Regulatory Compliance, Governance and Security

Jan 28 2009   12:47PM GMT

PCI DSS Requirement 1.1.2 | Network Diagrams | Easier Said Than Done



Posted by: Charles Denyer
Tags:
1.1.2 netowrk diagram
cardholder data pci dss
firewalls
firewalls pci dss
payment card industry data security standards (PCI DSS)
PCI DSS
pci dss requirement 1.1.2
qualified security assessor (QSA)
remote access pci dss
routers and switches
system components
wireless networking pci dss

PCI DSS Requirement 1.1.2 is an often overlooked area within the PCI framework for assessment. That’s also a shame because it’s such a critical component for helping lay the groundwork for true clarity and transparency for the assessment itself. The problem with most organizations that have network diagrams and topology documents in place is that they are old, outdated, too high-level, void of the necessary detail you need to clearly help understand the cardholder environment for purposes of PCI DSS compliance. A good rule of thumb is to include as much information in the network diagrams and topology documents for helping assess scope and all “system components” that are directly or indirectly related to the storage, transmission, or processing of cardholder data.

Take a look at this comprehensive list I recently put together for a client regarding his network diagram and topology documents. I asked the organization to clearly identify and illustrate these system components in their drawings:

• List of ll IP Addresses in use
• Firewalls
• Demilitarized Zone (DMZ)
• Routers and Switches
• Intrusion Detection Systems (IDS)/Intrusion Prevention Systems (IPS)
• Any enterprise wide applications (CRM systems, etc.)
• Remote Access
• Data transmission methods used for data traversing back and forth on the network
• Wireless Networking or Networks
• Web Servers
• Proxy Servers
• Email Servers
• DNS Servers
• Operating Systems
• Databases
• Applications
• Anti-virus

Quite a list, but then again, it tremendously aids in the overall PCI DSS assessment, not to mention sufficing for PCI DSS Requirement 1.1.2.

 Comment on this Post

 
There was an error processing your information. Please try again later.
Thanks. We'll let you know when a new response is added.
Send me notifications when other members comment.

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy

Forgot Password

No problem! Submit your e-mail address below. We'll send you an e-mail containing your password.

Your password has been sent to: