Three tips for PCI compliant network diagrams.

If you were to ask network architects and engineers about their favorite part of the job, I doubt any of them will respond with “creating and maintaining network documentation.” It’s not the most glamorous task—yet requirements 1.1.2 and 1.1.3 of the Payment Card Industry Data Security Standard (PCI DSS), along with general good security hygiene, render it a necessary one.

Part of this requirement involves creating network infrastructure and data-flow diagrams related to the Cardholder Data Environment (CDE). Although the diagramming process can be tedious and time-consuming—preventing many companies from diagramming at all, much less taking adequate time to make diagrams accurate and keep them up to date—you can’t overstate the importance of network documentation. Accurate documentation leads to accurate scoping and an assurance, for both your company and your QSA, that your network has been set up securely.

Follow these three tips to keep your network well-documented, in turn making your life and your QSA’s life easier.

SEE ALSO: IT Checklists for PCI Compliance 

1. Find a program to streamline the process

If you found yourself nodding in agreement as we mentioned the tedium of network documentation, you need to find a program that removes at least some of the hassle. Solutions like Lucidchart or Visio can simplify the diagramming process greatly.

For example, Lucidchart has created shape libraries specific to many different network types, including Cisco networks, Amazon Web Services (AWS), Microsoft Azure, Google Cloud Platform (GCP), and general network infrastructure. Instead of tracking down or drawing crude sketches of network shapes, you have professional stencils representing a wide variety of network components, reducing the overall time it takes to build an accurate and professional-looking network diagram.

Lucidchart’s platform also offers an AWS architecture import. Users can simply enter their AWS credentials or run a bash script to import data and automatically generate a completed AWS diagram. Internally, this feature has saved us thousands of dollars a year in assessments and compliance.

This makes it easier to keep your documentation up to date because you simply add new components, lines, or segments whenever you add them to your network.

SEE ALSO: PCI FAQs

2. Create a single source of truth

In an ideal world, only one person would be responsible for keeping a given piece of documentation up to date and accurate. However, multiple people are typically involved with maintaining network infrastructure, handling card data, and completing other work that affects your PCI compliance . As a result, numerous (and conflicting) versions of the same documentation are commonly found in emails, network shares, and individual machines, making it difficult to nail down the most recent and complete document.

Maintain a single source of truth—with permission-based controls for viewing, commenting, and editing—so you can easily share documentation as you gather input and make changes to your infrastructure.

Selecting the right diagramming solution can help you collaborate more effectively with others and manage storage and version control of your network documentation in a secure, accessible way. Whichever platform you choose should include access rights and revision history, so you can limit access to authoritative documents, see who changed what, access previous diagrams to correct errors, and get a historical view of the system.

As you create this collaborative network documentation workspace, keep in mind that you can leverage the network documentation for more than just evidence of PCI compliance—you can create diagrams with different levels of complexity to share externally with your vendors, customers, partners, etc.