PCI DSS and the Network Diagram
December 16, 2011
This post is designed to give a high level overview of what should be included in a network diagram and how to incorporate simple data flow indicators to help address the all important question of what is the scope of your PCI DSS assessment.
Network Documentation Overview
Network documentation is extremely valuable to a PCI DSS assessor, so valuable in fact that it is one of the first requirements listed in the Payment Card Industry Data Security Standard (PCI DSS). Requirement 1.1.2 in the PCI DSS requires the assessor to validate that a current network diagram with all connections to cardholder data, including any wireless networks, is available, and also to ensure that a process is in place to keep the diagram current. What I recommend to clients in addition to a network diagram is to highlight the card data flow on top of the network diagram. This is often overlooked because it is not called out as a specific requirement; however, documenting card data flows on top of the network diagram can be invaluable. When combined, a network diagram and card data flow information can help a company come to a unified and clear understanding of where card data is stored, processed or transmitted within their environment, as well as identify all supporting and connected systems and devices. So what does a network diagram do for you? A quality network diagram will illustrate 3 key points about your network:
- What devices exist on your network
- How are those devices connected
- Where are those devices physically located
Data flow indicators on your diagram will map out the following:
- Where does my data go
- Where the hand-offs are between encrypted data and unencrypted data
- Where data could possibly be stored
Now that we all agree we need network diagrams with a data flow illustration to document a PCI environment, the next logical question is what level of detail the diagrams need. Like many other subjective questions related to IT and security, the answer is: it depends.
Network Diagram Detail Levels
When talking about data flow diagrams there are typically 4 levels of diagrams that are referenced; each increase in level indicates more detail:
- Level 0 (context level) – The highest level view of a system; shows the system as a whole and its inputs and outputs from/to external factors.
- Level 1 – Illustrates the primary processes, data stores and destinations and how they are linked.
- Level 2 – Expansion of detail in the level 1 diagram that shows how information moves to and from each of the devices and processes. Any decision routines in the data flow should be clearly called out.
- Level 3 – Expansion of detail in the level 2 diagram.
In my approach to constructing network diagrams I take a very similar view of the level of detail outlined in a data flow diagram. I start with a Level 0 (context) diagram and map out key locations and connection points. From there I can begin to expand the level of detail across connection points and at each site by identifying key systems, data stores, and show some segmentation if it exists on the network. Finally, if needed, I can expand the level of detail again to get to a level 2 or 3 diagram.
Once the network diagrams are in good shape, it is very easy to document the card data flow by either using color-coded connection lines or even drawing arrows along the path(s) the card data will travel.
Most of the time, a level 1 diagram will be sufficient to document the logical layout of a network environment and highlight the card data flow. It is important to note that you do not have to have a single all-encompassing network diagram. For larger networks, or as the level of detail increases, it may be more practical to create multiple diagrams with links to each corresponding diagram.
Below are some simple examples of possible level 0, level 1 and level 2 diagrams for a merchant with a remote store location, a central processing center and branch offices.
Level 0 diagram – the diagram identifies key locations on the network and the arrows highlight the expected flow of card data.
In a PCI DSS assessment scenario, this level of diagram helps to identify the key locations that should be the focus of the assessment; however, it does not provide much insight into the number of devices or logical layout of the physical sites.
Level 1 Diagram – the diagram indicates primary connection points and devices in the data flow.
This diagram expands the level 0 diagram and highlights the key components at each physical location as well as a view into the logical layout within each physical location. Some companies will include additional detail like hostnames and IP addresses of network devices. While this is a good practice, this is not required for PCI.
Depending on the complexity of your network, this level of diagram may satisfy the assessor's needs for requirement 1.1.2.
A Level 2 Diagram could be created for each physical site by expanding the level of detail to all network components and devices including the telecom room, demarcation points, wiring, workstations and POS terminals.
This diagram expands the level 1 diagram and highlights devices and the logical layout within the merchant store location. Some diagrams can be very creative and even be documented on top of a floor map.
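As an added illustration (not from the original post), the following Python script models a small merchant network like the one described above, with a store, a processing center and a branch office, as a list of connection lines tagged with whether they carry card data and whether it is encrypted. From that one model it derives the three scope answers the post asks a diagram to give (which systems handle card data, which are merely connected to them, and where the encrypted/unencrypted hand-offs are) and emits a Graphviz DOT rendering with color-coded lines. All node names and the topology are constructed sample values.

```python
from collections import defaultdict

# Constructed sample topology: node -> physical location (level 0 sites)
NODES = {
    "pos-terminal": "store", "store-router": "store",
    "core-firewall": "processing-center", "payment-app": "processing-center",
    "txn-database": "processing-center", "branch-fileserver": "branch-office",
    "branch-router": "branch-office",
}
# One tuple per connection line: (src, dst, carries_card_data, encrypted)
EDGES = [
    ("pos-terminal", "store-router", True, False),     # swipe data on the store LAN
    ("store-router", "core-firewall", True, True),     # VPN across the WAN
    ("core-firewall", "payment-app", True, True),
    ("payment-app", "txn-database", True, False),      # decrypted for storage
    ("branch-router", "core-firewall", False, True),   # branch VPN, no card data
    ("branch-fileserver", "branch-router", False, False),
]

def cde_nodes(edges):
    """Systems that store, process or transmit card data (the CDE)."""
    return {n for s, d, card, _ in edges if card for n in (s, d)}

def connected_nodes(edges, cde):
    """Systems with a direct connection into the CDE but no card data of their own."""
    adj = {n for s, d, card, _ in edges
           if not card and (s in cde or d in cde) for n in (s, d)}
    return adj - cde

def handoff_nodes(edges):
    """Nodes where card data switches between encrypted and unencrypted."""
    states = defaultdict(set)   # node -> encryption states of card-data lines touching it
    for s, d, card, enc in edges:
        if card:
            states[s].add(enc)
            states[d].add(enc)
    return {n for n, encs in states.items() if len(encs) == 2}

def to_dot(nodes, edges):
    """Graphviz source: red = unencrypted card data, green = encrypted, grey = other."""
    lines = ["digraph pci {", "  rankdir=LR;"]
    for loc in sorted(set(nodes.values())):           # one cluster per physical site
        lines.append(f'  subgraph "cluster_{loc}" {{ label="{loc}";')
        lines += [f'    "{n}";' for n in sorted(nodes) if nodes[n] == loc]
        lines.append("  }")
    for s, d, card, enc in edges:
        color = ("green" if enc else "red") if card else "grey"
        lines.append(f'  "{s}" -> "{d}" [color={color}];')
    return "\n".join(lines + ["}"])

if __name__ == "__main__":
    print(to_dot(NODES, EDGES))
```

Piping the output through `dot -Tpng` gives a level 1 style picture; the red lines are the segments an assessor will want to look at first, and the hand-off nodes are where decryption happens and therefore where keys and storage need attention.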
Network Diagramming Tools
Once you have an idea of the level of detail you want your diagrams to have, what tool should you use to build the diagrams? Any software with drawing capability can be used to create a network diagram; I have seen some very good diagrams created using tools like Microsoft PowerPoint. However, working with a tool that is designed to produce diagrams is recommended. These tools will include things like component symbols, the ability to embed object properties into a graphic, diagram linking and transitions. Some examples of tools that provide this functionality and more are Microsoft Visio, SmartDraw, and Network Notepad. There are many others, including free tools that will get the job done. Use the tools that fit your needs and budget.
If your company doesn't already have these types of diagrams available, you will be required to have one for a PCI DSS assessment. Once you have a quality diagram available for use and illustration, I am willing to bet you will continue to document other key processes in the same manner. Now get to diagramming!