 |
| Nathan Cooper, CISSP |
Three tips for PCI compliant network diagrams.
If you were to ask network architects and engineers about their favorite part of the job, I doubt any of them will respond with “creating and maintaining network documentation.” It’s not the most glamorous task—yet requirements 1.1.2 and 1.1.3 of the Payment Card Industry Data Security Standard (PCI DSS), along with general good security hygiene, render it a necessary one.
Part of this requirement involves creating network infrastructure and data-flow diagrams related to the Cardholder Data Environment (CDE). Although the diagramming process can be tedious and time-consuming—preventing many companies from diagramming at all, much less taking adequate time to make diagrams accurate and keep them up to date—you can’t overstate the importance of network documentation. Accurate documentation leads to accurate scoping and an assurance, for both your company and your QSA, that your network has been set up securely.
Follow these three tips to keep your network well-documented, in turn making your life and your QSA’s life easier.
SEE ALSO: IT Checklists for PCI Compliance
If you found yourself nodding in agreement as we mentioned the tedium of network documentation, you need to find a program that removes at least some of the hassle. Solutions like Lucidchart or Visio can simplify the diagramming process greatly.
For example, Lucidchart has created shape libraries specific to many different network types, including Cisco networks, Amazon Web Services (AWS), Microsoft Azure, Google Cloud Platform (GCP), and general network infrastructure. Instead of tracking down or drawing crude sketches of network shapes, you have professional stencils representing a wide variety of network components, reducing the overall time it takes to build an accurate and professional-looking network diagram.
Lucidchart’s platform also offers an AWS architecture import. Users can simply enter their AWS credentials or run a bash script to import data and automatically generate a completed AWS diagram. Internally, this feature has saved us thousands of dollars a year in assessments and compliance.
This makes it easier to keep your documentation up to date because you simply add new components, lines, or segments whenever you add them to your network.
SEE ALSO: PCI FAQs
In an ideal world, only one person would be responsible for keeping a given piece of documentation up to date and accurate. However, multiple people are typically involved with maintaining network infrastructure, handling card data, and completing other work that affects your PCI compliance. As a result, numerous (and conflicting) versions of the same documentation are commonly found in emails, network shares, and individual machines, making it difficult to nail down the most recent and complete document.
Maintain a single source of truth—with permission-based controls for viewing, commenting, and editing—so you can easily share documentation as you gather input and make changes to your infrastructure.
Selecting the right diagramming solution can help you collaborate more effectively with others and manage storage and version control of your network documentation in a secure, accessible way. Whichever platform you choose should include access rights and revision history, so you can limit access to authoritative documents, see who changed what, access previous diagrams to correct errors, and get a historical view of the system.
As you create this collaborative network documentation workspace, keep in mind that you can leverage the network documentation for more than just evidence of PCI compliance—you can create diagrams with different levels of complexity to share externally with your vendors, customers, partners, etc.
Part of this requirement involves creating network infrastructure and data-flow diagrams related to the Cardholder Data Environment (CDE). Although the diagramming process can be tedious and time-consuming—preventing many companies from diagramming at all, much less taking adequate time to make diagrams accurate and keep them up to date—you can’t overstate the importance of network documentation. Accurate documentation leads to accurate scoping and an assurance, for both your company and your QSA, that your network has been set up securely.
Follow these three tips to keep your network well-documented, in turn making your life and your QSA’s life easier.
SEE ALSO: IT Checklists for PCI Compliance
1. Find a program to streamline the process
If you found yourself nodding in agreement as we mentioned the tedium of network documentation, you need to find a program that removes at least some of the hassle. Solutions like Lucidchart or Visio can simplify the diagramming process greatly.
For example, Lucidchart has created shape libraries specific to many different network types, including Cisco networks, Amazon Web Services (AWS), Microsoft Azure, Google Cloud Platform (GCP), and general network infrastructure. Instead of tracking down or drawing crude sketches of network shapes, you have professional stencils representing a wide variety of network components, reducing the overall time it takes to build an accurate and professional-looking network diagram.
Lucidchart’s platform also offers an AWS architecture import. Users can simply enter their AWS credentials or run a bash script to import data and automatically generate a completed AWS diagram. Internally, this feature has saved us thousands of dollars a year in assessments and compliance.
This makes it easier to keep your documentation up to date because you simply add new components, lines, or segments whenever you add them to your network.
SEE ALSO: PCI FAQs
2. Create a single source of truth
In an ideal world, only one person would be responsible for keeping a given piece of documentation up to date and accurate. However, multiple people are typically involved with maintaining network infrastructure, handling card data, and completing other work that affects your PCI compliance. As a result, numerous (and conflicting) versions of the same documentation are commonly found in emails, network shares, and individual machines, making it difficult to nail down the most recent and complete document.
Maintain a single source of truth—with permission-based controls for viewing, commenting, and editing—so you can easily share documentation as you gather input and make changes to your infrastructure.
Selecting the right diagramming solution can help you collaborate more effectively with others and manage storage and version control of your network documentation in a secure, accessible way. Whichever platform you choose should include access rights and revision history, so you can limit access to authoritative documents, see who changed what, access previous diagrams to correct errors, and get a historical view of the system.
As you create this collaborative network documentation workspace, keep in mind that you can leverage the network documentation for more than just evidence of PCI compliance—you can create diagrams with different levels of complexity to share externally with your vendors, customers, partners, etc.
3. Review and update documentation quarterly or after any infrastructure changes
Businesses constantly evolve, scale, and look to become more efficient. These efforts often bleed into the way business networks are set up and the different methods companies use to accept, process, and store credit cards. For example, many companies have moved their network infrastructure into the cloud using services like AWS, Azure, and GCP to better accommodate fluctuating bandwidth demands, offload system maintenance, and transfer the compliance burden.
Once you’ve created your initial network documentation, review and update your diagrams when changes are made to ensure that your document reflects an accurate representation of your current network and business processes. This practice will keep you aware of potential network security vulnerabilities and provide the required documented information your auditor will need in order to validate your PCI compliance during your next assessment.
Network documentation will always be necessary—but it doesn’t have to be a necessary evil. With these tips, you can streamline the process for creating professional diagrams that meet compliance and help you manage your network through growth and change.
Lucidchart allows users to build high-quality network infrastructure and data-flow diagrams related to the Cardholder Data Environment (CDE). These diagrams help to define and visualize the entire PCI DSS scope or the CDE. If your business uses Amazon Web Services (AWS) for your network infrastructure, see how our company saved nearly 12 hours while documenting our network.
Nathan Cooper has been working to protect Lucid and Lucid's customers since he joined the team in 2015. He obtained his Masters of Information Systems Management from Brigham Young University and is a current Certified Information Systems Security Professional (CISSP).
