Creating a Network Diagram
How Does Your AWS Environment Connect to the CDE?
An up-to-date, comprehensive network diagram is required by PCI Requirement 1.1.2, which states that organizations must have a “current network diagram that identifies all connections between the Cardholder Data Environment (CDE) and other networks, including any wireless networks.”
To comply with this critical element of PCI compliance for AWS environments, we recommend maintaining two types of network diagrams: a high-level diagram and a very detailed diagram. Your network diagram needs to illustrate all of the connections within your AWS environment related to traffic flow and systems, including:
· Boundaries of your in-scope networks
· All points where traffic enters and exists your networks
· Network access controls for both trusted and untrusted networks
· In-scope resources and technologies
· Any system that impacts the security of the cardholder data environment
Creating a network diagram for your AWS environment is a critical step for PCI compliance that requires thoughtfulness to achieve the level of detail required.
Transcription
Transcription
An important requirement for PCI compliance in your AWS environment is having a network diagram. In the Report on Compliance, there are actually two spots for network diagrams. There’s a place for a high-level diagram and then there’s one for a very specific, detailed diagram. It’s a good idea to maintain both of these documents. At a detailed level, you want to show all of the connections within your environment that relate to the traffic flow and systems that are connected to one another. In order to determine which systems are in scope and which systems are out of scope, you want to have something in your document that shows the out-of-scope networks. You’ll want to represent the network access controls that you have in place taking those systems out of scope. For things that are in scope, you’ll want to consider shared services such as logging services and patching servers, or directory services from active directory or something like that. Too often, people leave those out of their network diagram when they’re actually in scope because they’re providing a very important service to the environment in order to maintain the environment.
The other thing that people miss in their network diagram would be systems that are connected to the environment but also maybe affect the security of the environment. Systems that are managing the cardholder data environment, things that are providing security services, IT Professionals who are connecting in order to perform certain tasks; it’s very important to illustrate how those connections are happening because there are components that will be potentially be in scope that need to be represented on your network diagram. Be sure to check out the description below where we’ve provided some links to some examples of good network diagrams for PCI compliance. AWS has published some of those. The PCI Security Standards Council has published some as well. We want those to be good examples for you to follow, but as always, please reach out to us if you need some help putting that diagram together.
Related Videos
Creating a Data Flow Diagram
Define a Password Reset Procedure to Authenticate Requests
Define the Boundaries of Your Systems
How To Build Workforce Awareness Around Incident Response
How To Govern the Use of Mobile Devices
How to Evaluate the Maturity of Your Security Awareness Training
Improve Your Security Policy With FBI CJIS
Maintain Logs for Audit Accountability
PCI Requirement 10.9 – Document Policies & Procedures for Monitoring Access to Network Resources
PCI Requirement 11.6 – Ensure Security Policies for Security Monitoring are Documented
PCI Requirement 12- Maintain a Policy that Addresses Information Security for All Personnel
PCI Requirement 12.1 & 12.1.1 – Establish, Publish, Maintain, and Disseminate a Security Policy
PCI Requirement 12.3 – Develop Usage Policies for Critical Technologies
PCI Requirement 12.3.1 – Explicit Approval by Authorized Parties
PCI Requirement 12.3.10 – Prohibit the Moving of Cardholder Data onto Local Hard Drives
PCI Requirement 12.3.2 – Authentication for Use of the Technology
PCI Requirement 12.3.3 – A List of All Such Devices and Personnel with Access
PCI Requirement 12.3.4 – A Method to Accurately Determine Owner, Contact Information, and Purpose
PCI Requirement 12.3.5 – Acceptable Uses of the Technology
PCI Requirement 12.3.6 – Acceptable Network Locations for the Technologies
PCI Requirement 12.3.7 – List of Company-Approved Products
PCI Requirement 12.4 – Ensure Security Policies & Procedures Define Responsibilities for All
PCI Requirement 12.5.1 – Establish, Document, and Distribute Security Policies and Procedures
PCI Requirement 12.6.2 – Require Personnel to Read and Understand Security Policies and Procedures
PCI Requirement 5.4 – Ensure Security Policies and Procedures are Known to all Affected Parties
PCI Requirement 6.7 – Ensure Policies & Procedures for Systems Are Documented, in Use & Known
PCI Requirement 9.10 – Ensure Policies for Restricting Physical Access to Cardholder Data are Known
Physical Security Policy in a Remote World
Prepare for a Formal Audit
Publish and Maintain an Information Security Policy
Quarterly Reviews of Your Security Program
The Components of a System Security Plan
The Importance of Following a Remote Access Policy
The Importance of Keeping Security Training Records
The Importance of a Perimeter Security Monitoring Policy
Use Alerts to Enforce Your Access Control Policy
Verify Internal Log Processes
