Compliance Unfiltered is TCT’s tell-it-like-it-is podcast, dedicated to making compliance suck less. It’s a fresh, raw, uncut alternative for anyone who needs honest, reliable compliance expertise with a sprinkling of personality.
Show notes: How Proactive Planning Reduces Compliance Stress
Quick Take
On this episode of Compliance Unfiltered, we give you the ins and outs of Network Diagrams and how to navigate them successfully. For beginners, Adam breaks down the basics of a network diagram.
We also cover:
- Why the diagrams matter
- What level of detail needs to be included
- What types of things should be on the physical vs. the logical network diagram
Curious about network diagram maintenance? The CU Guys have you covered there as well. All these topics and more, on this week’s episode of Compliance Unfiltered!
So let’s face it, managing compliance sucks. It’s complicated, it’s so hard to keep organized, and it requires a ton of expertise in order to survive the entire process. Welcome to Compliance Unfiltered, a podcast dedicated to making compliance suck less. Now, here’s your host, Todd Coshow, with Adam Goslin.
Well, welcome in to another edition of Compliance Unfiltered. I’m Todd Coshow alongside a man who is far from his first compliance know well, Mr. Adam Goslin, how the heck are you, sir?

I am doing great today.

Hard to beat great, hard to beat great, but today we’re actually going to talk about a spicy topic, and I say spicy because it’s something that’s been on everybody’s tongue recently, and that is how to succeed with network diagrams.
Let’s start with the basics, Adam. Tell me more about what a network diagram is for the listeners that don’t know, or that are not necessarily responsible for that in their organization.

Okie dokie. So, what is a network diagram? When you have a network, you have places where all of your devices reside. Sometimes you’ve got physical hosts, sometimes there are virtual hosts. In either case, whether it’s a physical or a virtual network, the network sits somewhere, and the network diagram just visually depicts the connectivity between your network and other systems, as well as the interactivity between the various systems that are on your network.
So, the diagram will show a couple of different things. It will show the physical layout of your network: where things are, where they reside, how they fit into your network and physically connect, as well as the logical segmentation of it. So, that physical network diagram that we were talking about a minute ago just shows where everything’s located, that interconnectivity, things like connected vendors, external systems that your system interacts with, methods that clients, employees, and vendors are using to connect in. Where is that logical network? It’s the logical connections between systems, as well as the various ways to segment that particular landscape. So, it’s depicting how the network is segmented, what devices are grouped together. In a typical environment, there are all sorts of different devices. There are file servers, email servers, authentication servers. So, as an example, a web server would reside in one particular network segment, and that particular segment is allowed access to the internet, whereas a database server sits on an internal network segment that doesn’t have access to the internet, but allows connectivity between the segment where the database server is and the segment where the web application server is. So, that’s kind of the high-level overview of the network diagram.
Sure. Well, the next logical question there is, is the network diagram important?

Well, number one, almost every compliance standard requires you to keep and maintain an accurate network diagram. Why? Because it’s considered to be one of the core elements of your compliance documentation. It’s also important for daily business operations. As you’re going through modifying your environment, you know, you now can visually see: where is everything? Where do I have stuff? What all is connected to what? It makes it a really easy reference tool, to be able to go in and look. Hey, if I wanted to make changes, whatever, I want to replace this system, well, now I can go in and I’ve got a bit of a visual aid to be able to say, what are all the ripple impacts of me yanking out this thing and putting a new one in its place? Now I can kind of tell what other systems are interfacing, interacting, communicating, connected, dependent. It’s another tool that allows an organization to make sure that they aren’t overlooking any particular systems that may be impacted as they’re managing and maintaining.
Now, what level of detail should be included in a network diagram? I think that’s an important question to ask at this point.

