Answering "yes" is always preferred: it feels great to say "Of course we do that!", and it is the easiest way to remove a potential InfoSec blocker.
(When we say "yes" here, we mean the answer the asking organization is hoping for.)
Many of your SAQ and DDQ answers will be an obvious yes. Great, that was easy, next!
But what if it's not an obvious yes? The first thing to do is consider question intent:
- Why did the organization ask this?
- What are they guarding against?
We have a favorite example that we see often, and it always provokes some teeth-gritting:
Do you perform daily, weekly, and monthly backups, including incremental backups?
Here at RFPHead the honest answer is no. We don't do any traditional backups at all, but that doesn't mean our data isn't safe and highly durable: we keep it in S3 with versioning enabled. S3 is designed for 99.999999999% (eleven nines) of durability against storage failure, and versioning keeps every overwritten or deleted object recoverable as a prior version, so an accidental write or delete is reversible. That exceeds the durability we would likely achieve by running our own daily, weekly, and monthly backups.
For this question the intent is obvious: the organization almost certainly doesn't care how we do backups, just that we have a copy of the data, test that we can restore it, and can recover if things go wrong. With this in mind, we have no problem answering yes and explaining our approach and data durability in the comment; the reviewer's real concern is whether a deleted or overwritten object can be recovered, so that is worth spelling out there too.
Sidebar: the reason we have a strong opinion about this type of question is that it prescribes a specific technical solution instead of asking for the outcome that matters. A much better question would be:
What is your expected data durability, and what are your Recovery Point Objectives (RPOs) and Recovery Time Objectives (RTOs) in case of data loss or corruption?