Creating a Data Flow Diagram
How Does Data Flow Through Your AWS Environment?
The need for comprehensive data flow diagram is called out in PCI Requirement 1.1.3, which requires that organizations have a “current diagram that shows all cardholder data flows across systems and networks.” Creating a data flow diagram specifically for your AWS environment is a critical step for PCI compliance and it will be used from the start, during scoping. Without a documented data flow diagram, you cannot accurately define the scope or functions of your cardholder data environment.
An effective data flow diagram should be sequenced, should follow the data lifecycle, and should ultimately address where your cardholder data is, who interacts with it, and if it’s subject to PCI DSS requirements. Once your data flow diagram is created, you should understand the entire flow of cardholder data through your AWS environment.
Transcription
For PCI compliance in your AWS environment, one of the critical steps that you have to take is documenting a data flow diagram. It’s a PCI requirement, but really from a practical sense, you have to understand the flow of data through your environment in order to understand how you should be protecting it. Your diagram needs to represent exactly what’s happening from your client’s system. When they’re initiating a transaction with the application that’s hosted in AWS, the traffic passes through your web application firewall and through your API endpoint into the VPC and the instances that are contained within. There’s traffic that happens from the web services to the backend database. You want to document this flow exactly where the traffic goes, and you want to illustrate the protocols that are utilized and the security mechanisms that are used to encrypt data at certain points throughout the transaction. If you need an example of a good data flow diagram, AWS has published materials that are very helpful for considering how to comply with PCI in your environment. Check the description down below for a link to a good example. If you need help putting your diagram together, please reach out to us here at KirkpatrickPrice.
Transcription
For PCI compliance in your AWS environment, one of the critical steps that you have to take is documenting a data flow diagram. It’s a PCI requirement, but really from a practical sense, you have to understand the flow of data through your environment in order to understand how you should be protecting it. Your diagram needs to represent exactly what’s happening from your client’s system. When they’re initiating a transaction with the application that’s hosted in AWS, the traffic passes through your web application firewall and through your API endpoint into the VPC and the instances that are contained within. There’s traffic that happens from the web services to the backend database. You want to document this flow exactly where the traffic goes, and you want to illustrate the protocols that are utilized and the security mechanisms that are used to encrypt data at certain points throughout the transaction. If you need an example of a good data flow diagram, AWS has published materials that are very helpful for considering how to comply with PCI in your environment. Check the description down below for a link to a good example. If you need help putting your diagram together, please reach out to us here at KirkpatrickPrice.
Related Videos
Creating a Network Diagram
Define a Password Reset Procedure to Authenticate Requests
Define the Boundaries of Your Systems
How To Build Workforce Awareness Around Incident Response
How To Govern the Use of Mobile Devices
How to Evaluate the Maturity of Your Security Awareness Training
Improve Your Security Policy With FBI CJIS
Maintain Logs for Audit Accountability
PCI Requirement 10.9 – Document Policies & Procedures for Monitoring Access to Network Resources
PCI Requirement 11.6 – Ensure Security Policies for Security Monitoring are Documented
PCI Requirement 12- Maintain a Policy that Addresses Information Security for All Personnel
PCI Requirement 12.1 & 12.1.1 – Establish, Publish, Maintain, and Disseminate a Security Policy
PCI Requirement 12.3 – Develop Usage Policies for Critical Technologies
PCI Requirement 12.3.1 – Explicit Approval by Authorized Parties
PCI Requirement 12.3.10 – Prohibit the Moving of Cardholder Data onto Local Hard Drives
PCI Requirement 12.3.2 – Authentication for Use of the Technology
PCI Requirement 12.3.3 – A List of All Such Devices and Personnel with Access
PCI Requirement 12.3.4 – A Method to Accurately Determine Owner, Contact Information, and Purpose
PCI Requirement 12.3.5 – Acceptable Uses of the Technology
PCI Requirement 12.3.6 – Acceptable Network Locations for the Technologies
PCI Requirement 12.3.7 – List of Company-Approved Products
PCI Requirement 12.4 – Ensure Security Policies & Procedures Define Responsibilities for All
PCI Requirement 12.5.1 – Establish, Document, and Distribute Security Policies and Procedures
PCI Requirement 12.6.2 – Require Personnel to Read and Understand Security Policies and Procedures
PCI Requirement 5.4 – Ensure Security Policies and Procedures are Known to all Affected Parties
PCI Requirement 6.7 – Ensure Policies & Procedures for Systems Are Documented, in Use & Known
PCI Requirement 9.10 – Ensure Policies for Restricting Physical Access to Cardholder Data are Known
Physical Security Policy in a Remote World
Prepare for a Formal Audit
Publish and Maintain an Information Security Policy
Quarterly Reviews of Your Security Program
The Components of a System Security Plan
The Importance of Following a Remote Access Policy
The Importance of Keeping Security Training Records
The Importance of a Perimeter Security Monitoring Policy
Use Alerts to Enforce Your Access Control Policy
Verify Internal Log Processes