Well, it’s tempting for folks to just put everything under the sun on the network diagram, but honestly, it depends on the scale of the organization, right? If I’m a smaller shop, and I’ve got whatever, eight total assets that I need to go ahead and represent on my network diagram, well, that’s going to be a whole different scale of notion than an organization that has 1500 things that it needs to depict on its network diagram. So, we were talking about people just throwing everything into the network diagram, but at some point in the game, you just have too much information, so that the usefulness of being able to use it as a reference tool and be able to clearly see and understand what’s up starts to get lost. So, often organizations will use a high-level network diagram to give an overview of that network landscape. So, as an example, let’s say you’ve got 70 different remote employees. One could go ahead and put 67 little bubbles showing remote employees and them connecting in, or make it easy on yourself and depict it philosophically. There’s a bubble that represents the remote workers and their connectivity, etc. You can then add some type of a reference number at that point on the network diagram, and then have a secondary tracking sheet so that, yes, you still have your list of your 70 employees with remote access over here, but it’s not blurring the lines on your network diagram. In some cases, organizations will choose to create that additional absolute network diagram of their environment.
And, my recommendation would be, if you’re in a complex arena, create that high level so that you’ve got something that’s usable for discussions, and planning, and things along those lines, as well as to support your compliance stuff, then separately maintain that kind of really detailed, granular-level type diagram. But what I’ve found, generally speaking, is that most organizations don’t bring it to that level of an extreme, where they’re literally putting all 70 of the remote people on their diagram type of thing. The detailed diagram does create a lot more work for the organization. If you’re in that kind of high-range or high-level network diagram, there’s a lot less in terms of modifications and changes that would thereby impact it. Or if you have a monumental detail level, then just about everything that happens within the environment is going to impact it.
Well, what types of things should be on the physical versus the logical network diagram?

Well, on your physical network diagram, the objective here is to include every type of device and type of system that you’ve got. You also want to add indicators for how connections are being made, especially on a physical network diagram. A lot of the things that are going to be on there are going to be external to the organization, depicting those, so the remote employee connectivity, connected vendors, systems that we use, etc. So, on there, making sure that you’ve got the indicators for the connections being made, how they’re being made, over what ports are those coming across? You also want to have the information clear about what all is moving from the outside toward the inside of the network, at a high level, at that kind of physical level, etc. You want to make sure that you’ve got the IP addresses for any of those assets on that network diagram, including all of their externals and their internals on that kind of physical network diagram. On the logical network diagram, again, you could have many devices in a particular segment, that choice of easing up, putting representations within areas where you have a ton of redundancy. Make sure that you can go in and leverage that, again, with the references to secondary sheets, etc. But for each of the segments, you want to make sure that you’ve got philosophically what all is in that segment. You’ve got all your references in there to secondaries. You definitely want to be able to make sure that you’ve got, whether it’s within the segment, or outside of the segment, sorry, let me restate that, whether it’s within the segment because you don’t have a ton of devices, or if you have that reference, then on the reference point, making sure you’ve got the IP addresses for kind of everything in those various segments.
So, you could depict the workstations philosophically, go out to the secondary sheet, and then be able to leverage that. Now, what I’ll see a lot of times, what’ll happen is that organizations will take advantage of the fact that, hey, we already have an inventory that we have to manage or maintain anyway. So, what they’ll do is when they put those reference points onto their network diagram, they’ll actually reference back to the inventory, to give them one less asset that they have to maintain, manually or in an automated fashion. The key there is just making sure that you can clearly tell on that network diagram what the elements are that would have gone into that network segment, some way, shape, or form, making that connection as you’re putting together the documentation, because the one thing that folks need to realize is that at some point in the game, somebody else is going to go in and look at this thing, aka your assessor, whatever. They have to be able to actually understand the hieroglyphics that, you know, constitute this compendium of internal knowledge. So, you know, just make sure that you get it buttoned up. A lot of times what I’ll do, what I recommend to folks with those network diagrams, is you almost need a fresh pair of eyes and have them go in and look at it. I mean, you can’t take someone that’s completely non-technical and hand them a network diagram and expect them to understand it, but take someone that’s semi-technical, and knows enough to ask dumb questions, you know, poking and prodding at comprehension of what you put together. Using them as a sounding board is often a good step. And, especially if you’re lucky enough to have the advantage of a consultant, definitely leverage them as a sounding board for, hey, does this make sense? How can I make this a little bit easier to get through?
Because at the end of the day, you want the assessors to be able to understand it, you want your internal personnel to be able to understand it, it’s important to have that purview of comprehension across all those spectrums.
Well, I mean, that actually leads to a really great point that you brought up kind of briefly in there. And that is kind of maintaining this. So tell me more about the maintenance of the network diagram.

