Control Self-Assessment Interface

The CSA interface consists of a Requirement Information Panel and the Response Panel. The interface is designed to provide all the necessary information for control owners to assess and describe the controls currently in place to address the requirements, assess the control effectiveness, and provide evidence supporting their statements.

Requirement Information Panel (outlined in red below)

Practice: This is a brief description of the control using informal language.

Policy Document: This is a link to the policy associated with the requirement topic. This allows control owners to quickly review the organization’s policy, referenced procedures, and requirements so they can confirm the people and the technology are compliant with the framework requirements and organization policy. Most frameworks will require organization policy to specifically address compliance requirements and will expect controls to be aligned with organization policy.

Requirements: This is the requirement number and verbiage from the framework directly. This is the language with which the control owner must demonstrate compliance.

Purpose of the requirement: This provides some additional context for meeting this requirement. Control owners need to understand the intent of the control to provide a holistic response.

Key Questions: These are informal questions that control owners should ask themselves to better understand the purpose of the requirement and to consider evidence that should be provided or compensating controls that should be considered in the response.

Example Controls: The examples help the control owner consider aspects of their control environment that will help them write a formal description of controls. The example provided may address some but not all the requirements. They are there for reference and should not be copied directly into the “Description of Current Controls” cell in the Response panel.

Risk Category: There are multiple risk categories to allow the organization to focus resources in specific areas. Each control is designed to address at least one area of risk. While a control may address multiple areas of risk, select the one that is most appropriate.

Example Evidence: The examples help the control owner consider what evidence auditors will need to see to prove controls were suitably designed to address the requirements and operating effectively. The examples provided may address some but not all the requirements. They are there for consideration, but additional evidence may be required.

The Control Self-Assessment Interface

Response Panel (outlined in orange above)

Description of Current Controls: This should be a brief description of one or more controls that are in place to address the requirement. Control statements should be brief, clear, and sufficiently detailed to allow others to review the attached evidence and conclude that the controls are suitably designed and operating effectively to meet the requirements. In almost all cases, you should write fewer than 500 characters and should apply only 1-3 controls to address each requirement.

Was the control executed timely, accurately and completely?

  • Select “Yes” if the control was/is executed as required at the frequency required.
  • Select “No” if one or more of these assertions is inaccurate.
  • Rarely, you may need to select “Not Applicable” if the requirement or controls are not applicable. Use the “Description of the Issue” cell to describe why this is not applicable.
  • Rarely, you may need to select that you have insufficient information to prove the controls are in place. Use the “Description of the Issue” cell to describe why this was selected. This should be treated as a risk and managed through the Risk Management process.

Was the control compliant with requirements?

  • Select “Yes” if the control(s) was/is compliant with the requirement.
  • Select “No” if the control(s) was/is NOT compliant with the requirement.
  • Rarely, you may need to select “Not Applicable” if the requirement or controls are not applicable. Use the “Description of the Issue” cell to describe why this is not applicable.
  • Rarely, you may need to select that you have insufficient information to prove the controls are in place. This should be treated as a risk and managed through the Risk Management process.

Were any issues with this control identified during the period? Briefly describe the issue.

  • Select “No” if the control was/is executed as required at the frequency required and there were no issues with executing the control or collecting evidence at any time since the last CSA.
  • Select “Yes” if one or more of these assertions is inaccurate.
  • Rarely, you may need to select “Not Applicable” if the requirement or controls are not applicable. Use the “Description of the Issue” cell to describe why this is not applicable.
  • Rarely, you may need to select that you have insufficient information to prove the controls are in place. Use the “Description of the Issue” cell to describe why this was selected. This should be treated as a risk and managed through the Risk Management process.

Description of the Issue: Any issues that were identified in the execution of the control or collection of evidence even if compliance with the requirement was proven. Issues identified here may just be opportunities for improvement of the existing process or may be issues that the quality assurance reviewer may wish to address through risk management.

Control Effectiveness Assertion: The control owner provides a rating of the effectiveness of the control(s) in reliably meeting the requirement on a scale of 1 to 5 according to the table below:

Rating | Label | Meaning
1 | Non-existent | Controls in place do not meet the requirement and/or pose a serious risk to the confidentiality, integrity, or availability of data or information systems.
2 | Initial | Controls are in place and meet the requirement but are ad hoc, manual, or rely on individual responsibility to ensure complete, accurate, and timely execution. Policies and/or procedures are not formally documented.
3 | Defined | Controls are well defined and documented; there is consistency even in times of change; overall control awareness exists; control gaps are detected and remediated timely; performance monitoring is informal, placing great reliance on the diligence of people and independent audits.
4 | Managed | Key performance indicators and monitoring techniques are employed to measure success; there is greater reliance on prevention versus detection controls; strong self-assessment of operating effectiveness by process owners occurs; change of accountability exists and is well understood.
5 | Optimized | Controls are operating effectively, fully meet the requirements, and are executed automatically, and there is extensive use of dashboards and metrics providing leadership with visibility.

Control Effectiveness Rating Table

When all fields have been completed and evidence attached, click “Complete Self-Assessment”. A screen will pop up asking you to confirm that the record should be submitted.

Confirm Submission of a CSA