PCI DSS Requirement 1.1.2 is an often overlooked area within the PCI framework for assessment. That’s also a shame because it’s such a critical component for helping lay the groundwork for true clarity and transparency for the assessment itself. The problem with most organizations that have network diagrams and topology documents in place is that they are old, outdated, too high-level, void of the necessary detail you need to clearly help understand the cardholder environment for purposes of PCI DSS compliance. A good rule of thumb is to include as much information in the network diagrams and topology documents for helping assess scope and all “system components” that are directly or indirectly related to the storage, transmission, or processing of cardholder data.
Take a look at this comprehensive list I recently put together for a client regarding his network diagram and topology documents. I asked the organization to clearly identify and illustrate these system components in their drawings:
• List of ll IP Addresses in use
• Demilitarized Zone (DMZ)
• Routers and Switches
• Intrusion Detection Systems (IDS)/Intrusion Prevention Systems (IPS)
• Any enterprise wide applications (CRM systems, etc.)
• Remote Access
• Data transmission methods used for data traversing back and forth on the network
• Wireless Networking or Networks
• Web Servers
• Proxy Servers
• Email Servers
• DNS Servers
• Operating Systems
Quite a list, but then again, it tremendously aids in the overall PCI DSS assessment, not to mention sufficing for PCI DSS Requirement 1.1.2.