Well, it’s not enough to just go, hey, we created a network diagram back in 2015. Bottom line is, it needs to be maintained. For most of the compliance certifications out there, there’s a requirement that at least once or twice a year you need to sanity check your network diagram, etc. Now that said, what I recommend to folks is, hey, go in, go poke your nose in at your network diagram, like once a year. I’ve seen some organizations where the pace of change is just breathtaking. And so, do you really want to have to go back and re-assimilate an entire year’s worth of that pace of change? No. I mean, I urge clients to listen, if you’re making modifications that are going to affect your diagram. And again, this goes back to that earlier comment that we were talking about, about what level of detail, right? If I’ve got every individual workstation on there with the names of the personnel that they were presently assigned to, IP addresses, etc., that means every single time that somebody leaves the company or joins the company, now I’ve got to go update the network diagram. So that’s why most organizations kind of take that middle-ground stance. But every single time that you have a change that impacts that diagram, as part of your change control, integrate it right in there. So, as you’re going in, as you’re rolling through change control, you know, one of the steps is, I need to make associative updates to any associated documentation. Make sure your network diagram is on that list, so that you just update it as you go. You want to mirror your change control off to your documentation as you go, because it’s going to make it so much easier as you’re going through the process.
Everything’s always up to date, it’s going to save time when you’re going through that kind of periodic review twice a year, once a year, etc., where we have to just sanity check it. You know, it’s going to make that easier. It’s also kind of an active protection mechanism for the company. From time to time, you do want to go in and sanity check it, but you want to make sure you’ve got something that’s valid, so that you can leverage it in that day-by-day we were talking about earlier. Depending on if the organization only does this update every now and then, depending on what’s missing, you know, inaccurate network diagrams or ones that don’t line up with other internal documentation could have significant ripple impacts if somebody’s depending on it. So, you know, if your network diagram, we talked about kind of aligning to all of your internal stuff, I’ll just give an example: if you’ve got items on your network diagram that aren’t in your inventory, but your inventory is being used to drive assessor sampling and evidence collection, now you could have some seriously expensive ripple impacts if the assessor deems that they now need to perform additional sampling, because they had miscounts off of your inventory. Not only is the assessor justifiably going to come back and say, well, we’re going to have to do a whole bunch of rework, so you hear the truck beeping as it backs up and they dump the new invoice off to you. You don’t want to be in there.
So, you know, one of the things that I really recommend to folks is when they’re going through, you know, we talked earlier about making all your associative internal updates to documentation as you go, and that would include all of the things I’m about to talk about, but when you’re going through and doing that annual or semi-annual sanity check, don’t just go in and look at your network diagram and go, oh, it looks right. Compare it to your firewall rules, compare it to your device inventory, compare it to your list of service providers. Take those four and come bounce them off one another when you go through to do that periodic review, and make sure that you don’t have any discrepancies between them. The upside is, if you go through and do that type of a sanity check, you’re almost bound to find some form of inconsistency. Human beings are human beings, they make mistakes, they drop balls, what are you going to do? The bottom line is that you want this stuff to be all in lockstep, because if you don’t, your assessor is going to be comparing them when they come in to do the annual assessment. The last thing on earth you want is the assessor being the one to say, hey, I’m seeing things on this that don’t match here. When assessors find discrepancies in your documentation, it erodes trust, it leads to further questions, deeper lines of questioning. It’s a hell of a lot easier to go take care of it all on the front end than having your assessor feeling like they need to do a cavity search. You know what I mean?

Definitely. That’s the last damn thing on earth anybody wants.
Parting shots and thoughts for the folks this week, Adam.

Yeah, I mean, bottom line, I think I drilled it home as we were kind of going through the discussion. But your network diagram is essential. It’s important. A lot of people really are dismissive of that network diagram. And I look at it as an important part of the core suite of documentation. The secret really is, put what you need to on there without going absolutely nuts, and keep it current throughout the year. I’ve seen companies that failed to keep their network diagram up to speed, and the assessor happened to get a hold of it in advance of them getting it kind of aligned, if you will. And it led to some really serious headaches, both with their assessors and their pocketbooks. So if you do take compliance seriously, then a kickass network diagram should be an easy one.
That right there, that’s good stuff. Well, that’s all the time we have for this episode of Compliance Unfiltered. I’m Todd Coshow.

And I’m Adam Goslin.

Hope we helped to get you fired up to make your compliance suck less.