Anyone have any recommendations for internal collaboration software and final ROC delivery reporting. I was thinking of using MS Sharepoint to build the 12 requirements and sub-points and provide comments under each one with links to procedures, policies, and network diagrams, but this doesn't seem to work well for ROC delivery to the processor. Any recommendations for a logical one-stop shop of internal collaboration and ROC reporting?

I really don't think you'll be able to get ROC automation with Sharepoint, Word, VBA and macros just because of the requirements to consolidate and distill the results of your efforts in the ROC. Even if you do this somewhere in Sharepoint, you could have just as easily done it in the ROC to begin with.

That said, we have a number of clients that are using Sharepoint, Lotus Notes, Hummingbird and a number of other document management solutions to track and manage work papers and other artifacts related to the ROC process.

OK. Thanks. Do you have any recommendations for ROC automation software. From what I've seen most compliance management software is centered around the scan reporting, but less focus on document repositories for procedures and such.

OK. Thanks. Do you have any recommendations for ROC automation software. From what I've seen most compliance management software is centered around the scan reporting, but less focus on document repositories for procedures and such.

Try OneComply. This allows you to track PCI, ISO, BITS initiatives.
http://www.sourcesentry.com/OneComply.htm

If you already have Sharepoint, Lotus Notes/Domino, Hummingbird or other document management solution, they are more than capable of tracking your PCI compliance effort. You may have some minor development effort, but it should not be a large effort.

I have some clients that track everything from the PCI Security Audit Procedures (SAP) Word document and embedding the supporting documentation in the relevant boxes in the SAP. They keep the document in a public folder on their Exchange system.

However, I would not necessarily invest a significant amount in a specialized commercial solution unless you have to.