mail filter device, data encryption in transit, post-scoping, Data Encryption in transit, soc2_post_scoping

Row 31, Ques No. 31
Topic: Anti-Malware
Question: For the selected sample, provide evidence of antivirus software. Provide the following:
- Running in active mode
- Evidence confirming that antivirus is deployed on the in-scope servers and workstations (individual screenshot or extracted list)
- AV configuration evidence showing it is set to detect, remove, and protect against malicious software
- Antivirus version
- Signature version
- Evidence that users cannot disable or alter the antivirus settings
You must use the attached template.
ControlCase Reference: cc47
Uploaded Evidences: 998::LPB_PCIDSS_Q.31_v1.0.zip
Status: Under Evaluation
CC Comments: (none)
Category: pcidss_32, ei3pa, soc1, nist_800_53, nist high, nist moderate, nist low, marse_2_0, sca, hipaa, hitrust_10m_to_60m_records, sig_lite, cms_ars_2_0, bits_aup_2014, iso_27001_2013_annex_a, privacy_shield, microsoft_sspa, csa_star, iso_27001_2013_stage_1, iso_27001_2013_stage_2, nist_800_171, nist_cybersecurity_framework, ffiec, hitrust_less_than_10m_records, hitrust_over_60m_records, saq_a_ep, saq_b, saq_c, saq_d_merchant, saq_d_service_provider, pcidss_31, swift, hitrust_domain, Antivirus Solution, anti-malware, post-scoping, Anti-Malware

Row 32, Ques No. 32
Topic: Anti-Malware
Question: Provide an Antivirus Server Management Console screenshot that shows the following:
- Signature update frequency
- Periodic scan frequency
- Signature version
- Log generation is enabled, and logs are stored for three months online and a further nine months offline
You must use the attached template.
ControlCase Reference: cc50
Uploaded Evidences: 999::LPB_PCIDSS_Q.32_v1.0.rar
Status: Under Evaluation
CC Comments: (none)
Category: pcidss_32, ei3pa, soc1, soc2, nist_800_53, nist high, nist moderate, nist low, marse_2_0, sca, hipaa, hitrust_10m_to_60m_records, cms_ars_2_0, bits_aup_2014, iso_27001_2013_annex_a, privacy_shield, microsoft_sspa, iso_27001_2013_stage_1, iso_27001_2013_stage_2, nist_800_171, hitrust_less_than_10m_records, hitrust_over_60m_records, saq_a_ep, saq_c, saq_d_merchant, saq_d_service_provider, pcidss_31, swift, hitrust_domain, Windows, linux, workstation / laptop, Antivirus Solution, anti-malware, post-scoping, Anti-Malware, soc2_post_scoping

Row 33, Ques No. 33
Topic: Application Security
Question: Provide evidence of the reputable outside sources (e.g. security alerts or threat notifications) used to identify new security vulnerabilities. For the identified vulnerabilities, provide the risk ranking process. The attached template contains the sample.
ControlCase Reference: cc52
Uploaded Evidences: (none)
Status: No Evidence Uploaded
CC Comments: (none)
Category: pcidss_32, ei3pa, soc1, nist_800_53, nist high, nist moderate, nist low, marse_2_0, sca, sig_lite, cms_ars_2_0, bits_aup_2014, iso_27001_2013_annex_a, privacy_shield, csa_star, iso_27001_2013_stage_1, iso_27001_2013_stage_2, nist_800_171, nist_cybersecurity_framework, ffiec, saq_a_ep, saq_b_ip, saq_c, saq_d_merchant, saq_d_service_provider, pcidss_31, hitrust_domain, security, Firewall, Router, Switch, Windows, mainframe, linux, unix, virtual platform, workstation / laptop, database, ntp server, Wireless Access Point / Wireless Device, Web Application Firewall, remote access technology / vpn device, payment applications / pci scope web and software applications, POS (Point Of Sale) Devices, atm / kiosk, application security, post-scoping, Application Security

Row 34, Ques No. 34
Topic: Application Security
Question: Please wait until the assessor provides you with a sample after Phase I. For the selected sample, provide evidence of:
- Current patch levels
- Prompt deployment of patches
The attached template contains the sample.
ControlCase Reference: cc53
Uploaded Evidences: (none)
Status: No Evidence Uploaded
CC Comments: (none)
Category: pcidss_32, ei3pa, soc1, nist_800_53, nist high, nist moderate, nist low, marse_2_0, hitrust_10m_to_60m_records, sig_lite, cms_ars_2_0, bits_aup_2014, iso_27001_2013_annex_a, privacy_shield, microsoft_sspa, csa_star, iso_27001_2013_stage_1, iso_27001_2013_stage_2, nist_cybersecurity_framework, ffiec, hitrust_less_than_10m_records, hitrust_over_60m_records, saq_a, saq_a_ep, saq_b_ip, saq_c, saq_d_merchant, saq_d_service_provider, pcidss_31, swift, hitrust_domain, Firewall, Router, Switch, Windows, mainframe, linux, unix, virtual platform, workstation / laptop, database, ntp server, Wireless Access Point / Wireless Device, Web Application Firewall, remote access technology / vpn device, payment applications / pci scope web and software applications, POS (Point Of Sale) Devices, atm / kiosk, application security, post-scoping, Application Security

Row 35, Ques No. 35
Topic: Application Security
Question: Provide the secure software development policy/procedure adopted for the System Development Life Cycle, including the process adopted for developer configuration management, security testing, safeguarding the system during the development activity, and custom development activity. The attached template contains the sample.
ControlCase Reference: cc54
Uploaded Evidences: (none)
Status: No Evidence Uploaded
CC Comments: (none)
Category: pcidss_32, ei3pa, soc1, nist_800_53, nist high, nist moderate, marse_2_0, sca, hitrust_10m_to_60m_records, sig_lite, cms_ars_2_0, bits_aup_2014, iso_27001_2013_annex_a, microsoft_sspa, csa_star, iso_27001_2013_stage_1, iso_27001_2013_stage_2, nist_800_171, nist_cybersecurity_framework, ffiec, hitrust_less_than_10m_records, hitrust_over_60m_records, saq_b_ip, saq_d_merchant, saq_d_service_provider, pcidss_31, swift, hitrust_domain, payment applications / pci scope web and software applications, application security, post-scoping, Application Security

Row 36, Ques No. 37
Topic: Application Security
Question: Show that common security vulnerabilities are addressed in coding techniques (for example, the OWASP Guide, SANS CWE Top 25, CERT Secure Coding, etc.) by providing a recent code review report for internal/external application(s) that store, process, or transmit protected information. You must use the attached template.
ControlCase Reference: cc56
Uploaded Evidences: (none)
Status: No Evidence Uploaded
CC Comments: (none)
Category: pcidss_32, ei3pa, soc1, sca, hitrust_10m_to_60m_records, sig_lite, bits_aup_2014, csa_star, nist_cybersecurity_framework, ffiec, hitrust_over_60m_records, saq_d_merchant, saq_d_service_provider, pcidss_31, swift, hitrust_domain, payment applications / pci scope web and software applications, application security, post-scoping, Application Security

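Ques No. 37 asks for a code review report showing that injection and similar flaws are addressed in coding technique. As an added example (not part of the ControlCase questionnaire or of any client's evidence), the Python below puts an injectable query beside its parameterized fix and runs a tautology payload against both on an in-memory SQLite table, and adds the small AST-based check a reviewer can run over source to flag execute() calls whose SQL text is assembled with %, + or an f-string. The table contents, function names and the snippet being reviewed are all constructed for the example.

```python
# Added example, not part of the ControlCase questionnaire: an injectable query
# beside its parameterized fix, plus an AST check a code reviewer can run.
import ast
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample table; tokens stand in for card data."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE merchant (mid TEXT, name TEXT, token TEXT)")
    conn.executemany(
        "INSERT INTO merchant VALUES (?, ?, ?)",
        [("M001", "Alpha Stores", "tok_alpha"), ("M002", "Beta Cafe", "tok_beta")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, mid: str) -> list:
    # Before: caller input is spliced into the SQL text (injection, PCI DSS 6.5.1).
    sql = "SELECT mid, name, token FROM merchant WHERE mid = '%s'" % mid
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, mid: str) -> list:
    # After: the driver binds the value, so input can never alter the query shape.
    sql = "SELECT mid, name, token FROM merchant WHERE mid = ?"
    return conn.execute(sql, (mid,)).fetchall()


PAYLOAD = "x' OR '1'='1"  # tautology that widens the WHERE clause


def run_queries() -> dict:
    conn = make_db()
    return {
        "vulnerable_rows": len(lookup_vulnerable(conn, PAYLOAD)),
        "parameterized_rows": len(lookup_parameterized(conn, PAYLOAD)),
        "legit_rows": len(lookup_parameterized(conn, "M001")),
    }


def find_string_built_sql(source: str) -> list:
    """Line numbers of execute()/executemany() calls whose first argument is
    assembled with %, + or an f-string; a reviewer's heuristic, not a proof."""
    flagged = []
    for node in ast.walk(ast.parse(source)):
        if (isinstance(node, ast.Call)
                and isinstance(node.func, ast.Attribute)
                and node.func.attr in ("execute", "executemany")
                and node.args
                and isinstance(node.args[0], (ast.BinOp, ast.JoinedStr))):
            flagged.append(node.lineno)
    return flagged


# Constructed snippet for the reviewer check (lines 3 and 6 are the flaws).
SNIPPET = '''
def bad(conn, mid):
    return conn.execute("SELECT * FROM merchant WHERE mid = '%s'" % mid)

def also_bad(conn, mid):
    return conn.execute(f"SELECT * FROM merchant WHERE mid = '{mid}'")

def good(conn, mid):
    return conn.execute("SELECT * FROM merchant WHERE mid = ?", (mid,))
'''

if __name__ == "__main__":
    print(run_queries())                   # {'vulnerable_rows': 2, 'parameterized_rows': 0, 'legit_rows': 1}
    print(find_string_built_sql(SNIPPET))  # [3, 6]
```

The payload returns every merchant row through the vulnerable function and nothing through the parameterized one, which is the before/after pair a code review report should show; the AST check is the kind of repeatable evidence that a review actually looked for the pattern rather than relying on a checklist.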
Row 37, Ques No. 38
Topic: Application Security
Question: Provide evidence showing that higher environments (i.e. production) and lower environments (such as test/development) are logically separated. You must use the attached template.
ControlCase Reference: cc57
Uploaded Evidences: 955::LPB_PCI_Question_38.zip
Status: Incomplete Information
CC Comments: Can be reviewed only when scoping is given.
Category: pcidss_32, ei3pa, soc1, soc2, hitrust_10m_to_60m_records, sig_lite, iso_27001_2013_annex_a, csa_star, iso_27001_2013_stage_1, iso_27001_2013_stage_2, nist_cybersecurity_framework, ffiec, hitrust_less_than_10m_records, hitrust_over_60m_records, saq_d_merchant, saq_d_service_provider, pcidss_31, swift, hitrust_domain, Firewall, Switch, application security, post-scoping, Application Security, soc2_post_scoping

Row 38, Ques No. 39
Topic: Application Security
Question: Provide evidence that shows the separation of duties between users having access to higher (production) and lower (test/development) environments. You must use the attached template.
ControlCase Reference: cc58
Uploaded Evidences: (none)
Status: No Evidence Uploaded
CC Comments: (none)
Category: pcidss_32, ei3pa, soc1, hitrust_10m_to_60m_records, iso_27001_2013_annex_a, csa_star, hitrust_less_than_10m_records, hitrust_over_60m_records, saq_d_merchant, saq_d_service_provider, pcidss_31, swift, hitrust_domain, payment applications / pci scope web and software applications, application security, post-scoping, Application Security

Row 39, Ques No. 40
Topic: Application Security
Question: Provide evidence that outlines:
- the process for generating test data to be used in lower (test/development) environments
- the process for removing test data and test accounts before moving the system to the higher (production) environment
The attached template contains the sample.
ControlCase Reference: cc59
Uploaded Evidences: (none)
Status: No Evidence Uploaded
CC Comments: (none)
Category: pcidss_32, ei3pa, soc1, nist_800_53, sca, sig_lite, iso_27001_2013_annex_a, microsoft_sspa, csa_star, iso_27001_2013_stage_1, iso_27001_2013_stage_2, saq_d_merchant, saq_d_service_provider, pcidss_31, swift, hitrust_domain, payment applications / pci scope web and software applications, application security, post-scoping, Application Security

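Ques No. 40 concerns how test data is generated for lower environments and removed before promotion. As an added example (not from the questionnaire and not any client's procedure), the Python below covers the two checks a practitioner would automate for it: generating Luhn-valid synthetic numbers so fixtures never need a production PAN, and scanning a fixture before release for anything that looks like a live PAN, tolerating only a sanctioned set of public test numbers. The fixture contents, the allowlist and the function names are constructed for the example.

```python
# Added example, not part of the questionnaire: synthetic Luhn-valid test
# numbers for lower environments, and a pre-promotion scan for live-looking PANs.
import random
import re

# 13-19 digits, optionally separated by single spaces or hyphens, not inside a longer digit run
_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Public, non-live test numbers a fixture is allowed to contain (assumed allowlist).
ALLOWED_TEST_PANS = {"4111111111111111"}


def luhn_valid(digits: str) -> bool:
    """Luhn (mod 10) check over a digit string; every second digit from the right is doubled."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pan_candidates(text: str) -> list:
    """Digit strings in text that are 13-19 digits long and Luhn-valid."""
    hits = []
    for m in _CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            hits.append(digits)
    return hits


def prod_pan_suspects(text: str) -> list:
    """Candidates that are not on the sanctioned test-number allowlist."""
    return [p for p in find_pan_candidates(text) if p not in ALLOWED_TEST_PANS]


def synthetic_test_pan(prefix: str = "4", length: int = 16, seed: int = None) -> str:
    """Random Luhn-valid number for test fixtures; never derived from a production PAN."""
    rng = random.Random(seed)
    body = prefix + "".join(str(rng.randrange(10)) for _ in range(length - len(prefix) - 1))
    for check in range(10):                 # exactly one check digit satisfies Luhn
        if luhn_valid(body + str(check)):
            return body + str(check)
    raise AssertionError("unreachable")


# Constructed fixture: one sanctioned test number, one masked value, one value
# copied from a production export, and one digit string that fails Luhn.
FIXTURE = """\
customer_id,card_display,notes
1001,4111 1111 1111 1111,seeded test record
1002,**** **** **** 4242,masked display value
1003,5105105105105100,copied from prod export
1004,1234567812345678,random digits
"""

if __name__ == "__main__":
    print(find_pan_candidates(FIXTURE))   # ['4111111111111111', '5105105105105100']
    print(prod_pan_suspects(FIXTURE))     # ['5105105105105100']
    print(synthetic_test_pan(seed=7))
```

Luhn validity is a necessary filter, not a proof that a number is live; the allowlist is what separates a sanctioned test value from a record copied out of production, so keep it short and reviewed, and run the scan against fixtures, seed scripts and exported dumps before anything is promoted.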
Row 40, Ques No. 41
Topic: Application Security
Question: Provide the following types of sample change requests from within the last 12 months:
- 2 sample software modifications
- 2 security patch implementations
- A minimum of one significant system change
Also, ensure the following information at a minimum is included in the change records:
- Change description and date
- Change approver information
- Change impact information
- Change testing details
- Change back-out plan
For a significant change, show how impacted compliance requirements were checked, including but not limited to:
1. Network diagram is updated to reflect changes.
2. Systems are configured per configuration standards, with all default passwords changed and unnecessary services disabled.
3. Systems are protected with required controls, e.g. file-integrity monitoring (FIM), antivirus, patches, audit logging.
4. In-scope data to be protected (e.g. cardholder data, PII, classified information, etc.) is documented and incorporated into data-retention policy and procedures.
5. New systems are included in the quarterly vulnerability scanning process.
You must use the attached template.
ControlCase Reference: cc60
Uploaded Evidences: 993::LPB_PCIDSS_Q.41_v1.0.zip
Status: Under Evaluation
CC Comments: (none)
Category: pcidss_32, ei3pa, soc1, nist_800_53, nist high, nist moderate, nist low, marse_2_0, sca, hitrust_10m_to_60m_records, sig_lite, cms_ars_2_0, bits_aup_2014, iso_27001_2013_annex_a, glba, iso_27001_2013_stage_1, iso_27001_2013_stage_2, nist_800_171, hitrust_less_than_10m_records, hitrust_over_60m_records, saq_a_ep, saq_c, saq_d_merchant, saq_d_service_provider, pcidss_31, swift, hitrust_domain, Windows, mainframe, linux, unix, virtual platform, payment applications / pci scope web and software applications, application security, post-scoping, Application Security

Row 41, Ques No. 42
Topic: Application Security
Question: Provide the following from a secure code training perspective:
- Material used for training
- Evidence that all developers are included in the attendee list
You must use the attached template.
ControlCase Reference: cc61
Uploaded Evidences: (none)
Status: No Evidence Uploaded
CC Comments: (none)
Category: pcidss_32, ei3pa, soc1, nist_800_53, nist high, marse_2_0, sca, hitrust_10m_to_60m_records, cms_ars_2_0, bits_aup_2014, iso_27001_2013_annex_a, hitrust_over_60m_records, saq_a_ep, saq_c, saq_d_merchant, saq_d_service_provider, pcidss_31, swift, hitrust_domain, payment applications / pci scope web and software applications, application security, post-scoping, Application Security

Row 42, Ques No. 43
Topic: Application Security
Question: (Optional) Provide evidence that a web application firewall is in place to protect against well-known web-based vulnerabilities (such as those listed by OWASP). You must use the attached template.
ControlCase Reference: cc62
Uploaded Evidences: (none)
Status: No Evidence Uploaded
CC Comments: (none)
Category: pcidss_32, ei3pa, soc1, sca, hitrust_10m_to_60m_records, bits_aup_2014, nist_cybersecurity_framework, ffiec, hitrust_over_60m_records, saq_a_ep, saq_d_merchant, saq_d_service_provider, pcidss_31, swift, hitrust_domain, security, Web Application Firewall, payment applications / pci scope web and software applications, application security, post-scoping, Application Security

Row 43, Ques No. 44
Topic: Logical Access
Question: Provide the organizational access control policy. You must use the attached template.
ControlCase Reference: cc63
Uploaded Evidences: 989::LPB_PCIDSS_Q.44_v1.0.zip
Status: Under Evaluation
CC Comments: (none)
Category: pcidss_32, ei3pa, soc1, nist_800_53, nist high, nist moderate, nist low, marse_2_0, hipaa, hitrust_10m_to_60m_records, sig_lite, gdpr, cms_ars_2_0, iso_27001_2013_annex_a, glba, privacy_shield, csa_star, nist_800_171, nist_cybersecurity_framework, ffiec, hitrust_less_than_10m_records, hitrust_over_60m_records, saq_a_ep, saq_b, saq_b_ip, saq_c, saq_d_merchant, saq_d_service_provider, pcidss_31, swift, hitrust_domain, logical access, post-scoping, Logical Access

Row 44, Ques No. 45
Topic: Logical Access
Question: For the selected sample, please provide:
- Screenshot of the list of users
- Access permissions for those users (user access matrix)
- Business justification for the level of access permission
The attached template contains the sample.
ControlCase Reference: cc64
Uploaded Evidences: 995::LPB_PCIDSS_Q.45_v1.0.zip
Status: Under Evaluation
CC Comments: (none)
Category: pcidss_32, ei3pa, soc1, nist_800_53, nist high, nist moderate, nist low, marse_2_0, hipaa, hitrust_10m_to_60m_records, sig_lite, gdpr, cms_ars_2_0, iso_27001_2013_annex_a, glba, privacy_shield, microsoft_sspa, iso_27001_2013_stage_1, iso_27001_2013_stage_2, nist_800_171, nist_cybersecurity_framework, ffiec, hitrust_less_than_10m_records, hitrust_over_60m_records, saq_a_ep, saq_b, saq_b_ip, saq_c, saq_d_merchant, saq_d_service_provider, pcidss_31, swift, hitrust_domain, Firewall, Router, Switch, acs/radius, Windows, mainframe, linux, unix, database, logical access, post-scoping, Logical Access

Row 45, Ques No. 46
Topic: Logical Access
Question: Provide two forms/tickets per platform (one for a general user and one for an administrative user) from the last six months for:
- User access creation
- User access deletion
- User access modification
The attached template contains the sample.
ControlCase Reference: cc65
Uploaded Evidences: 970::LPB_PCIDSS_Question_46_ver1.0.zip
Status: Incomplete Information
CC Comments: The form is fine, but this is one form for account creation of a normal user; please provide a total of 6 forms (3 for privileged accounts, 3 for normal accounts) for creation, deletion and modification activities.
Category: pcidss_32, ei3pa, soc1, nist_800_53, nist high, nist moderate, nist low, marse_2_0, sca, hipaa, hitrust_10m_to_60m_records, sig_lite, cms_ars_2_0, bits_aup_2014, iso_27001_2013_annex_a, glba, microsoft_sspa, csa_star, iso_27001_2013_stage_1, iso_27001_2013_stage_2, nist_800_171, hitrust_less_than_10m_records, hitrust_over_60m_records, saq_a_ep, saq_c, saq_d_merchant, saq_d_service_provider, pcidss_31, swift, hitrust_domain, Firewall, Router, Switch, acs/radius, Windows, mainframe, linux, unix, database, email server / mail filter device, payment applications / pci scope web and software applications, logical access, post-scoping, Logical Access

Row 46, Ques No. 47
Topic: Logical Access
Question: For the sample provided by the assessor, provide user termination forms/tickets (at least three) that evidence timely removal of logical and physical access upon termination of an employee or contractor. The attached template is provided as a sample.
ControlCase Reference: cc66
Uploaded Evidences: 985::LPB_PCIDSS_Question_47_ver1.0.zip
Status: Under Evaluation
CC Comments: (none)
Category: pcidss_32, ei3pa, soc1, nist_800_53, nist high, nist moderate, nist low, marse_2_0, sca, hipaa, hitrust_10m_to_60m_records, sig_lite, cms_ars_2_0, bits_aup_2014, iso_27001_2013_annex_a, glba, privacy_shield, microsoft_sspa, csa_star, iso_27001_2013_stage_1, iso_27001_2013_stage_2, nist_800_171, hitrust_less_than_10m_records, hitrust_over_60m_records, saq_a, saq_a_ep, saq_d_merchant, saq_d_service_provider, pcidss_31, swift, hitrust_domain, Firewall, Router, Switch, acs/radius, Windows, mainframe, linux, unix, database, email server / mail filter device, payment applications / pci scope web and software applications, logical access, post-scoping, Logical Access

Row 47, Ques No. 48
Topic: Logical Access
Question: Provide procedures that outline the process for monitoring users inactive for 90 days on all platforms in scope. Also, provide reports or screenshots from one sample per platform showing that users inactive for 90 days are either disabled or removed. The attached template contains the sample.
ControlCase Reference: cc67
Uploaded Evidences: 1018::LPB_PCIDSS_Q.48_v1.0.zip
Status: Under Evaluation
CC Comments: (none)
Category: pcidss_32, ei3pa, soc1, sca, hipaa, bits_aup_2014, iso_27001_2013_annex_a, glba, iso_27001_2013_stage_1, iso_27001_2013_stage_2, nist_800_171, saq_a_ep, saq_d_merchant, saq_d_service_provider, pcidss_31, swift, hitrust_domain, Firewall, Router, Switch, acs/radius, Windows, mainframe, linux, unix, database, payment applications / pci scope web and software applications, logical access, post-scoping, Logical Access

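Ques No. 48 asks for evidence that accounts inactive for 90 days are disabled or removed. As an added example (not the questionnaire's or any vendor's code), the Python below runs that check over a constructed account export. Two details matter in practice and are handled here: an account that has never logged in is measured from its creation date, so a provisioned-and-forgotten account still surfaces, and accounts already disabled are skipped because they are the compliant end state. The export layout, column names and run_check() are assumptions for the example; on a real host the same fields come from lastlog on Linux or Get-ADUser -Properties LastLogonDate on Windows.

```python
# Added example, not part of the questionnaire: a 90-day inactivity check over
# a constructed account export (username, last_login, created, status).
from datetime import date, timedelta

INACTIVITY_LIMIT = timedelta(days=90)

# Constructed export; "never" means the account has no recorded login.
EXPORT = """\
alice,2024-05-20,2021-01-04,enabled
bob,2024-01-02,2020-06-15,enabled
carol,never,2023-11-01,enabled
dave,never,2024-05-25,enabled
erin,2023-12-30,2019-03-03,disabled
svc_backup,2024-06-01,2020-01-01,enabled
"""


def parse_export(text: str) -> list:
    """One dict per non-empty line; dates parsed, 'never' kept as None."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        user, last, created, status = (f.strip() for f in line.split(","))
        rows.append({
            "user": user,
            "last_login": None if last == "never" else date.fromisoformat(last),
            "created": date.fromisoformat(created),
            "status": status,
        })
    return rows


def inactive_accounts(rows: list, today: date) -> list:
    """(user, idle_days) for enabled accounts idle for more than the limit.

    A never-used account is measured from its creation date. Accounts already
    disabled are skipped. Exactly 90 days is not flagged here; change the
    comparison to >= if policy counts the boundary day as a finding.
    """
    findings = []
    for r in rows:
        if r["status"] != "enabled":
            continue
        last_activity = r["last_login"] or r["created"]
        idle = today - last_activity
        if idle > INACTIVITY_LIMIT:
            findings.append((r["user"], idle.days))
    return findings


def run_check(today_iso: str, export: str = EXPORT) -> list:
    """Convenience wrapper: parse the export and evaluate it as of the given date."""
    return inactive_accounts(parse_export(export), date.fromisoformat(today_iso))


if __name__ == "__main__":
    print(run_check("2024-06-10"))   # [('bob', 160), ('carol', 222)]
    print(run_check("2024-04-01"))   # [('carol', 152)]  bob is at exactly 90 days
```

The output of run_check() against a real export is the report the question asks for; pairing it with the ticket that disabled each listed account is what turns a list into evidence.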
Row 48, Ques No. 49
Topic: Logical Access
Question: Provide an inventory of all entities (including vendors and third parties) that have remote access to your organization, and identify the remote access methods. For each vendor, please provide:
- Procedure for providing access only when needed
- Access activity monitoring reports
ControlCase Reference: cc68
Uploaded Evidences: 956::LPB_PCI_Question_49_54.zip; 983::LPB_PCIDSS_Question_49_ver1.1.zip
Status: Under Evaluation
CC Comments: Missing remote access method in inventory. Please update evidences for:
- Procedure for providing access only when needed
- Access activity monitoring reports
Category: pcidss_32, ei3pa, soc1, nist_800_53, nist high, nist moderate, nist low, marse_2_0, sca, hipaa, hitrust_10m_to_60m_records, sig_lite, cms_ars_2_0, iso_27001_2013_annex_a, glba, privacy_shield, nist_cybersecurity_framework, ffiec, hitrust_less_than_10m_records, hitrust_over_60m_records, saq_a_ep, saq_b_ip, saq_c, saq_d_merchant, saq_d_service_provider, pcidss_31, swift, hitrust_domain, remote access technology / vpn device, logical access, post-scoping, Logical Access

Row 49, Ques No. 50
Topic: Logical Access
Question: For all assets identified in the sample selected by the assessor, provide evidence of logical access account and password features, including:
- Account lockout policy
- Account lockout duration
- Session timeout policy
- Password length
- Password complexity
- Password history
- Password expiry
You must use the attached template.
ControlCase Reference: cc69
Uploaded Evidences: 1010::LPB_PCIDSS_Q.50_v1.0.zip
Status: Under Evaluation
CC Comments: (none)
Category: pcidss_32, ei3pa, soc1, soc2, nist_800_53, nist high, nist moderate, nist low, marse_2_0, sca, hipaa, hitrust_10m_to_60m_records, sig_lite, cms_ars_2_0, bits_aup_2014, iso_27001_2013_annex_a, glba, privacy_shield, iso_27001_2013_stage_1, iso_27001_2013_stage_2, nist_800_171, nist_cybersecurity_framework, ffiec, hitrust_less_than_10m_records, hitrust_over_60m_records, saq_a, saq_a_ep, saq_b_ip, saq_c, saq_d_merchant, saq_d_service_provider, pcidss_31, swift, hitrust_domain, Firewall, Router, Switch, acs/radius, ids / ips, Windows, mainframe, linux, unix, virtual platform, workstation / laptop, database, syslog / siem, Wireless Access Point / Wireless Device, Web Application Firewall, remote access technology / vpn device, payment applications / pci scope web and software applications, POS (Point Of Sale) Devices, atm / kiosk, logical access, post-scoping, Logical Access, soc2_sample_selection, soc2_post_scoping

Row 50, Ques No. 51
Topic: Logical Access
Question: For the sample, provide evidence that strong cryptography is applied to passwords during transmission and storage (for the platform and/or consumer applications). You must use the attached template.
ControlCase Reference: cc72
Uploaded Evidences: 1001::LPB_PCIDSS_Q.51_v1.0.zip
Status: Under Evaluation
CC Comments: (none)
Category: pcidss_32, ei3pa, soc1, nist_800_53, nist high, nist moderate, nist low, marse_2_0, hipaa, hitrust_10m_to_60m_records, cms_ars_2_0, bits_aup_2014, iso_27001_2013_annex_a, glba, privacy_shield, iso_27001_2013_stage_1, iso_27001_2013_stage_2, nist_800_171, hitrust_less_than_10m_records, hitrust_over_60m_records, saq_a_ep, saq_b_ip, saq_c, saq_d_merchant, saq_d_service_provider, pcidss_31, swift, hitrust_domain, Firewall, Router, Switch, acs/radius, ids / ips, Windows, mainframe, linux, unix, virtual platform, database, Wireless Access Point / Wireless Device, Web Application Firewall, remote access technology / vpn device, payment applications / pci scope web and software applications, logical access, post-scoping, Logical Access

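Ques No. 51 is often answered with the word "encryption", but what an assessor expects for passwords at rest is a salted, slow, one-way hash: PCI DSS 8.2.1 asks that credentials be rendered unreadable, and reversibly encrypting them leaves a key that can recover every password. As an added example (not from the questionnaire and not any client's implementation), the Python below hashes and verifies passwords with the standard library's PBKDF2-HMAC-SHA256, then audits a constructed user table for the stored forms an assessor would reject: an unsalted fast digest, plaintext, and a work factor below policy. The iteration count, storage format and table contents are assumptions for the example; Argon2id or scrypt are preferable where the platform provides them.

```python
# Added example, not part of the questionnaire: salted slow hashing for stored
# passwords, plus an audit of a constructed user table for forms an assessor
# would reject. Storage format and work factor are assumptions for the example.
import hashlib
import hmac
import os
import re

ITERATIONS = 600_000          # PBKDF2-HMAC-SHA256 work factor; raise as hardware allows
SALT_BYTES = 16
_HEX = re.compile(r"^[0-9a-f]+$")


def hash_password(password: str, salt: bytes = None, iterations: int = ITERATIONS) -> str:
    """Return 'pbkdf2_sha256$<iterations>$<salt hex>$<derived key hex>'."""
    salt = salt or os.urandom(SALT_BYTES)           # unique per password, never a shared constant
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and parameters; compare in constant time."""
    try:
        scheme, iterations, salt_hex, dk_hex = stored.split("$")
    except ValueError:
        return False
    if scheme != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


def classify_stored_value(value: str) -> str:
    """'ok' for a compliant record, otherwise the reason an assessor would raise."""
    if value.startswith("pbkdf2_sha256$"):
        iters = int(value.split("$")[1])
        if iters < ITERATIONS:
            return f"iteration count {iters} below policy minimum {ITERATIONS}"
        return "ok"
    if _HEX.match(value):
        name = {32: "MD5", 40: "SHA-1", 64: "SHA-256"}.get(len(value))
        if name:
            return f"unsalted {name}-length digest"
    return "not a recognised hash: plaintext or reversible encryption"


def audit_user_table(table: dict) -> list:
    """(user, issue) for every record that is not 'ok'."""
    return [(u, issue) for u, v in table.items()
            if (issue := classify_stored_value(v)) != "ok"]


def build_user_table() -> dict:
    """Constructed records: compliant, unsalted MD5, plaintext, weak work factor."""
    return {
        "alice": hash_password("correct horse battery staple"),
        "bob": "5f4dcc3b5aa765d61d8327deb882cf99",
        "carol": "Summer2024!",
        "dave": hash_password("hunter2", iterations=1000),
    }


if __name__ == "__main__":
    for user, issue in audit_user_table(build_user_table()):
        print(user, "->", issue)
```

For the transmission half of the question the same evidence is TLS on the login path; for the storage half, a screenshot of the hash format and work factor in use, or the output of a check like the one above over an export, is what demonstrates "unreadable" rather than merely "encrypted".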
Row 51, Ques No. 52
Topic: Logical Access
Question: Provide one sample per platform of recent password reset requests/forms for users. You must use the attached template.
ControlCase Reference: cc73
Uploaded Evidences: 971::LPB_PCIDSS_Question_52_ver1.0.zip
Status: Incomplete Information
CC Comments: Will review when scoping is finalized.
Category: pcidss_32, ei3pa, soc1, hitrust_10m_to_60m_records, iso_27001_2013_annex_a, glba, iso_27001_2013_stage_1, iso_27001_2013_stage_2, hitrust_less_than_10m_records, hitrust_over_60m_records, saq_a_ep, saq_c, saq_d_merchant, saq_d_service_provider, pcidss_31, swift, hitrust_domain, logical access, post-scoping, Logical Access

Row 52, Ques No. 53
Topic: Logical Access
Question: Provide documented procedures for password change during new user creation or on a password reset, for all platforms in scope. For one sample per platform, provide a screenshot of the setting which forces the user to change the password after the first logon. The attached template contains the sample.
ControlCase Reference: cc77
Uploaded Evidences: 972::LPB_PCIDSS_Question_53_ver1.0.zip
Status: Incomplete Information
CC Comments: Will review when scoping is finalized.
Category: pcidss_32, ei3pa, soc1, hipaa, hitrust_10m_to_60m_records, bits_aup_2014, iso_27001_2013_annex_a, glba, iso_27001_2013_stage_1, iso_27001_2013_stage_2, nist_800_171, hitrust_less_than_10m_records, hitrust_over_60m_records, saq_a_ep, saq_c, saq_d_merchant, saq_d_service_provider, pcidss_31, swift, hitrust_domain, Firewall, Router, Switch, acs/radius, ids / ips, Windows, mainframe, linux, unix, virtual platform, workstation / laptop, database, syslog / siem, Wireless Access Point / Wireless Device, Web Application Firewall, remote access technology / vpn device, payment applications / pci scope web and software applications, POS (Point Of Sale) Devices, atm / kiosk, logical access, post-scoping, Logical Access

Row 53, Ques No. 54
Topic: Logical Access
Question: Provide the following related to remote access:
- Procedure that outlines the process of granting remote access, together with a description of the multi-factor authentication technology used
- List of internal and external users with remote access
You may use the attached template, or provide the data in an alternative format.
ControlCase Reference: cc78
Uploaded Evidences: 957::LPB_PCI_Question_49_54.zip; 981::LPB_PCIDSS_Question_54_ver1.1.zip
Status: Under Evaluation
CC Comments: Please update evidences as per the requirement:
- Procedure that outlines the process of granting remote access as well as the description of the multi-factor authentication technology used
- List of internal and external users with remote access
Category: pcidss_32, ei3pa, soc1, soc2, nist_800_53, nist high, nist moderate, nist low, marse_2_0, hipaa, hitrust_10m_to_60m_records, cms_ars_2_0, bits_aup_2014, glba, nist_800_171, nist_cybersecurity_framework, ffiec, hitrust_less_than_10m_records, hitrust_over_60m_records, saq_a_ep, saq_b_ip, saq_c, saq_d_merchant, saq_d_service_provider, pcidss_31, swift, hitrust_domain, remote access technology / vpn device, logical access, post-scoping, Logical Access, soc2_post_scoping

#: 54 | Ques No.: 55 | Topic: Logical Access | ControlCase Reference: cc79
Question: This question is applicable only to service providers with remote access to multiple customers. Provide user list for up to (but not exceeding) 3 customers to prove unique credentials are being used per customer. The attached template contains the sample. Please click on this link to view additional files to assist you with this question. It may contain templates, scripts or other additional files. Once you have gathered the information we requested, please upload it by clicking the "Upload Files" button below or by "Dragging and Dropping" the files below.
Status: No Evidence Uploaded
Category: ,pcidss_32,soc1,sca,glba,nist_cybersecurity_framework,ffiec,saq_a_ep,saq_c,saq_d_service_provider,pcidss_31,swift,hitrust_domain,,remote access technology / vpn device,logical access,post-scoping,Logical Access,

#: 55 | Ques No.: 56 | Topic: Logical Access | ControlCase Reference: cc80
Question: If other authentication mechanisms are used apart from normal passwords (for example, physical or logical security tokens, smart cards, certificates, etc.) then provide the list of users and the authentication method assigned to an individual account. The attached template contains the sample. Please click on this link to view additional files to assist you with this question. It may contain templates, scripts or other additional files. Once you have gathered the information we requested, please upload it by clicking the "Upload Files" button below or by "Dragging and Dropping" the files below.
Status: No Evidence Uploaded
Category: pcidss_32,ei3pa,soc1,soc2,nist_800_53,nist high,nist moderate,nist low,marse_2_0,sca,hipaa,hitrust_10m_to_60m_records,sig_lite,cms_ars_2_0,iso_27001_2013_annex_a,glba,microsoft_sspa,iso_27001_2013_stage_1,iso_27001_2013_stage_2,hitrust_less_than_10m_records,hitrust_over_60m_records,saq_a_ep,saq_c,saq_d_merchant,saq_d_service_provider,pcidss_31,hitrust_domain,Firewall,Router,Switch,acs/radius,ids / ips,Windows,mainframe,linux,unix,virtual platform,workstation / laptop,database,remote access technology / vpn device,payment applications / pci scope web and software applications,logical access,post-scoping,Logical Access,soc2_post_scoping

#: 56 | Ques No.: 57 | Topic: Logical Access | ControlCase Reference: cc81
Question: For the provided sample provide the output screenshot of current active connections. You must use the attached template. Please click on this link to view additional files to assist you with this question. It may contain templates, scripts or other additional files. Once you have gathered the information we requested, please upload it by clicking the "Upload Files" button below or by "Dragging and Dropping" the files below.
Response Uploaded Evidences: 1004::LPB_PCIDSS_Q.57_v1.0.zip
Status: Under Evaluation
Category: ,pcidss_32,ei3pa,soc1,nist_800_53,nist high,marse_2_0,hipaa,cms_ars_2_0,saq_d_merchant,saq_d_service_provider,pcidss_31,,database,payment applications / pci scope web and software applications,logical access,post-scoping,Logical Access,

#: 57 | Ques No.: 58 | Topic: Physical Security | ControlCase Reference: cc82
Question: Provide the following for all physical locations in scope: - Sample records from physical access control system (such as a badge system) and/or video cameras showing 90 days of retention - List of users created on access control system (such as a badge system) for administrative access. You must use the attached template. Please click on this link to view additional files to assist you with this question. It may contain templates, scripts or other additional files. Once you have gathered the information we requested, please upload it by clicking the "Upload Files" button below or by "Dragging and Dropping" the files below.
Response Uploaded Evidences: 1006::LPB_PCIDSS_Q.58_v1.0.zip
Status: Under Evaluation
Category: pcidss_32,ei3pa,soc1,soc2,nist_800_53,nist high,nist moderate,nist low,marse_2_0,sca,hipaa,hitrust_10m_to_60m_records,cms_ars_2_0,bits_aup_2014,iso_27001_2013_annex_a,glba,privacy_shield,microsoft_sspa,csa_star,iso_27001_2013_stage_1,iso_27001_2013_stage_2,nist_800_171,nist_cybersecurity_framework,ffiec,hitrust_less_than_10m_records,hitrust_over_60m_records,saq_a_ep,saq_c,saq_d_merchant,saq_d_service_provider,pcidss_31,swift,hitrust_domain,physical security,post-scoping,Physical Security,soc2_post_scoping

#: 58 | Ques No.: 59 | Topic: Physical Security | ControlCase Reference: cc84
Question: Provide two samples of user access creation and deletion forms/tickets from the last six months that evidence, - physical access allocation to the sensitive area is authorized and as per individual's job function. - timely removal of physical access upon termination of user. The attached template contains the sample. Please click on this link to view additional files to assist you with this question. It may contain templates, scripts or other additional files. Once you have gathered the information we requested, please upload it by clicking the "Upload Files" button below or by "Dragging and Dropping" the files below.
Response Uploaded Evidences: 958::LPB_PCI_Question_59.zip
Status: Incomplete Information
CC Comments: Please provide sample for revoking physical access right form
Category: ,pcidss_32,ei3pa,soc1,nist_800_53,nist high,nist moderate,nist low,marse_2_0,sca,hipaa,hitrust_10m_to_60m_records,cms_ars_2_0,bits_aup_2014,iso_27001_2013_annex_a,glba,privacy_shield,csa_star,iso_27001_2013_stage_1,iso_27001_2013_stage_2,nist_800_171,nist_cybersecurity_framework,ffiec,hitrust_over_60m_records,saq_d_merchant,saq_d_service_provider,pcidss_31,swift,hitrust_domain,,physical security,post-scoping,Physical Security,

#: 59 | Ques No.: 60 | Topic: Physical Security | ControlCase Reference: cc85
Question: Provide sample records or scanned copies of visitor log (for a 90 day period) for the facility/network rooms/data centers that contain: - The visitor's name - The date and time - The firm represented, and - The onsite personnel authorizing physical access. The attached template contains the sample. Please click on this link to view additional files to assist you with this question. It may contain templates, scripts or other additional files. Once you have gathered the information we requested, please upload it by clicking the "Upload Files" button below or by "Dragging and Dropping" the files below.
Response Uploaded Evidences: 959::LPB_PCI_Question_60.zip
Status: Incomplete Information
CC Comments: Will review when location and facility scope is finalized
Category: ,pcidss_32,ei3pa,soc1,nist_800_53,nist high,nist moderate,nist low,marse_2_0,hipaa,hitrust_10m_to_60m_records,cms_ars_2_0,bits_aup_2014,iso_27001_2013_annex_a,glba,privacy_shield,csa_star,iso_27001_2013_stage_1,iso_27001_2013_stage_2,hitrust_less_than_10m_records,hitrust_over_60m_records,saq_d_merchant,saq_d_service_provider,pcidss_31,hitrust_domain,,physical security,post-scoping,Physical Security,

#: 60 | Ques No.: 61 | Topic: Physical Security | ControlCase Reference: cc86
Question: Provide a procedure that outlines the following, - visitors can be distinguished from onsite personnel (employees) - visitors are escorted during access to sensitive areas - visitor badges are returned upon departure. Please click on this link to view additional files to assist you with this question. It may contain templates, scripts or other additional files. Once you have gathered the information we requested, please upload it by clicking the "Upload Files" button below or by "Dragging and Dropping" the files below.
Status: No Evidence Uploaded
Category: ,pcidss_32,ei3pa,soc1,sca,hipaa,hitrust_10m_to_60m_records,sig_lite,bits_aup_2014,iso_27001_2013_annex_a,glba,privacy_shield,iso_27001_2013_stage_1,iso_27001_2013_stage_2,nist_800_171,hitrust_less_than_10m_records,hitrust_over_60m_records,saq_d_merchant,saq_d_service_provider,pcidss_31,hitrust_domain,,physical security,post-scoping,Physical Security,

#: 61 | Ques No.: 62 | Topic: Physical Security | ControlCase Reference: cc87
Question: This question is applicable only if physical media is used for backups of covered information and stored offsite. Provide the procedure which mentions the controls for physically securing the cardholder data. Provide evidence that a physical security review has been performed on the backup facility. Provide procedures for the management of all removable media (tapes, USB, hard drives, etc.) in accordance with the classification scheme adopted by the organization. PCI - only applicable if CHD is stored on removable media. The attached template contains the sample. Please click on this link to view additional files to assist you with this question. It may contain templates, scripts or other additional files. Once you have gathered the information we requested, please upload it by clicking the "Upload Files" button below or by "Dragging and Dropping" the files below.
Status: No Evidence Uploaded
Category: ,pcidss_32,ei3pa,soc1,nist_800_53,nist high,nist moderate,marse_2_0,sca,hipaa,hitrust_10m_to_60m_records,sig_lite,cms_ars_2_0,bits_aup_2014,iso_27001_2013_annex_a,privacy_shield,iso_27001_2013_stage_1,iso_27001_2013_stage_2,nist_800_171,nist_cybersecurity_framework,ffiec,hitrust_over_60m_records,saq_a,saq_a_ep,saq_b,saq_b_ip,saq_c,saq_d_merchant,saq_d_service_provider,saq_p2pe,pcidss_31,swift,hitrust_domain,,Media (tapes / External HDD / CD-DVD etc.),physical security,post-scoping,Physical Security,

#: 62 | Ques No.: 63 | Topic: Physical Security | ControlCase Reference: cc88
Question: This question is applicable only if physical media is used to store covered information. Provide the following, - Full media inventory - a sample of 5 inbound and outbound media movement records (including information such as date/time of movement, approver name, delivery method) from last six months. The attached template contains the sample. Please click on this link to view additional files to assist you with this question. It may contain templates, scripts or other additional files. Once you have gathered the information we requested, please upload it by clicking the "Upload Files" button below or by "Dragging and Dropping" the files below.
Response Uploaded Evidences: 1019::LPB_PCIDSS_Q.63_v1.0.zip
Status: Under Evaluation
Category: ,pcidss_32,ei3pa,soc1,nist_800_53,nist high,nist moderate,nist low,marse_2_0,sca,hipaa,hitrust_10m_to_60m_records,sig_lite,gdpr,cms_ars_2_0,bits_aup_2014,iso_27001_2013_annex_a,privacy_shield,iso_27001_2013_stage_1,iso_27001_2013_stage_2,nist_800_171,nist_cybersecurity_framework,ffiec,hitrust_less_than_10m_records,hitrust_over_60m_records,saq_a,saq_a_ep,saq_b,saq_b_ip,saq_c,saq_d_merchant,saq_d_service_provider,pcidss_31,hitrust_domain,,Media (tapes / External HDD / CD-DVD etc.),physical security,post-scoping,Physical Security,

#: 63 | Ques No.: 64 | Topic: Physical Security | ControlCase Reference: cc90
Question: Provide the physical/digital media destruction procedure. And, for the sample selected by the assessor provide media destruction records (from within the last year). The attached template contains the sample. Please click on this link to view additional files to assist you with this question. It may contain templates, scripts or other additional files. Once you have gathered the information we requested, please upload it by clicking the "Upload Files" button below or by "Dragging and Dropping" the files below.
Status: No Evidence Uploaded
Category: pcidss_32,ei3pa,soc1,soc2,nist_800_53,nist high,nist moderate,nist low,marse_2_0,sca,hipaa,hitrust_10m_to_60m_records,gdpr,cms_ars_2_0,iso_27001_2013_annex_a,privacy_shield,microsoft_sspa,iso_27001_2013_stage_1,iso_27001_2013_stage_2,nist_800_171,nist_cybersecurity_framework,ffiec,hitrust_less_than_10m_records,hitrust_over_60m_records,saq_a,saq_a_ep,saq_b,saq_b_ip,saq_c,saq_d_merchant,saq_d_service_provider,saq_p2pe,pcidss_31,hitrust_domain,Paper Documents with Card Data,physical security,post-scoping,Physical Security,soc2_sample_selection,soc2_post_scoping

#: 64 | Ques No.: 65 | Topic: Physical Security | ControlCase Reference: cc92
Question: Provide up-to-date list of point of sale devices (card-reading devices and terminals) with information that includes: - Make and model of device. - Location of the device (for example, the address of the site or facility where the device is located). - Device serial number or another method of unique identification. You may use the attached template or provide the required information in an alternative format. Please click on this link to view additional files to assist you with this question. It may contain templates, scripts or other additional files. Once you have gathered the information we requested, please upload it by clicking the "Upload Files" button below or by "Dragging and Dropping" the files below.
Response Uploaded Evidences: 980::LPB_PCIDSS_Q.65_v1.0.zip
Status: Under Evaluation
Category: ,pcidss_32,soc1,privacy_shield,nist_cybersecurity_framework,saq_b,saq_b_ip,saq_c,saq_d_merchant,saq_d_service_provider,saq_p2pe,pcidss_31,,POS (Point Of Sale) Devices,physical security,post-scoping,Physical Security,

#: 65 | Ques No.: 66 | Topic: Physical Security | ControlCase Reference: cc93
Question: Provide for POS devices, - Maintaining a list of devices - documented procedures that outline the process for inspection for tampering. - the material used for training personnel for inspection. - records showing that personnel has been trained. - a sample of 3 records from different retail locations showing the schedule of inspection. The attached template contains the sample. Please click on this link to view additional files to assist you with this question. It may contain templates, scripts or other additional files. Once you have gathered the information we requested, please upload it by clicking the "Upload Files" button below or by "Dragging and Dropping" the files below.
Response Uploaded Evidences: 1011::LPB_PCIDSS_Q.66_v1.0.zip
Status: Under Evaluation
Category: ,pcidss_32,saq_b,saq_b_ip,saq_c,saq_d_merchant,saq_d_service_provider,saq_p2pe,pcidss_31,POS (Point Of Sale) Devices,physical security,post-scoping,Physical Security,

#: 66 | Ques No.: 67 | Topic: Logging and Monitoring | ControlCase Reference: cc95
Question: For the sample, provide the audit log policy settings. You may use the attached template or provide the required information in an alternative format. Please click on this link to view additional files to assist you with this question. It may contain templates, scripts or other additional files. Once you have gathered the information we requested, please upload it by clicking the "Upload Files" button below or by "Dragging and Dropping" the files below.
Response Uploaded Evidences: 1007::LPB_PCIDSS_Q.67_v1.0.zip
Status: Under Evaluation
Category: ,pcidss_32,ei3pa,soc1,sca,hipaa,hitrust_10m_to_60m_records,bits_aup_2014,iso_27001_2013_annex_a,glba,privacy_shield,csa_star,iso_27001_2013_stage_1,iso_27001_2013_stage_2,nist_800_171,nist_cybersecurity_framework,ffiec,hitrust_less_than_10m_records,hitrust_over_60m_records,saq_a_ep,saq_c,saq_d_merchant,saq_d_service_provider,pcidss_31,swift,hitrust_domain,,Firewall,Router,Switch,acs/radius,Windows,mainframe,linux,unix,virtual platform,database,syslog / siem,ntp server,Web Application Firewall,remote access technology / vpn device,payment applications / pci scope web and software applications,POS (Point Of Sale) Devices,atm / kiosk,logging and monitoring,post-scoping,Logging and Monitoring,

#: 67 | Ques No.: 68 | Topic: Logging and Monitoring | ControlCase Reference: cc96
Question: Provide actual event logs for each of the platforms identified in the sample. You must use the attached template. Please click on this link to view additional files to assist you with this question. It may contain templates, scripts or other additional files. Once you have gathered the information we requested, please upload it by clicking the "Upload Files" button below or by "Dragging and Dropping" the files below.
Status: No Evidence Uploaded
Category: ,pcidss_32,ei3pa,soc1,nist_800_53,nist high,nist moderate,nist low,marse_2_0,hipaa,hitrust_10m_to_60m_records,sig_lite,cms_ars_2_0,bits_aup_2014,iso_27001_2013_annex_a,glba,privacy_shield,csa_star,iso_27001_2013_stage_1,iso_27001_2013_stage_2,nist_800_171,nist_cybersecurity_framework,ffiec,hitrust_less_than_10m_records,hitrust_over_60m_records,saq_a_ep,saq_c,saq_d_merchant,saq_d_service_provider,pcidss_31,hitrust_domain,,soc,Firewall,Router,Switch,acs/radius,Windows,mainframe,linux,unix,virtual platform,database,syslog / siem,ntp server,Web Application Firewall,remote access technology / vpn device,payment applications / pci scope web and software applications,POS (Point Of Sale) Devices,atm / kiosk,logging and monitoring,post-scoping,Logging and Monitoring,

#: 68 | Ques No.: 69 | Topic: Logging and Monitoring | ControlCase Reference: cc98
Question: Provide the following NTP evidence: - Device being used as the central NTP server along with the NTP version number - Setting/Screenshot showing synchronization between NTP server and external time source - Access control list for NTP server - Changes to time settings on critical systems are logged. You must use the attached template. Please click on this link to view additional files to assist you with this question. It may contain templates, scripts or other additional files. Once you have gathered the information we requested, please upload it by clicking the "Upload Files" button below or by "Dragging and Dropping" the files below.
Response Uploaded Evidences: 1000::LPB_PCIDSS_Q.69_v1.0.zip
Status: Under Evaluation
Category: ,pcidss_32,ei3pa,soc1,nist_800_53,nist high,nist moderate,nist low,marse_2_0,hipaa,cms_ars_2_0,privacy_shield,csa_star,nist_800_171,saq_a_ep,saq_c,saq_d_merchant,saq_d_service_provider,pcidss_31,,Firewall,Router,Switch,acs/radius,ids / ips,Windows,mainframe,linux,unix,virtual platform,syslog / siem,ntp server,Web Application Firewall,remote access technology / vpn device,payment applications / pci scope web and software applications,POS (Point Of Sale) Devices,atm / kiosk,logging and monitoring,post-scoping,Logging and Monitoring,

#: 69 | Ques No.: 70 | Topic: Logging and Monitoring | ControlCase Reference: cc101
Question: Provide evidence of the following on the central Syslog server - Description of the controls implemented to protect against unauthorized changes to log information and operational problems with logging facilities. This includes a) alterations to message types recorded; b) log files that are edited or deleted; c) event log failures, or overwriting of past events recorded. - Access list of users with permission type (i.e. read-only/modify) and business justification - Evidence of archived logs being protected by FIM. The attached template contains the sample. Please click on this link to view additional files to assist you with this question. It may contain templates, scripts or other additional files. Once you have gathered the information we requested, please upload it by clicking the "Upload Files" button below or by "Dragging and Dropping" the files below.
Response Uploaded Evidences: 1008::LPB_PCIDSS_Q.70_v1.0.zip
Status: Under Evaluation
Category: ,pcidss_32,ei3pa,soc1,nist_800_53,nist high,nist moderate,nist low,marse_2_0,sca,hipaa,hitrust_10m_to_60m_records,cms_ars_2_0,iso_27001_2013_annex_a,csa_star,iso_27001_2013_stage_2,nist_800_171,nist_cybersecurity_framework,ffiec,hitrust_less_than_10m_records,hitrust_over_60m_records,saq_a_ep,saq_d_merchant,saq_d_service_provider,pcidss_31,hitrust_domain,,syslog / siem,logging and monitoring,post-scoping,Logging and Monitoring,

#: 70 | Ques No.: 71 | Topic: Logging and Monitoring | ControlCase Reference: cc105
Question: Provide - one daily log review report/email for every sample. - Evidence of follow-up to the event - Evidence of log retention for 12 months. You must use the attached template. Please click on this link to view additional files to assist you with this question. It may contain templates, scripts or other additional files. Once you have gathered the information we requested, please upload it by clicking the "Upload Files" button below or by "Dragging and Dropping" the files below.
Status: No Evidence Uploaded
Category: ,pcidss_32,ei3pa,soc1,nist_800_53,nist high,nist moderate,nist low,marse_2_0,sca,hipaa,hitrust_10m_to_60m_records,sig_lite,cms_ars_2_0,bits_aup_2014,iso_27001_2013_annex_a,csa_star,iso_27001_2013_stage_1,iso_27001_2013_stage_2,nist_800_171,nist_cybersecurity_framework,ffiec,hitrust_less_than_10m_records,hitrust_over_60m_records,saq_a_ep,saq_c,saq_d_merchant,saq_d_service_provider,pcidss_31,swift,hitrust_domain,,soc,syslog / siem,logging and monitoring,post-scoping,Logging and Monitoring,

#: 71 | Ques No.: 72 | Topic: Security Testing | ControlCase Reference: cc109
Question: Provide quarterly wireless analyzer reports along with details for authorized/unauthorized nature of the access point. The attached template contains the sample. Please click on this link to view additional files to assist you with this question. It may contain templates, scripts or other additional files. Once you have gathered the information we requested, please upload it by clicking the "Upload Files" button below or by "Dragging and Dropping" the files below.
Status: No Evidence Uploaded
Category: ,pcidss_32,ei3pa,soc1,nist_800_53,nist high,nist moderate,nist low,marse_2_0,sca,hipaa,hitrust_10m_to_60m_records,sig_lite,cms_ars_2_0,bits_aup_2014,privacy_shield,csa_star,nist_800_171,hitrust_less_than_10m_records,hitrust_over_60m_records,saq_c,saq_d_merchant,saq_d_service_provider,pcidss_31,hitrust_domain,,security testing,post-scoping,Security Testing,

#: 72 | Ques No.: 73 | Topic: Security Testing | ControlCase Reference: cc111
Question: Provide one sample Incident Response report in response to a rogue access point detection. The attached template contains the sample. Please click on this link to view additional files to assist you with this question. It may contain templates, scripts or other additional files. Once you have gathered the information we requested, please upload it by clicking the "Upload Files" button below or by "Dragging and Dropping" the files below.
Status: No Evidence Uploaded
Category: ,pcidss_32,ei3pa,soc1,nist_800_53,nist high,nist moderate,nist low,marse_2_0,sca,cms_ars_2_0,bits_aup_2014,privacy_shield,saq_b_ip,saq_c,saq_d_merchant,saq_d_service_provider,pcidss_31,hitrust_domain,,security testing,post-scoping,Security Testing,

#: 73 | Ques No.: 74 | Topic: Security Testing | ControlCase Reference: cc112
Question: Provide quarterly internal vulnerability/configuration assessment reports for the last 4 quarters. You must use the attached template. Please click on this link to view additional files to assist you with this question. It may contain templates, scripts or other additional files. Once you have gathered the information we requested, please upload it by clicking the "Upload Files" button below or by "Dragging and Dropping" the files below.
Status: No Evidence Uploaded
Category: pcidss_32,ei3pa,soc1,soc2,nist_800_53,nist high,nist moderate,nist low,marse_2_0,sca,hipaa,hitrust_10m_to_60m_records,sig_lite,cms_ars_2_0,bits_aup_2014,iso_27001_2013_annex_a,glba,privacy_shield,microsoft_sspa,csa_star,iso_27001_2013_stage_1,iso_27001_2013_stage_2,nist_800_171,nist_cybersecurity_framework,ffiec,hitrust_less_than_10m_records,hitrust_over_60m_records,saq_c,saq_d_merchant,saq_d_service_provider,pcidss_31,swift,hitrust_domain,Security,security testing,post-scoping,Security Testing,soc2_post_scoping

#: 74 | Ques No.: 75 | Topic: Security Testing | ControlCase Reference: cc113
Question: Provide quarterly external vulnerability/ASV scan reports for the last 4 quarters. You must use the attached template. Please click on this link to view additional files to assist you with this question. It may contain templates, scripts or other additional files. Once you have gathered the information we requested, please upload it by clicking the "Upload Files" button below or by "Dragging and Dropping" the files below.
Status: No Evidence Uploaded
Category: pcidss_32,ei3pa,soc1,soc2,nist_800_53,nist high,nist moderate,nist low,marse_2_0,sca,hipaa,hitrust_10m_to_60m_records,sig_lite,cms_ars_2_0,bits_aup_2014,iso_27001_2013_annex_a,glba,privacy_shield,microsoft_sspa,iso_27001_2013_stage_1,iso_27001_2013_stage_2,nist_cybersecurity_framework,ffiec,hitrust_over_60m_records,saq_a_ep,saq_b_ip,saq_c,saq_d_merchant,saq_d_service_provider,pcidss_31,swift,hitrust_domain,security testing,post-scoping,Security Testing,soc2_post_scoping

#: 75 | Ques No.: 76 | Topic: Security Testing | ControlCase Reference: cc114
Question: Provide a documented methodology being used for penetration testing. You must use the attached template. Please click on this link to view additional files to assist you with this question. It may contain templates, scripts or other additional files. Once you have gathered the information we requested, please upload it by clicking the "Upload Files" button below or by "Dragging and Dropping" the files below.
Status: No Evidence Uploaded
Category: ,pcidss_32,ei3pa,soc1,nist_800_53,nist high,nist moderate,nist low,marse_2_0,hipaa,cms_ars_2_0,bits_aup_2014,glba,privacy_shield,microsoft_sspa,nist_800_171,nist_cybersecurity_framework,ffiec,saq_a_ep,saq_c,saq_d_merchant,saq_d_service_provider,pcidss_31,swift,hitrust_domain,,security testing,post-scoping,Security Testing,

#: 76 | Ques No.: 77 | Topic: Security Testing | ControlCase Reference: cc115
Question: Provide external penetration test reports for the network and application layer. You must use the attached template. Please click on this link to view additional files to assist you with this question. It may contain templates, scripts or other additional files. Once you have gathered the information we requested, please upload it by clicking the "Upload Files" button below or by "Dragging and Dropping" the files below.
Status: No Evidence Uploaded
Category: pcidss_32,ei3pa,soc1,soc2,nist_800_53,nist high,marse_2_0,hipaa,hitrust_10m_to_60m_records,sig_lite,cms_ars_2_0,bits_aup_2014,iso_27001_2013_annex_a,glba,privacy_shield,microsoft_sspa,csa_star,iso_27001_2013_stage_1,iso_27001_2013_stage_2,nist_cybersecurity_framework,ffiec,hitrust_less_than_10m_records,hitrust_over_60m_records,saq_a_ep,saq_d_merchant,saq_d_service_provider,pcidss_31,swift,hitrust_domain,Security,security testing,post-scoping,Security Testing,soc2_post_scoping

#: 77 | Ques No.: 78 | Topic: Security Testing | ControlCase Reference: cc116
Question: Provide internal penetration test reports for network and application layer. You must use the attached template. Please click on this link to view additional files to assist you with this question. It may contain templates, scripts or other additional files. Once you have gathered the information we requested, please upload it by clicking the "Upload Files" button below or by "Dragging and Dropping" the files below.
Status: No Evidence Uploaded
Category: ,pcidss_32,ei3pa,soc1,nist_800_53,nist high,nist moderate,marse_2_0,hipaa,hitrust_10m_to_60m_records,sig_lite,cms_ars_2_0,bits_aup_2014,iso_27001_2013_annex_a,glba,privacy_shield,microsoft_sspa,csa_star,iso_27001_2013_stage_1,iso_27001_2013_stage_2,nist_cybersecurity_framework,ffiec,hitrust_over_60m_records,saq_d_merchant,saq_d_service_provider,pcidss_31,swift,hitrust_domain,,Security,security testing,post-scoping,Security Testing,

#: 78 | Ques No.: 79 | Topic: Security Testing | ControlCase Reference: cc117
Question: Provide results of penetration testing performed on segmentation controls at least every six months and after any changes to segmentation controls/methods. You must use the attached template. Please click on this link to view additional files to assist you with this question. It may contain templates, scripts or other additional files. Once you have gathered the information we requested, please upload it by clicking the "Upload Files" button below or by "Dragging and Dropping" the files below.
Status: No Evidence Uploaded
Category: ,pcidss_32,ei3pa,soc1,nist_cybersecurity_framework,ffiec,saq_a_ep,saq_c,saq_d_merchant,saq_d_service_provider,pcidss_31,swift,,security testing,post-scoping,Security Testing,

#: 79 | Ques No.: 80 | Topic: Security Testing | ControlCase Reference: cc118
Question: Provide evidence of the following from all IDS/IPS implemented: - Location on network - Version number - Signatures - Alerting emails - Follow up to alerts. You must use the attached template. Please click on this link to view additional files to assist you with this question. It may contain templates, scripts or other additional files. Once you have gathered the information we requested, please upload it by clicking the "Upload Files" button below or by "Dragging and Dropping" the files below.
Response Uploaded Evidences: 986::LPB_PCIDSS_Question_80_ver1.0.zip
Status: Under Evaluation
Category: pcidss_32,ei3pa,soc1,soc2,sca,hipaa,hitrust_10m_to_60m_records,sig_lite,bits_aup_2014,iso_27001_2013_annex_a,glba,privacy_shield,microsoft_sspa,csa_star,nist_800_171,nist_cybersecurity_framework,ffiec,hitrust_less_than_10m_records,hitrust_over_60m_records,saq_a_ep,saq_d_merchant,saq_d_service_provider,pcidss_31,swift,hitrust_domain,soc,ids / ips,security testing,post-scoping,Security Testing,soc2_post_scoping

#: 80 | Ques No.: 81 | Topic: Security Testing | ControlCase Reference: cc119
Question: Provide the following evidence for the sample selected by the assessor: - FIM version installed - Files being monitored by FIM - Alerting emails - Follow up to alerts - Critical file comparisons - at least weekly. You must use the attached template. Please click on this link to view additional files to assist you with this question. It may contain templates, scripts or other additional files. Once you have gathered the information we requested, please upload it by clicking the "Upload Files" button below or by "Dragging and Dropping" the files below.
Response Uploaded Evidences: 1002::LPB_PCIDSS_Q.81_v1.0.zip
Status: Under Evaluation
Category: pcidss_32,ei3pa,soc1,soc2,nist_800_53,nist high,nist moderate,marse_2_0,hipaa,sig_lite,cms_ars_2_0,csa_star,nist_cybersecurity_framework,ffiec,saq_a_ep,saq_c,saq_d_merchant,saq_d_service_provider,pcidss_31,swift,hitrust_domain,soc,Windows,mainframe,linux,unix,security testing,post-scoping,Security Testing,soc2_sample_selection,soc2_post_scoping

#: 81 | Ques No.: 82 | Topic: HR | ControlCase Reference: cc120
Question: Provide the high level policy of the management system (Information security policy/business continuity policy/other) and how the policy is distributed to the relevant personnel, vendors and business partners. Please click on this link to view additional files to assist you with this question. It may contain templates, scripts or other additional files. Once you have gathered the information we requested, please upload it by clicking the "Upload Files" button below or by "Dragging and Dropping" the files below.
Response Uploaded Evidences: 960::LPB_PCI_Question_82.zip
Status: Incomplete Information
CC Comments: Please update these points: - how the policy is distributed to the relevant personnel, vendors and business partners. - any record to confirm all relevant persons have read and understood the information security policy - how all persons can access and read the policy, or the document management method
Category: pcidss_32,ei3pa,soc1,soc2,nist_800_53,nist high,nist moderate,nist low,marse_2_0,hipaa,hitrust_10m_to_60m_records,cms_ars_2_0,bits_aup_2014,iso_27001_2013_main,glba,privacy_shield,csa_star,iso_27001_2013_stage_1,iso_27001_2013_stage_2,nist_cybersecurity_framework,ffiec,hitrust_less_than_10m_records,hitrust_over_60m_records,saq_a_ep,saq_b,saq_b_ip,saq_c,saq_d_merchant,saq_d_service_provider,saq_p2pe,pcidss_31,hitrust_domain,Support,hr,post-scoping,HR,soc2_post_scoping

#82  Ques No. 83  Topic: Policies and Procedures
Question: Provide all information security policies and procedures. Include evidence of annual review of applicable policies and procedures for consistency with the company's risk mitigation plan and company strategy changes. This documentation includes, but is not limited to:
  - Information Security Policy
  - Access Provisioning, Account Creation, and Termination
  - Backup and Recovery
  - Breach Notification
  - Data Classification
  - Data Protection
  - Emergency Access
  - Emergency Change
  - Encryption Standards
  - Incident Response and Escalation
  - Password Configuration
  - Remote Access
  - Record Retention, Protection and Disposal Policy
  - SDLC and Program Change Management: include documentation, testing, and authorization requirements
  - Server / Infrastructure Configuration Standards
  - Third Party Engagement
  - User Identification and Authentication
  Please click on this link to view additional files to assist you with this question. It may contain templates, scripts or other additional files. Once you have gathered the information we requested, please upload it by clicking the "Upload Files" button below or by "Dragging and Dropping" the files below.
ControlCase Reference: cc121
Uploaded Evidences: (none)
Status: No Evidence Uploaded
Category: pcidss_32, ei3pa, soc1, soc2, sca, hipaa, hitrust_10m_to_60m_records, sig_lite, bits_aup_2014, iso_27001_2013_annex_a, glba, csa_star, iso_27001_2013_stage_1, iso_27001_2013_stage_2, nist_cybersecurity_framework, ffiec, ccpa, hitrust_less_than_10m_records, hitrust_over_60m_records, saq_a, saq_a_ep, saq_b, saq_b_ip, saq_c, saq_c_vt, saq_d_merchant, saq_d_service_provider, saq_p2pe, pcidss_31, hitrust_domain, policies and procedures, post-scoping, Policies and Procedures, soc2_post_scoping

#83  Ques No. 84  Topic: Risk Assessment
Question: Provide the following information related to Risk Assessment (as applicable):
  - The risk assessment methodology/process (definition of risk criteria, risk identification, risk analysis, risk evaluation).
  - The results of the assessment carried out (Risk Assessment Report).
  - The risk treatment plan (risk treatment options, identification of required controls).
  - Evidence of the Information Security Risk Treatment Plan's approval and acceptance of the residual information security risks.
  - The privacy risk assessment, covering the risk related to the maintenance and processing of PII.
  - (For 27001 only) The Statement of Applicability.
  Please click on this link to view additional files to assist you with this question. It may contain templates, scripts or other additional files. Once you have gathered the information we requested, please upload it by clicking the "Upload Files" button below or by "Dragging and Dropping" the files below.
ControlCase Reference: cc122
Uploaded Evidences: (none)
Status: No Evidence Uploaded
Category: pcidss_32, ei3pa, soc1, nist_800_53, nist high, nist moderate, nist low, marse_2_0, sca, hipaa, hitrust_10m_to_60m_records, sig_lite, gdpr, cms_ars_2_0, bits_aup_2014, iso_27001_2013_main, glba, microsoft_sspa, csa_star, iso_27001_2013_stage_1, iso_27001_2013_stage_2, nist_800_171, nist_cybersecurity_framework, ffiec, hitrust_less_than_10m_records, hitrust_over_60m_records, saq_b_ip, saq_d_merchant, saq_d_service_provider, saq_p2pe, pcidss_31, swift, hitrust_domain, risk assessment, post-scoping, Risk Assessment

#84  Ques No. 85  Topic: Policies and Procedures
Question: If remote access to the organization's network is allowed, provide a configuration screenshot for the remote access technology (such as Remote VPN) showing the session time-out defined after a specific period of inactivity. The attached template contains the sample. Please click on this link to view additional files to assist you with this question. It may contain templates, scripts or other additional files. Once you have gathered the information we requested, please upload it by clicking the "Upload Files" button below or by "Dragging and Dropping" the files below.
ControlCase Reference: cc125
Uploaded Evidences: 961::LPB_PCI_Question_85.zip; 982::LPB_PCIDSS_Question_85_ver1.1.zip
Status: Under Evaluation
CC Comments: VPN timeout must be configured at 10 minutes. Please provide evidence again with full information (name of VPN solution, date of evidence capture, description of VPN structure).
Category: pcidss_32, ei3pa, soc1, nist_800_53, nist high, nist moderate, nist low, marse_2_0, sca, hitrust_10m_to_60m_records, cms_ars_2_0, nist_cybersecurity_framework, ffiec, hitrust_less_than_10m_records, hitrust_over_60m_records, saq_c, saq_d_merchant, saq_d_service_provider, pcidss_31, swift, hitrust_domain, remote access technology / vpn device, policies and procedures, post-scoping, Policies and Procedures
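Before capturing the screenshot above, it is worth checking the exported VPN configuration mechanically, since an idle timeout of "none" or a value above the policy maximum is exactly what the assessor will reject. The check below is an added example (not from the questionnaire or the assessed entity's evidence). It assumes the remote-access platform uses Cisco ASA group-policy syntax, where `vpn-idle-timeout <minutes>` or `vpn-idle-timeout none` sits under `group-policy <name> attributes`; both configuration fragments are constructed, and the 10-minute maximum follows the assessor's comment rather than a fixed standard value.

```python
import re
from typing import Dict, Optional

# Constructed fragments in Cisco ASA group-policy syntax (assumed platform).
# 'none' disables the idle timeout, which is the weak setting.
WEAK_CONFIG = """\
group-policy RA_VPN_POLICY internal
group-policy RA_VPN_POLICY attributes
 vpn-idle-timeout none
 vpn-session-timeout 1440
group-policy ADMIN_VPN attributes
 vpn-idle-timeout 30
"""

CORRECTED_CONFIG = """\
group-policy RA_VPN_POLICY internal
group-policy RA_VPN_POLICY attributes
 vpn-idle-timeout 10
 vpn-session-timeout 1440
group-policy ADMIN_VPN attributes
 vpn-idle-timeout 10
"""

POLICY_MAX_IDLE_MINUTES = 10  # assumption: taken from the assessor's comment above


def idle_timeouts(config: str) -> Dict[str, Optional[int]]:
    """Map each group-policy to its idle timeout in minutes.

    None means the timeout is disabled ('none') or never set for that policy;
    both cases must fail the check, so they are represented the same way.
    """
    result: Dict[str, Optional[int]] = {}
    current = None
    for line in config.splitlines():
        m = re.match(r"^group-policy (\S+) attributes\s*$", line)
        if m:
            current = m.group(1)
            result.setdefault(current, None)
            continue
        m = re.match(r"^\s+vpn-idle-timeout (\S+)", line)
        if m and current is not None:
            value = m.group(1)
            result[current] = None if value == "none" else int(value)
    return result


def evaluate(config: str, max_idle: int = POLICY_MAX_IDLE_MINUTES) -> Dict[str, str]:
    """Return a PASS/FAIL verdict per group-policy against the policy maximum."""
    findings = {}
    for policy, minutes in idle_timeouts(config).items():
        if minutes is None:
            findings[policy] = "FAIL: idle timeout disabled or not set"
        elif minutes > max_idle:
            findings[policy] = f"FAIL: {minutes} min exceeds policy maximum of {max_idle} min"
        else:
            findings[policy] = f"PASS: {minutes} min"
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("corrected", CORRECTED_CONFIG)):
        print(label, evaluate(cfg))
```

The parser deliberately reports every `attributes` block, including ones that never mention an idle timeout: a group-policy that inherits the default is a finding a screenshot of one policy would not reveal.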

#85  Ques No. 86  Topic: Policies and Procedures
Question: Provide a policy which requires the following:
  - prohibit copying, moving, or storing of covered information onto local hard drives and removable electronic media unless a valid business justification exists
  - in the case of a business justification, provide evidence that adequate protection exists on the target hard drives or electronic media.
  The attached template contains the sample. Please click on this link to view additional files to assist you with this question. It may contain templates, scripts or other additional files. Once you have gathered the information we requested, please upload it by clicking the "Upload Files" button below or by "Dragging and Dropping" the files below.
ControlCase Reference: cc127
Uploaded Evidences: 996::LPB_PCIDSS_Q.86_v1.0.zip
Status: Under Evaluation
Category: pcidss_32, ei3pa, soc1, sca, hitrust_10m_to_60m_records, sig_lite, nist_cybersecurity_framework, ffiec, hitrust_less_than_10m_records, hitrust_over_60m_records, saq_d_merchant, saq_d_service_provider, pcidss_31, swift, hitrust_domain, remote access technology / vpn device, policies and procedures, post-scoping, Policies and Procedures

#86  Ques No. 87  Topic: Policies and Procedures
Question: Provide an organization chart (or equivalent documentation) which clearly outlines the Information Security roles and responsibilities for all personnel. Also, provide the following records in support of assigned security responsibilities:
  - recent Information security policy review/approval record
  - Information security policy communication to all users
  - any security alert email communication to affected parties
  For PCI DSS (where the entity is a Service Provider) and for HITRUST, please provide the following:
  - Overall accountability for maintaining compliance
  - Documented charter for a compliance program and related communication to the executive management
  - Documented (Quarterly for PCI DSS or as applicable for other standards/regulations) results of the reviews showing:
    1. Daily log reviews, Firewall rule-set reviews, Applying configuration standards to new systems, Responding to security alerts, Change management process
    2. Sign-off of results by personnel assigned responsibility for maintaining compliance
  The attached template contains the sample. Please click on this link to view additional files to assist you with this question. It may contain templates, scripts or other additional files. Once you have gathered the information we requested, please upload it by clicking the "Upload Files" button below or by "Dragging and Dropping" the files below.
ControlCase Reference: cc128
Uploaded Evidences: 962::LPB_PCI_Question_87.zip
Status: Incomplete Information
CC Comments: Wrong evidence has been shared, please update again.
Category: pcidss_32, ei3pa, soc1, nist_800_53, nist high, nist moderate, nist low, marse_2_0, sca, hitrust_10m_to_60m_records, sig_lite, gdpr, cms_ars_2_0, iso_27001_2013_annex_a, iso_27001_2013_main, glba, microsoft_sspa, csa_star, iso_27001_2013_stage_1, iso_27001_2013_stage_2, nist_800_171, nist_cybersecurity_framework, ffiec, hitrust_less_than_10m_records, hitrust_over_60m_records, saq_a_ep, saq_b, saq_b_ip, saq_c, saq_d_merchant, saq_d_service_provider, saq_p2pe, pcidss_31, hitrust_domain, policies and procedures, post-scoping, Policies and Procedures

#87  Ques No. 88  Topic: HR
Question: Provide the information security awareness material used for user training and demonstrate an annual recurrence. Also, provide sample training attendance records covering a one year period for:
  - New Hires
  - Existing employees
  - Contractors
  The attached template contains the sample. Please click on this link to view additional files to assist you with this question. It may contain templates, scripts or other additional files. Once you have gathered the information we requested, please upload it by clicking the "Upload Files" button below or by "Dragging and Dropping" the files below.
ControlCase Reference: cc129
Uploaded Evidences: 963::LPB_PCI_Question_88.zip; 988::LPB_PCIDSS_Question_88_ver1.0.zip
Status: Under Evaluation
CC Comments: Wrong evidence has been shared, please update the evidence again.
Category: pcidss_32, ei3pa, soc1, nist_800_53, nist high, nist moderate, nist low, marse_2_0, sca, hipaa, hitrust_10m_to_60m_records, sig_lite, cms_ars_2_0, bits_aup_2014, iso_27001_2013_annex_a, iso_27001_2013_main, glba, microsoft_sspa, csa_star, iso_27001_2013_stage_1, iso_27001_2013_stage_2, nist_800_171, nist_cybersecurity_framework, ffiec, hitrust_less_than_10m_records, hitrust_over_60m_records, saq_a_ep, saq_b, saq_c, saq_d_merchant, saq_d_service_provider, saq_p2pe, pcidss_31, swift, hitrust_domain, support, POS (Point Of Sale) Devices, atm / kiosk, hr, post-scoping, HR

#88  Ques No. 89  Topic: HR
Question: For the sample of employees selected by the assessor, provide background check records from the period under assessment (at least 10 employees). The attached template is provided as a sample. Please click on this link to view additional files to assist you with this question. It may contain templates, scripts or other additional files. Once you have gathered the information we requested, please upload it by clicking the "Upload Files" button below or by "Dragging and Dropping" the files below.
ControlCase Reference: cc132
Uploaded Evidences: 967::LPB_PCI_Question_89.zip
Status: Accepted by Assessor
Category: pcidss_32, ei3pa, soc1, soc2, nist_800_53, nist high, nist moderate, nist low, marse_2_0, sca, hipaa, hitrust_10m_to_60m_records, sig_lite, cms_ars_2_0, bits_aup_2014, iso_27001_2013_annex_a, glba, csa_star, iso_27001_2013_stage_1, iso_27001_2013_stage_2, nist_800_171, nist_cybersecurity_framework, ffiec, hitrust_over_60m_records, saq_d_merchant, saq_d_service_provider, pcidss_31, swift, hitrust_domain, hr, post-scoping, HR, soc2_sample_selection, soc2_post_scoping

#89  Ques No. 90  Topic: Third Party Management
Question: Provide the list of third party service providers as per the following criteria:
  - All third party service providers used by the assessed entity to store, process, or transmit covered information on its behalf for business purposes
  - All third party service providers used by the assessed entity to manage components such as routers, firewalls, databases, physical security, and/or servers.
  You must use the attached template. Please click on this link to view additional files to assist you with this question. It may contain templates, scripts or other additional files. Once you have gathered the information we requested, please upload it by clicking the "Upload Files" button below or by "Dragging and Dropping" the files below.
ControlCase Reference: cc133
Uploaded Evidences: 1012::LPB_PCIDSS_Q.90+Q.91_v1.0.zip
Status: Under Evaluation
Category: pcidss_32, ei3pa, soc1, sca, hipaa, hitrust_10m_to_60m_records, sig_lite, gdpr, bits_aup_2014, iso_27001_2013_annex_a, glba, privacy_shield, csa_star, iso_27001_2013_stage_1, iso_27001_2013_stage_2, hitrust_less_than_10m_records, hitrust_over_60m_records, saq_a, saq_a_ep, saq_b, saq_b_ip, saq_c, saq_d_merchant, saq_d_service_provider, saq_p2pe, pcidss_31, swift, hitrust_domain, third party management, post-scoping, Third Party Management

#90  Ques No. 91  Topic: Third Party Management
Question: For all identified in-scope third party service providers and business partners, provide the following:
  - Current service agreement which covers the third party's security, availability, confidentiality, processing integrity and/or privacy responsibilities for handling covered information
  - Current compliance status against applicable regulations / data security standards
  - List of security requirements which are managed by each third party service provider on your behalf
  - Non-disclosure agreements
  You must use the attached template. Please click on this link to view additional files to assist you with this question. It may contain templates, scripts or other additional files. Once you have gathered the information we requested, please upload it by clicking the "Upload Files" button below or by "Dragging and Dropping" the files below.
ControlCase Reference: cc134
Uploaded Evidences: 1013::LPB_PCIDSS_Q.90+Q.91_v1.0.zip
Status: Under Evaluation
Category: pcidss_32, ei3pa, soc1, nist_800_53, nist high, nist moderate, nist low, marse_2_0, sca, hipaa, hitrust_10m_to_60m_records, sig_lite, gdpr, cms_ars_2_0, bits_aup_2014, iso_27001_2013_annex_a, glba, privacy_shield, csa_star, iso_27001_2013_stage_1, iso_27001_2013_stage_2, nist_cybersecurity_framework, ffiec, ccpa, hitrust_less_than_10m_records, hitrust_over_60m_records, saq_a, saq_a_ep, saq_b, saq_b_ip, saq_c, saq_d_merchant, saq_d_service_provider, saq_p2pe, pcidss_31, swift, hitrust_domain, third party management, post-scoping, Third Party Management

#91  Ques No. 92  Topic: Third Party Management
Question: Provide the third-party management policy, including how the entity assesses and performs due diligence before engaging a third party. From the sample of third parties selected by the assessor, provide the due diligence document/report for the contracted third parties. The attached template contains the sample. Please click on this link to view additional files to assist you with this question. It may contain templates, scripts or other additional files. Once you have gathered the information we requested, please upload it by clicking the "Upload Files" button below or by "Dragging and Dropping" the files below.
ControlCase Reference: cc135
Uploaded Evidences: 1014::LPB_PCIDSS_Q.92_v1.0.zip
Status: Under Evaluation
Category: pcidss_32, ei3pa, soc1, sca, hipaa, hitrust_10m_to_60m_records, sig_lite, gdpr, bits_aup_2014, iso_27001_2013_annex_a, glba, privacy_shield, csa_star, iso_27001_2013_stage_1, iso_27001_2013_stage_2, nist_cybersecurity_framework, ffiec, hitrust_less_than_10m_records, hitrust_over_60m_records, saq_a, saq_a_ep, saq_b, saq_b_ip, saq_c, saq_d_merchant, saq_d_service_provider, saq_p2pe, pcidss_31, swift, hitrust_domain, third party management, post-scoping, Third Party Management

#92  Ques No. 93  Topic: Policies and Procedures
Question: This question applies only to service providers. Provide a sample written acknowledgment that outlines that you are responsible for the security of your customer's data. The attached template contains the sample. Please click on this link to view additional files to assist you with this question. It may contain templates, scripts or other additional files. Once you have gathered the information we requested, please upload it by clicking the "Upload Files" button below or by "Dragging and Dropping" the files below.
ControlCase Reference: cc138
Uploaded Evidences: (none)
Status: No Evidence Uploaded
Category: pcidss_32, soc1, hipaa, bits_aup_2014, glba, privacy_shield, saq_b_ip, saq_d_service_provider, saq_p2pe, pcidss_31, third party management, post-scoping, Policies and Procedures

#93  Ques No. 94  Topic: Incident Response
Question: Provide the Organization's Incident Response Plan/Procedure. The plan should consider:
  - Responsible persons for the management of the security incidents.
  - The procedure for reporting security events.
  - Guidelines given to employees and contractors to record and report any observed or suspected information security incidents in the systems or services.
  - The procedure for evaluating and deciding if events related to information security are classified as incidents.
  - The process for responding to information security incidents.
  - The guidelines established to use the knowledge gained in the analysis and resolution of information security incidents to reduce the likelihood or impact of future incidents. Also include the mechanisms in place to quantify and monitor the types, volumes, and costs of information security incidents.
  - Procedures developed for identifying, collecting, acquiring, and preserving information that can serve as evidence.
  - Procedures on escalations/communication to/with external authorities (i.e., Police, Fire, Regulatory agencies) contacted in the event of a security incident.
  - Procedures that specify when and who should contact authorities, AND how identified information security incidents should be reported promptly (e.g., if a violation of the law is suspected).
  Also, provide one of the following as evidence to confirm that the documented Incident Response procedure was followed:
    1. Annual Incident Response Plan test report, OR
    2. From the sample of security incidents selected by the assessor, provide supporting documents.
  You must use the attached template. Please click on this link to view additional files to assist you with this question. It may contain templates, scripts or other additional files. Once you have gathered the information we requested, please upload it by clicking the "Upload Files" button below or by "Dragging and Dropping" the files below.
ControlCase Reference: cc139
Uploaded Evidences: 964::LPB_PCI_Question_94.zip; 987::LPB_PCIDSS_Question_94_ver1.0.zip
Status: Under Evaluation
CC Comments: The incident response procedure is dated 15 July 2020; please provide the latest version of this documentation. Also provide one of the following as evidence to confirm that the documented Incident Response procedure was followed: 1. Annual Incident Response Plan test report OR 2. From the sample of security incidents selected by the assessor, provide supporting documents.
Category: pcidss_32, ei3pa, soc1, soc2, nist_800_53, nist high, nist moderate, nist low, marse_2_0, sca, hipaa, hitrust_10m_to_60m_records, sig_lite, cms_ars_2_0, bits_aup_2014, iso_27001_2013_annex_a, glba, privacy_shield, microsoft_sspa, csa_star, iso_27001_2013_stage_1, iso_27001_2013_stage_2, nist_800_171, nist_cybersecurity_framework, ffiec, hitrust_less_than_10m_records, hitrust_over_60m_records, saq_a, saq_a_ep, saq_b, saq_b_ip, saq_c, saq_d_merchant, saq_d_service_provider, saq_p2pe, pcidss_31, swift, hitrust_domain, incident response, post-scoping, Incident Response, soc2_post_scoping

#94  Ques No. 95  Topic: Incident Response
Question: Provide incident handling training records for the team with security breach response responsibilities. The attached template contains the sample. Please click on this link to view additional files to assist you with this question. It may contain templates, scripts or other additional files. Once you have gathered the information we requested, please upload it by clicking the "Upload Files" button below or by "Dragging and Dropping" the files below.
ControlCase Reference: cc143
Uploaded Evidences: 966::LPB_PCI_Question_95.zip
Status: Accepted by Assessor
CC Comments: The incident response training record is dated 12 Dec 2020; this question is accepted temporarily because the target certificate date is Feb 2022 and this evidence will expire on 12 Dec 2021.
Category: pcidss_32, ei3pa, soc1, nist_800_53, nist high, nist moderate, nist low, marse_2_0, sca, hipaa, hitrust_10m_to_60m_records, cms_ars_2_0, bits_aup_2014, glba, csa_star, nist_cybersecurity_framework, ffiec, hitrust_less_than_10m_records, hitrust_over_60m_records, saq_d_merchant, saq_d_service_provider, pcidss_31, swift, hitrust_domain, SOC, incident response, post-scoping, Incident Response

#95  Ques No. 233  Topic: Logical Access
Question: Provide evidence of two-factor authentication being used for all administrative access to the network zone or to individual assets within the environment storing, processing or transmitting in-scope data. The attached template is provided as a sample. Please click on this link to view additional files to assist you with this question. It may contain templates, scripts or other additional files. Once you have gathered the information we requested, please upload it by clicking the "Upload Files" button below or by "Dragging and Dropping" the files below.
ControlCase Reference: cc284
Uploaded Evidences: 965::LPB_PCI_Question_233.zip; 984::LPB_PCIDSS_Question_233_ver1.1.zip
Status: Under Evaluation
CC Comments: Please provide step-by-step screenshots of privileged access via CyberArk to clarify what kind of multifactor authentication was deployed.
Category: pcidss_32, ei3pa, soc1, nist_800_53, nist high, nist moderate, nist low, marse_2_0, sig_lite, cms_ars_2_0, nist_800_171, saq_a_ep, saq_b_ip, saq_c, saq_d_merchant, saq_d_service_provider, Logical Access

#96  Ques No. 234  Topic: Logging and Monitoring
Question: Provide the following evidence that the enterprise is monitoring and responding to the failure of critical security components such as firewalls, audit logging, file integrity monitoring etc.
  - An alert showing timely detection and reporting of failures of critical security control systems (e.g. Firewalls, IDS/IPS, FIM, antivirus, physical access controls, logical access controls, audit logging mechanisms, segmentation controls (if used))
  - Provide a document that shows the processes for responding to failures in security controls, which includes at least:
    1. Restoring security functions
    2. Identifying and documenting the duration (date and time start to end) of the security failure
    3. Identifying and documenting cause(s) of failure, including root cause, and documenting remediation required to address root cause
    4. Identifying and addressing any security issues that arose during the failure
    5. Performing a risk assessment to determine whether further actions are required as a result of the security failure
    6. Implementing controls to prevent cause of failure from reoccurring
    7. Resuming monitoring of security controls
  - Provide at least one incident report/record to verify that security control failures are documented to include:
    1. Identification of cause(s) of the failure, including root cause
    2. Duration (date and time start and end) of the security failure
    3. Details of the remediation required to address the root cause
  The attached template is provided as a sample. Please click on this link to view additional files to assist you with this question. It may contain templates, scripts or other additional files. Once you have gathered the information we requested, please upload it by clicking the "Upload Files" button below or by "Dragging and Dropping" the files below.
ControlCase Reference: cc285
Uploaded Evidences: 990::LPB_PCIDSS_Q.234_v1.0.zip
Status: Under Evaluation
Category: pcidss_32, soc1, nist_800_53, nist high, nist moderate, nist low, marse_2_0, hitrust_10m_to_60m_records, sig_lite, cms_ars_2_0, nist_cybersecurity_framework, ffiec, hitrust_less_than_10m_records, hitrust_over_60m_records, saq_d_service_provider, hitrust_domain, Logging and Monitoring
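The first bullet above asks for an alert showing timely detection of a failed control, and items 2 of the process and of the incident record ask for the failure's start and end. The script below is an added example, not part of the questionnaire or of any monitoring product; it shows the simplest way both are produced from logs. Every control is expected to emit a heartbeat or keep-alive at a fixed interval (the log lines, the five-minute interval and the two-missed-heartbeat threshold are all constructed assumptions). A control whose latest heartbeat is older than the threshold is alerted on now; past silences are reported as (last good heartbeat, first heartbeat after) pairs, which is the duration the incident record must carry.

```python
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Tuple

# Constructed heartbeat lines: timestamp, control name, status. In practice the
# same logic runs over SIEM-ingested keep-alives or "log source silent" events.
SAMPLE_LOG = """\
2021-03-01T10:00:00Z fw01 status=ok
2021-03-01T10:00:00Z fim01 status=ok
2021-03-01T10:00:00Z syslog-relay status=ok
2021-03-01T10:05:00Z fw01 status=ok
2021-03-01T10:05:00Z fim01 status=ok
2021-03-01T10:10:00Z fw01 status=ok
2021-03-01T10:15:00Z fw01 status=ok
2021-03-01T10:15:00Z syslog-relay status=ok
2021-03-01T10:20:00Z fw01 status=ok
2021-03-01T10:20:00Z fim01 status=ok
"""

EXPECTED_INTERVAL = timedelta(minutes=5)  # assumed heartbeat cadence
MAX_MISSED = 2                            # alert after this many missed beats
DEMO_NOW = datetime(2021, 3, 1, 10, 30, tzinfo=timezone.utc)  # "now" for the demo


def parse(lines: str) -> Dict[str, List[datetime]]:
    """Group heartbeat timestamps by control name."""
    events: Dict[str, List[datetime]] = {}
    for line in lines.splitlines():
        ts, control, *_ = line.split()
        t = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.setdefault(control, []).append(t)
    return events


def silent_controls(events: Dict[str, List[datetime]], now: datetime,
                    interval: timedelta = EXPECTED_INTERVAL,
                    max_missed: int = MAX_MISSED) -> Dict[str, timedelta]:
    """Controls whose latest heartbeat is older than the threshold (the live alert).

    The value is how long the control has been silent so far; that becomes
    the provisional start time once the alert is raised.
    """
    threshold = interval * max_missed
    return {c: now - max(ts) for c, ts in events.items() if now - max(ts) > threshold}


def failure_windows(events: Dict[str, List[datetime]],
                    interval: timedelta = EXPECTED_INTERVAL,
                    max_missed: int = MAX_MISSED) -> Dict[str, List[Tuple[datetime, datetime]]]:
    """Closed silences per control as (last good heartbeat, first heartbeat after).

    These bound the 'date and time start to end' of a control failure; a
    silence with no heartbeat after it is still open and is reported by
    silent_controls() instead.
    """
    threshold = interval * max_missed
    windows: Dict[str, List[Tuple[datetime, datetime]]] = {}
    for control, times in events.items():
        ts = sorted(times)
        for a, b in zip(ts, ts[1:]):
            if b - a > threshold:
                windows.setdefault(control, []).append((a, b))
    return windows


def run_demo() -> dict:
    """Evaluate the constructed log at DEMO_NOW; returns plain strings/ints."""
    events = parse(SAMPLE_LOG)
    silent = {c: int(g.total_seconds() // 60)
              for c, g in silent_controls(events, DEMO_NOW).items()}
    windows = {c: [(a.isoformat(), b.isoformat()) for a, b in ws]
               for c, ws in failure_windows(events).items()}
    return {"silent_minutes": silent, "windows": windows}


if __name__ == "__main__":
    print(run_demo())
```

At DEMO_NOW the firewall and the FIM agent are current, the syslog relay has been silent for 15 minutes and is alerted on, and two historical gaps are reported: fim01 from 10:05 to 10:20 and syslog-relay from 10:00 to 10:15. The threshold of two missed beats rather than one avoids paging on a single late packet; the trade-off is that the reported start time is the last good heartbeat, not the instant the control actually failed, which is why the incident record should still carry the root-cause timeline separately.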
