PCI DSS Requirement 1.1.2 and 1.1.3: Network Documentation

by KirkpatrickPrice / April 18th, 2017

What are PCI Requirements 1.1.2 & 1.1.3?

PCI DSS Requirements 1.1.2 and 1.1.3 are all about maintaining network documentation. Network documentation consists of two things: a network diagram and a data flow diagram. An updated network diagram is required by PCI Requirement 1.1.2, which states that organizations must have a “current network diagram that identifies all connections between the Cardholder Data Environment (CDE) and other networks, including any wireless networks.” A data flow diagram is required by PCI Requirement 1.1.3, which requires that organizations have a “current diagram that shows all cardholder data flows across systems and networks.”

The Importance Behind PCI Requirements 1.1.2 & 1.1.3

The purpose of having network and data flow diagrams is so that your organization can fully understand where sensitive assets, such as cardholder data, exist throughout your network. If you are unaware of where your assets currently reside, you probably are not appropriately protecting them. Keeping updated network documentation, such as a network diagram and data flow diagram, can prevent your organization from unknowingly overlooking cardholder data that has been left out of the security controls and is susceptible to unauthorized access.

As assessors, we look for evidence of your policies, procedures, and processes surrounding the maintenance of your network documentation, and for evidence that your organization is keeping these network diagrams and data flow diagrams appropriately updated. Ideally, assessors look for some sort of tie-in to your Change Control Program as part of Requirement 1.1.1.

What Should Be Included in Network Documentation for PCI Compliance?

When your assessor is reviewing your network diagram and data flow diagram, they are verifying that your organization knows where your assets are located and how connections into and out of those environments exist. Your network documentation should include things such as:

  • Methods used for controlling traffic in and out of your network
  • Where your firewalls are located
  • Where your routers and switches are located
  • Intrusion Detection Systems (IDS)/Intrusion Prevention Systems (IPS)
  • Demilitarized Zone (DMZ)
  • Applications
  • Anti-virus
  • Wireless Networks
  • Remote access points
  • Operating systems
  • Email servers
  • DNS servers
  • Databases
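A diagram that lives only in a drawing tool is hard to check against the requirements above. The following is an added example, not KirkpatrickPrice's or the PCI SSC's code: it models a network diagram and its cardholder data flows as plain data and runs three checks that mirror the text. Every segment, device and flow name (`edge-fw`, `pos-wifi`, `cde-app`, the `old-gateway` hop, and so on) is constructed sample data for a hypothetical merchant network, and the `cde`/`type` attributes are assumptions about how such a diagram would be annotated.

```python
"""Machine-readable network and data-flow diagram with PCI DSS 1.1.2 / 1.1.3 checks.

Added example, not KirkpatrickPrice's or the PCI SSC's code. All names below are
constructed sample data for a hypothetical merchant network.
"""
from collections import deque

# Constructed sample "network diagram": each node is a segment or device,
# tagged with its type and whether it sits inside the Cardholder Data Environment.
NODES = {
    "internet":   {"type": "external", "cde": False},
    "edge-fw":    {"type": "firewall", "cde": False},
    "dmz":        {"type": "segment",  "cde": False},
    "corp-lan":   {"type": "segment",  "cde": False},
    "guest-wifi": {"type": "wireless", "cde": False},
    "pos-wifi":   {"type": "wireless", "cde": False},
    "cde-fw":     {"type": "firewall", "cde": True},
    "cde-app":    {"type": "segment",  "cde": True},
    "cde-db":     {"type": "database", "cde": True},
    "ids-1":      {"type": "ids",      "cde": True},
}
# Undirected links exactly as drawn on the diagram.
LINKS = [
    ("internet", "edge-fw"), ("edge-fw", "dmz"), ("edge-fw", "corp-lan"),
    ("edge-fw", "guest-wifi"),
    ("dmz", "cde-fw"), ("corp-lan", "cde-fw"), ("cde-fw", "cde-app"),
    ("cde-app", "cde-db"), ("cde-app", "ids-1"),
    ("pos-wifi", "cde-app"),  # constructed gap: wireless reaches the CDE with no firewall
]
# Cardholder data flows (Req. 1.1.3): ordered hops from capture to storage.
FLOWS = {
    "ecommerce-auth": ["internet", "edge-fw", "dmz", "cde-fw", "cde-app", "cde-db"],
    "pos-auth":       ["pos-wifi", "cde-app", "cde-db"],
    "stale-flow":     ["internet", "edge-fw", "old-gateway", "cde-app"],  # hop no longer drawn
}


def adjacency(links):
    """Build an undirected adjacency map from the drawn links."""
    adj = {}
    for a, b in links:
        adj.setdefault(a, set()).add(b)
        adj.setdefault(b, set()).add(a)
    return adj


def cde_boundary_connections(nodes, links):
    """Req. 1.1.2: list every link with exactly one endpoint inside the CDE.

    Returns sorted (inside_node, outside_node) pairs; the diagram must show each one.
    """
    out = []
    for a, b in links:
        if nodes[a]["cde"] != nodes[b]["cde"]:
            inside, outside = (a, b) if nodes[a]["cde"] else (b, a)
            out.append((inside, outside))
    return sorted(out)


def wireless_without_firewall(nodes, links):
    """Wireless segments that can reach a CDE node without crossing a firewall node.

    Breadth-first search from each wireless node, refusing to step onto firewalls;
    if any node reached is in the CDE, the wireless segment is flagged.
    """
    adj = adjacency(links)
    flagged = []
    for name, attrs in nodes.items():
        if attrs["type"] != "wireless":
            continue
        seen, queue = {name}, deque([name])
        while queue:
            cur = queue.popleft()
            if nodes[cur]["cde"]:
                flagged.append(name)
                break
            for nxt in adj.get(cur, ()):
                if nxt not in seen and nodes[nxt]["type"] != "firewall":
                    seen.add(nxt)
                    queue.append(nxt)
    return sorted(flagged)


def undocumented_flow_hops(nodes, links, flows):
    """Req. 1.1.3: every hop of a flow must be a drawn node, and every consecutive
    pair of hops must be a drawn link. Returns {flow_name: [problem, ...]}."""
    adj = adjacency(links)
    issues = {}
    for flow, hops in flows.items():
        problems = [f"unknown node {hop!r}" for hop in hops if hop not in nodes]
        for a, b in zip(hops, hops[1:]):
            if b not in adj.get(a, ()):
                problems.append(f"no link {a!r} -> {b!r}")
        if problems:
            issues[flow] = problems
    return issues


def run_checks(nodes=NODES, links=LINKS, flows=FLOWS):
    """Run all three checks and return one report dict."""
    return {
        "cde_boundary": cde_boundary_connections(nodes, links),
        "wireless_unfirewalled": wireless_without_firewall(nodes, links),
        "flow_issues": undocumented_flow_hops(nodes, links, flows),
    }


if __name__ == "__main__":
    for key, value in run_checks().items():
        print(f"{key}: {value}")
```

On the sample data the report lists the three CDE boundary connections the diagram must show, flags `pos-wifi` because it reaches `cde-app` without passing a firewall, and reports `stale-flow` because its `old-gateway` hop is no longer on the diagram; a flow that references a node nobody drew is exactly the "date changed, diagram not current" situation the assessor is looking for. Keeping the model under version control beside the drawing lets a change ticket stay open until this check passes.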

PCI Requirements 1.1.2 & 1.1.3 – Network Documentation

When your organization makes a change to your networking environment, you need to ensure that you maintain network documentation. This consists of two things: one is a data flow diagram and the other is a network diagram. So, if you’re going to be making a change to your networking environment, we want to make sure that you keep these documents appropriately updated. This doesn’t mean just changing the date. As an assessor, we often come into your environment and we’ll look at the documentation and see that the date is current. But understand that just because you changed the date doesn’t necessarily mean that the network diagram is current. So we’re looking for evidence of your processes and your procedures around maintaining your network documentation.

Ideally, what we look for in a perfect world is that you have some type of tie-in to your Change Control Program. That change control will be held open until such time that the network documentation has been appropriately updated.

This network diagram should also be considerate of all assets, or at least types of assets, within your environment. With the networking clouds that we have today, such as Amazon or Microsoft Azure, the number of assets will often wax and wane. From an assessment perspective, what we’re looking for is that you fully understand where your assets are at, how connections into and out of those environments exist, and define the methods and means that you’re using for controlling that traffic.

So as part of this network documentation, we look to see that several things exist. We look to examine where your firewalls and routers exist, and we look to see if you have wireless devices. Whether they’re in scope or not, if the wireless devices are in your environment, they need to be demonstrated on that network diagram.

The purpose of this is that if you’re being assessed against the PCI standards, there’s a requirement that says you must adhere to the requirement that says you need to have a firewall between your cardholder data environment and your wireless access points – so we look for that as assessors.

Your network diagram should also demonstrate where your IPS/IDS is. Assessors need to see that those are standing in front of your network and other areas that you might determine as being critical in your environment.

The whole point of having data flow and network diagrams is so that your organization and your staff can fully understand where those assets are at that need to be protected. If you don’t know where your assets are at, chances are you’re probably not appropriately protecting them.