Three tips for PCI compliant network diagrams
Part of this requirement involves creating network infrastructure and data-flow diagrams related to the Cardholder Data Environment (CDE). Although the diagramming process can be tedious and time-consuming—preventing many companies from diagramming at all, much less taking adequate time to make diagrams accurate and keep them up to date—you can’t overstate the importance of network documentation. Accurate documentation leads to accurate scoping and an assurance, for both your company and your QSA, that your network has been set up securely.
Follow these three tips to keep your network well-documented, in turn making your life and your QSA’s life easier.
1. Find a program to streamline the network diagram process
For example, Lucidchart has created shape libraries specific to many different network types, including Cisco networks, Amazon Web Services (AWS), Microsoft Azure, Google Cloud Platform (GCP), and general network infrastructure. Instead of tracking down or drawing crude sketches of network shapes, you have professional stencils representing a wide variety of network components, reducing the overall time it takes to build an accurate and professional-looking network diagram.
Lucidchart’s platform also offers an AWS architecture import. Users can simply enter their AWS credentials or run a bash script to import data and automatically generate a completed AWS diagram. Internally, this feature has saved us thousands of dollars a year in assessments and compliance.
This makes it easier to keep your documentation up to date because you simply add new components, lines, or segments whenever you add them to your network.
2. Create a single source of truth
In an ideal world, only one person would be responsible for keeping a given piece of documentation up to date and accurate. However, multiple people are typically involved with maintaining network infrastructure, handling card data, and completing other work that affects your PCI compliance. As a result, numerous (and conflicting) versions of the same documentation are commonly found in emails, network shares, and individual machines, making it difficult to nail down the most recent and complete document.
Maintain a single source of truth—with permission-based controls for viewing, commenting, and editing—so you can easily share documentation as you gather input and make changes to your infrastructure.
Selecting the right diagramming solution can help you collaborate more effectively with others and manage storage and version control of your network documentation in a secure, accessible way. Whichever platform you choose should include access rights and revision history, so you can limit access to authoritative documents, see who changed what, access previous diagrams to correct errors, and get a historical view of the system.
As you create this collaborative network documentation workspace, keep in mind that you can leverage the network documentation for more than just evidence of PCI compliance—you can create diagrams with different levels of complexity to share externally with your vendors, customers, partners, etc.
3. Review and update documentation quarterly or after any infrastructure changes
Businesses constantly evolve, scale, and look to become more efficient. These efforts often bleed into the way business networks are set up and the different methods companies use to accept, process, and store credit cards. For example, many companies have moved their network infrastructure into the cloud using services like AWS, Azure, and GCP to better accommodate fluctuating bandwidth demands, offload system maintenance, and transfer the compliance burden.
Lucidchart allows users to build high-quality network infrastructure and data-flow diagrams related to the Cardholder Data Environment (CDE). These diagrams help to define and visualize the entire PCI DSS scope or the CDE. If your business uses Amazon Web Services (AWS) for your network infrastructure, see how our company saved nearly 12 hours while documenting our network.
Nathan Cooper has been working to protect Lucid and Lucid's customers since he joined the team in 2015. He obtained his Masters of Information Systems Management from Brigham Young University and is a current Certified Information Systems Security Professional (CISSP).