PCI Management Use Case Design
The Archer PCI Management use case guides you through identifying and defining cardholder data flows and environments, engaging the proper stakeholders, completing self-assessment questionnaires (SAQs), testing and gathering evidence for all required controls, and managing the gap remediation process.
Architecture Diagram
The following diagram shows the relationships between the applications in the PCI Management use case.
Applications and Questionnaires
| Application/Questionnaire | Description |
|---|---|
| Control Scoping Unit | The Control Scoping Unit application stores a copy of the ROC controls and Custom Controls for each project. A set of data feeds links the ROC controls from this application to a Compliance Project record. Each ROC Control record allows for the documentation of in-place requirements commentary and the reporting methodology for each testing procedure. Each Custom Control requires the assessed entity to provide additional supporting documentation and evidence for assessment. Control Scoping Unit is a standard application that other use cases also use to maintain historical control versioning. Control Scoping Unit replaces the PCI Controls application in version 6.11 and later. |
| Compliance Project | The Compliance Project application functions as the hub of the PCI Management use case. It allows you to link the cardholder data environments you want to include in the Self-Assessment Questionnaire and the ROC. You can also identify and record stakeholders, personnel interviewed, and the Qualified Security Assessor. Additionally, this application allows you to define the validation type for your SAQ questionnaire, and includes a mail merge template to create the standard PCI Report On Compliance. You can use this application to conduct assessments for PCI DSS Version 3.2.1 and Version 4.0. |
| PCI 3.2.1 Self-Assessment (SAQ) | The Self-Assessment questionnaire displays questions based on the SAQ type selected in the associated project. This questionnaire determines an organization's overall compliance with the PCI DSS 3.2.1 requirements. |
| PCI 4.0 Self-Assessment (SAQ) | The Self-Assessment questionnaire displays questions based on the SAQ type selected in the associated project. This questionnaire determines an organization's overall compliance with the PCI DSS 4.0 requirements. |
| Control Matrix Template | This questionnaire displays within Control Scoping Unit for Custom Controls. The entity being assessed provides the control implementation details in the template. |
| Risk Analysis Template | This questionnaire displays within Control Scoping Unit for Custom Controls. The entity being assessed performs a targeted risk analysis in the template. |
| Primary Controls | The Primary Controls application serves as a central repository for procedures, baselines, and activities that are mapped to corporate control standards, establishing the foundation for enterprise-wide risk monitoring and compliance measurement. Primary Controls are categorized into two types: Technical and Process. Based on the selected type, different pieces of information are captured and different testing options are made available. Note: The Primary Controls application is included in the Enterprise Catalog package. |
| Question Library | The Question Library application stores assessment questions that you can reference and copy into a questionnaire. Each question is stored as an individual record, and each record contains the question and answer text as well as the information necessary to display and score the question. Depending on the solution that you have licensed, the Question Library contains a large set of pre-built questions by default. In addition, you can add new questions and store them in the Question Library. |
| Applications | The Applications application enables organizations to store details related to their business operations, such as payment intake or customer account information. It stores all software applications the organization uses to perform business operations. You can view how an application is used, the people who use it, and the devices on which the application is installed. You can also track the business impact, customer impact, and licensing details, and associate the application with other aspects of the enterprise infrastructure. Note: The Applications application is included in the Enterprise Catalog package. |
| Cardholder Data Environment | The PCI Cardholder Data application enables organizations to document the data flows, databases and file stores, applications, devices, facilities, and service providers that make up the cardholder data environment. This application also captures the executive summary of the Report On Compliance (ROC) and allows you to attach a network diagram and a payment card business overview. |
