How to Prepare Network Documentation for PCI DSS Compliance Requirements?

Published 2021-03-26, updated 2023-10-09. Source: https://pcidssguide.com/how-to-prepare-network-documentation-for-pci-dss-compliance-requirements/
PCI DSS requires organizations to establish and maintain a secure network with a secure configuration of firewalls and routers. By taking advantage of network security controls, organizations can prevent criminals from accessing payment system networks and stealing cardholder data.

The development and maintenance of network documentation are covered by PCI DSS Requirements 1.1.2 and 1.1.3. Basically, network documentation consists of a network diagram and a data flow diagram.

See Also: PCI DSS Requirement 1 Explained

The diagram requirements include the creation of network infrastructure and data flow diagrams for the Cardholder Data Environment (CDE). Correct documentation assures both your company and your QSA that your network is set up securely.

See Also: PCI DSS Network and Data Flow Diagrams

PCI DSS Requirement 1.1.2 states that organizations must have a current network diagram that identifies all connections between the Cardholder Data Environment (CDE) and other networks, including all wireless networks.

See Also: PCI DSS Firewall Requirements

PCI DSS Requirement 1.1.3 requires organizations to have an up-to-date diagram showing all cardholder data flows between systems and networks.

Network documentation is essential for network maintenance, security design, and incident response tasks, and it will always be essential for your institution. Network diagrams help define and visualize the entire PCI DSS scope, or CDE.

Your network documentation should include the three elements described in the sections below.

The first step in PCI compliance is to make sure you meet the minimum requirements described below. With these tips, you can streamline the process of creating professional diagrams and network documentation that meet PCI compliance requirements and help you manage your network through change.

Create a formal testing process and attach it to the network document.

A systematic testing procedure for any change to firewall and router settings should be included in the network documentation and the information security policy. One way to test changes to the firewall configuration is to perform a detailed port scan of the hosts protected by the firewall. Another way to test changes to the router configuration is to use the ping and traceroute commands common to most network-enabled operating systems.

Create your updated network diagram and attach it to the network document.

The network documentation should include an up-to-date network diagram showing all network connections to cardholder data. In your network diagram, you must identify all network devices in the PCI DSS scope, especially the components that store, process, or transmit cardholder data.

The network diagram should also cover all entities in your environment, or at least all asset types. You need to specify exactly where your assets are, how they connect to the network, and the methods and tools you use to control traffic.

As part of the network documentation, you need to indicate where your firewalls and routers are located and whether you have wireless devices. If wireless devices are in your environment, they should be shown in the network diagram whether or not they are in scope.

See Also: What Is Documentation Security and Why It Matters?

If you are being evaluated against PCI standards, you must have a firewall between your cardholder data environment and your wireless access points.

Your network diagram should also show where your IPS / IDS is located. Assessors need to see that they are positioned at the perimeter of your network and at any other areas of your environment that you identify as critical.

Once all relevant network devices are placed, draw the network connections between them, including wireless connections, and the connections to external networks such as the Internet. Ensure you keep the network diagram up to date and delegate responsibility for maintaining network documentation to qualified personnel.

The aim of data flow and network diagrams is to help your company and employees understand where these assets are and where they must be fully protected. You are probably not defending your assets properly if you don't know where they are.

Create your cardholder data flow diagram and attach it to your network document.

Determine where cardholder data is stored on your network and how it flows across the network. Make a copy of the network diagram and add the information necessary to explain the cardholder data flow.

The purpose of data flow diagrams is for your organization to understand precisely where sensitive assets such as cardholder data are located across your entire network. If you are not aware of where your assets are currently located, you are probably not protecting them properly.