It’s not uncommon for organizations to underestimate the importance of developing good network diagrams. Your company’s network diagrams are a critical component of your PCI compliance program and should not be overlooked or underdeveloped.
According to requirement 1.1.2 of the Payment Card Industry Data Security Standards (PCI DSS), your company must have “a current network diagram that identifies all connections between the cardholder data environment and other networks, including wireless networks.” For requirement 1.1.3, you must have “a current diagram that shows how all cardholder data flows across systems and networks.”
These diagrams are important for two reasons:
- First and foremost, they are intended to be tools for your team to better understand your company’s scope of compliance by illustrating the critical components of your cardholder data environment (CDE) and how cardholder data flows through the CDE.
- They also help your assessor understand where cardholder data is stored, processed, and transmitted in order to confirm whether you’ve properly defined your CDE.
We tend to look at these PCI DSS requirements simply to prove compliance, but they’re also in place to help us. Network diagrams ensure that both your team and your assessor are clear on what is and isn’t within scope.
Your compliance team is responsible for knowing exactly where CDE systems are located in the corporate network environment and how cardholder data moves throughout the environment. The goal of your network diagrams is to synthesize that information into an easy-to-understand illustration of your CDE.
A poorly designed or incomplete network diagram can imply that your team does not fully understand its environment. This gap is often a sure sign to an assessor that he or she should be on the lookout for potentially deeper issues.
We’re here to help you understand how to best meet Requirements 1.1.2 and 1.1.3. Here are a few qualities of good network diagrams.
It’s simple and easy to understand.
Often, we see network diagrams that go into too much detail about the individual system, network segment, and connectivity elements. The overload of information can make it difficult to distinguish between in-scope and out-of-scope components or to follow the flow of cardholder data through the environment.
Good PCI network diagrams should be easily understood by someone who is neither familiar with the network environment nor an information technology expert. People who are unfamiliar with the network should be able to easily identify the systems, network segments, and flows of credit card data that comprise your CDE.
Elements of a simple network diagram include:
- A clear indication of what is and is not in scope. Color-coding is very effective for this.
- A minimal structure with only necessary details. Start simple and add only as much detail as needed to represent the critical components of the CDE.
- A simple key that explains symbols, data flow paths, and color-coding.
It’s human nature to over-explain in an attempt to cover all our bases. While it’s important to present a full picture of your CDE, it’s just as important not to muddle the information with unnecessary, distracting details.
It clearly illustrates your CDE and the flow of cardholder data.
The key word here is “clearly,” and clarity should go hand in hand with simplicity.
Your team will use symbols, pictures, and color-coding to illustrate your CDE and how data flows through it. Using appropriate symbols for types of systems or groupings of systems, and boxes or shading around network segments and physical locations is very helpful. Also, use brief descriptions of these elements (e.g. Internet Firewall, Account Database Server, or DMZ Network) in addition to or instead of system or network names. While FWADSRV001 may make perfect sense to you, to the unfamiliar reader it may not. As mentioned before, include a key with your diagram for others to easily decipher symbols and color-coding.
A common problem is that network diagrams show where systems are located and how they’re connected (meeting Requirement 1.1.2) but fail to illustrate how cardholder data moves through the environment (Requirement 1.1.3). It’s necessary to show exactly where cardholder data enters the corporate environment, how it travels through your critical systems and networks, where it’s stored (if applicable), and where it exits for processing.
Remember, your diagram should include all critical systems that play a role in storing, processing, or transmitting cardholder data and provide a clear understanding of where they are located. In accordance with Requirement 2.4, your organization should maintain an inventory of in-scope system components. This inventory will be integral in identifying the critical systems to be clearly represented in your diagram.
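One way to keep the diagram tied to the Requirement 2.4 inventory is to generate it from that inventory rather than draw it by hand. The following Python script is an added example, not code from the original article or from LBMC; it takes a constructed, hypothetical inventory of components (each marked in scope or out of scope, with a plain-language description and a network segment) and a list of cardholder-data flows, emits a Graphviz DOT diagram with colour-coding, segment groupings, reader-friendly labels and a key, and flags any in-scope component that appears in no documented data flow, which is exactly the gap where a diagram satisfies Requirement 1.1.2 but not 1.1.3. The component names, segments and flows are invented for illustration.

```python
"""Generate a PCI-style network/data-flow diagram (Graphviz DOT) from a
system-component inventory, and check that every in-scope component
appears in at least one cardholder-data flow.

Added example with a constructed inventory; none of the hosts, segments
or flows below describe a real environment."""

from dataclasses import dataclass


@dataclass(frozen=True)
class Component:
    name: str          # hostname or identifier (the "FWADSRV001" style name)
    description: str   # plain-language label for the reader ("Account Database Server")
    segment: str       # network segment or physical location
    in_scope: bool     # part of, or connected to, the CDE


@dataclass(frozen=True)
class Flow:
    src: str           # component where cardholder data leaves
    dst: str           # component where it arrives
    label: str         # what moves, and how ("PAN over TLS")


# Constructed sample inventory (hypothetical; maps to the Requirement 2.4 list).
INVENTORY = [
    Component("FW-EDGE-01", "Internet Firewall", "DMZ Network", True),
    Component("WEB-01", "Payment Web Server", "DMZ Network", True),
    Component("APP-01", "Payment Application Server", "CDE Network", True),
    Component("DB-01", "Account Database Server", "CDE Network", True),
    Component("LOG-01", "Central Log Server", "Management Network", True),
    Component("HR-01", "HR File Server", "Corporate LAN", False),
]

# Constructed sample cardholder-data flows: entry, transit, storage, exit.
FLOWS = [
    Flow("FW-EDGE-01", "WEB-01", "PAN over TLS"),
    Flow("WEB-01", "APP-01", "PAN over TLS"),
    Flow("APP-01", "DB-01", "Encrypted PAN"),
    Flow("APP-01", "FW-EDGE-01", "Authorization request to processor"),
]


def check_flow_coverage(inventory, flows):
    """Return names of in-scope components that appear in no cardholder-data flow.

    A non-empty result means the diagram shows connectivity (1.1.2) for those
    components but no data flow (1.1.3); either the flow is undocumented or the
    component is in scope for another reason (e.g. connected-to, like a log
    server) and that reason should be stated in the key or notes."""
    names = {c.name for c in inventory}
    for f in flows:
        for end in (f.src, f.dst):
            if end not in names:
                raise ValueError(f"flow references component not in inventory: {end!r}")
    touched = {end for f in flows for end in (f.src, f.dst)}
    return sorted(c.name for c in inventory if c.in_scope and c.name not in touched)


def build_dot(inventory, flows):
    """Emit a Graphviz DOT graph: components grouped by segment, in-scope
    components coloured, nodes labelled by description, plus a key."""
    by_segment = {}
    for c in inventory:
        by_segment.setdefault(c.segment, []).append(c)
    lines = ["digraph cde {", "  rankdir=LR;", "  node [shape=box, style=filled];"]
    for i, (segment, comps) in enumerate(sorted(by_segment.items())):
        lines.append(f"  subgraph cluster_{i} {{")
        lines.append(f'    label="{segment}";')
        for c in comps:
            fill = "salmon" if c.in_scope else "lightgrey"
            lines.append(f'    "{c.name}" [label="{c.description}", fillcolor={fill}];')
        lines.append("  }")
    for f in flows:
        lines.append(f'  "{f.src}" -> "{f.dst}" [label="{f.label}", color=red];')
    lines += [
        "  subgraph cluster_key {",
        '    label="Key";',
        '    "key_in" [label="In scope (CDE)", fillcolor=salmon];',
        '    "key_out" [label="Out of scope", fillcolor=lightgrey];',
        '    "key_in" -> "key_out" [label="Cardholder data flow", color=red];',
        "  }",
        "}",
    ]
    return "\n".join(lines)


if __name__ == "__main__":
    print(build_dot(INVENTORY, FLOWS))
    missing = check_flow_coverage(INVENTORY, FLOWS)
    if missing:
        print("# Review: in-scope components with no documented data flow:", missing)
```

Render the output with `dot -Tpng`. In the sample data the log server is in scope but carries no cardholder data, so the coverage check lists it; that is the prompt to either document the flow that was missed or note in the diagram why the component is in scope, and running the script from the inventory on every change keeps the diagram and the Requirement 2.4 list from drifting apart.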
It’s updated after every change to the CDE.
Diagrams that are consistently updated show that there is a sufficient level of oversight for compliance and that the team is aware of their standing. As changes are made to your CDE, ensure that your team is modifying the network diagram to reflect those changes. You should schedule regular reviews of your network diagrams to ensure they’re up to date. Don’t wait until your annual assessment to find out all the ways the environment has changed over the last year, and that those changes have significantly affected your scope of compliance! The PCI DSS does not specify frequency but scheduling semi-annual reviews would be a good start.
Because there is likely more than one person contributing to these diagrams, it is also helpful to add version and permission-based controls to your document. This step will keep versions of your diagram consistent. Your team will need to document the date of each diagram modification to show your assessor that it’s current.
PCI compliance is more than a once-per-year assessment. Compliance requires your team to have a well-rounded understanding of its CDE and to adjust as changes are made. An up-to-date diagram makes it clear to your assessor that your company is actively monitoring your CDE to meet your PCI compliance objectives and not simply going through the motions when your assessment comes around.
It may feel as though PCI requirements are making your life more difficult, or that you’re having to jump through hoops to stay compliant. The reality of compliance, though, is that these requirements are there to help you and, more importantly, your customers and business partners who are relying on you to keep their data secure.
LBMC Information Security is here to help you understand your PCI requirements. Contact us today to learn more about your company’s PCI compliance.