| Devices | The Devices application serves as a central repository for knowledge about IT devices, such as their criticality and which applications they support. You can manage devices to ensure that they are protected according to management expectations. The application is also associated with other aspects of the enterprise infrastructure. Note: The Devices application is included in the Enterprise Catalog package. |
| Facilities | The Facilities application maintains a listing of all organizational facilities, such as data centers and branches. You can document and review all information associated with a specific facility, such as contact personnel, location information, and technologies associated with the location. Note: The Facilities application is included in the Enterprise Catalog package. |
| Information Assets | The Information Assets application allows you to manage a repository of information assets, such as credit card data, financial forecasts, employee Social Security numbers, and trademarks. Use this application to perform online assessments that determine information classification ratings and required retention periods. Link information assets to the business processes they support, the applications where they are managed, and the facilities where they are housed. Note: The Information Assets application is included in the Enterprise Catalog package. |
| Control Procedures | The Control Procedures application serves as a central repository for instances of control procedures, baselines, and activities that are mapped to corporate Primary Controls, establishing the foundation for enterprise-wide risk monitoring and compliance measurement. Control Procedures are categorized into two types: Technical and Process. Based on the selected type, different pieces of information are captured and different testing options are made available. Note: The Control Procedures application is included in the Enterprise Catalog package. |
| Evidence Repository | The Evidence Repository application links to the Primary Controls and Control Procedures applications, enabling you to track evidence collection for the controls you want to continuously monitor. |
Access roles
| Access Role | Description |
|---|---|
| PCI Executive Sponsorship | This role gives executive-level management read-only rights to the PCI Management use case; create, read, and update rights to use case reports, Findings, and Exceptions; and read-only rights to the SAQ. |
| PCI Internal Stakeholders | This role gives internal stakeholders read-only rights to the PCI Management use case; read and update rights to the SAQ and Findings; create, read, update, and delete rights to the PCI Management use case reports other than the Findings reports; and create, read, and update rights to Exceptions. |
| PCI Project Team | This role gives the project team rights to create a Compliance Project and its SAQ. The role has create, read, update, and delete rights to the PCI Management use case and its reports. |
| PCI Admin | This role gives the administrator create, read, update, and delete rights to all applications within the PCI Management use case. It is the default configuration administrator role for the PCI applications. |
Note: For detailed, page-level access rights, see the Data Dictionary.
Dashboards
| Dashboard | Description |
|---|---|
| PCI Executive Dashboard | The PCI Executive Dashboard is intended for the PCI Executive Sponsorship role. |
| PCI Project Team Member Dashboard | This dashboard tracks control assessment activities, displays the distribution of work across the entire PCI team, and provides an overview of the entire compliance project. It is for use by the PCI Project Team role. |
| PCI Internal Stakeholder Dashboard | This dashboard is for use by an internal compliance stakeholder to complete tasks such as reviewing control ownership, completing self-assessment questionnaires, and resolving open issues. |
Data Feeds
| PCI Data Feed | Description |
|---|---|
| Autoscope_Card_Data_Environment_From Business_Processes_PATH_1.dfx5, Autoscope_Card_Data_Environment_From Business_Processes_PATH_2.dfx5, Autoscope_Card_Data_Environment_From Business_Processes_PATH_3.dfx5, Autoscope_Card_Data_Environment_From Business_Processes_PATH_4.dfx5 | These data feeds scope the first, second, third, and fourth path of assets into the Cardholder Data Environment (CDE) based on the selected business process. |
| Generate PCI Control Scoping Unit v6.11.dfx5 | This data feed generates the PCI controls (Control Scoping Unit records) that are specific to a Compliance Project. |
| Auto-Link PCI SAQ Findings To PCI Control Scoping Unit.dfx5 | This data feed links findings generated from the Self-Assessment Questionnaire (SAQ) to their corresponding Control Scoping Unit records. |
| Auto-Generate Findings For Control Scoping Unit v6.11.dfx5 | This data feed creates a finding for any Control Scoping Unit record that is assessed as Not in Place, In Place with Remediation, or In Place with CCW (compensating control worksheet). |
Data Dictionary
The PCI Management Data Dictionary contains configuration information for the use case.
You can obtain the Data Dictionary for the solution by contacting your Archer Technologies Account Representative.