Network diagrams are a foundational aspect of many compliance standards, but often I see clients struggle unnecessarily with them. At first glance, a network diagram seems like a simple task that you can easily check off your list. But there are important aspects to them that can trip you up.
Let’s take a look at best practices for succeeding with network diagrams.
What Is a Network Diagram?
When you have a network, you have places where your devices reside — sometimes it’s physical hosts, sometimes it’s virtual hosts. In either case, the network resides somewhere. A network diagram visually depicts the connectivity between your network and other systems, as well as the locations of all your systems.
The diagram shows the physical layout of your network, as well as logical segmentation of it.
Related: Network Architecture Best Practices — and Things to Watch Out For — Under PCI DSS 4.0
The physical network
The physical network diagram depicts where your devices are physically located, as well as the interconnectivity between your systems and other systems. It should include information like connected vendors, external systems that your system interacts with, and the methods that clients, employees, and vendors use to connect to your environment.
The logical network
A network isn’t merely physical. There are logical connections between systems, as well, and various ways to segment that landscape.
The logical network diagram depicts how the network is segmented and what devices are grouped together. In a typical environment, there are all sorts of devices — there are file servers, email servers, authentication servers.
For example, a web server would reside in a particular network segment, and that segment has access to the internet. A database server would be on an internal network segment that doesn’t have access to the internet yet allows connectivity between it and the web application server.
How Important Is the Network Diagram?
Nearly every compliance standard requires you to keep and maintain an accurate network diagram. It’s considered to be one of the core elements of your compliance documentation.
The network diagram is important in your daily business operations as well. As you modify your environment, you can visually see everything you have. The diagram makes it easy to spot potential impacts of any changes you make, and to ensure you don’t overlook any of your systems.
Are You Making These Common Compliance Management Mistakes?
What Should You Include in a Network Diagram?
It’s tempting to put everything you can think of in your network diagram — but at some point you have so much information that it ceases to be useful. Often, organizations will use a high-level diagram that gives an overview of their network landscape.
For example, you might have 67 remote employees. You could try to show 67 little bubbles of remote employees logging into the systems, or you could make it easy on yourself and depict it philosophically with one bubble that represents all of your remote workers. You can add a reference number here, and have a secondary tracking sheet of the details to keep the noise on the diagram within reason.
Some organizations choose to create an additional absolute network diagram of their environment. In that case, you can include a very granular level of detail if you want. But generally speaking, most organizations don’t take it to that extreme — and there’s usually no need to.
Besides, a detailed diagram creates a lot more work for you, because every little change will require an update to the diagram.
What to include on the physical diagram
On the physical network diagram, include every type of device and system. Also provide indicators for the connections that are being made. How are they being made? Over what ports are they made? You want clarity about how information is being transmitted from an external entity to the internal network and vice versa.
Include the IP addresses associated with any assets on the network diagram, including all of their assigned external and internal addresses.
What to include on the logical diagram
You may have many devices in a particular segment. Don’t make the diagram too noisy by depicting every device where you have high volumes of similar devices (such as internal workstations). Instead, simply show the segment, describe what it contains, and add references to secondary elements and documentation as needed.
For example, you can depict all of your workstations philosophically on the logical diagram and have a reference to a secondary sheet that lists out all of the workstations that exist within that segment. A great place to reference would be the inventory you’re needing to maintain for security / compliance anyhow!
Depict the interconnectivity between all of the segments. You want to be able to tell what systems can talk to each other, and how.
Also include all of the IP addresses within each segment.
Maintaining the Network Diagram
It’s not enough to have a network diagram — you need to maintain it and keep it accurate as well. Most compliance standards require that you review your network diagram at least once or twice per year.
I urge clients to maintain it every time you make a change that affects the diagram — as you have change control come into play, or as you make modifications to your firewall rules. Mirror those modifications back to your internal documentation and keep it current.
Not only does it save time during the periodic review, it also protects your company. From time to time, people in your organization depend on your network diagram to be accurate as they make decisions based on the diagram.
Depending on what’s missing, an inaccurate network diagram or one that doesn’t line up with other internal documentation could have significant ripple impacts. For example, if you have items on your network diagram that aren’t on your inventory, but your inventory is being used to drive assessor sampling and evidence collection, your assessor might decide to perform additional sampling. That can be a costly mistake and a waste of time.
When you review your network diagram, compare it to your firewall rules, device inventory, and list of service providers. Go through all of those assets to discover any discrepancies. By comparing those three assets to your network diagram, you have a better chance to ensure continuity between your critical internal documentation. If you haven’t done this recently, I guarantee you’ll find inconsistencies.
I also guarantee that your Assessor will compare them during your annual Assessment. And you don’t want the Assessor to find discrepancies between these documents, because that will erode trust, lead to further investigations, and deeper lines of questioning.
It’s a hell of a lot easier to take care of it yourself on the front end than to have an Assessor feeling like they need to do a deep dive into causal effects of discontinuity between your internal documentation.
Stressing Out Over Compliance Management? Here’s How to Keep Your Cool.
Get an Easy Win with Your Network Diagram
Your organization’s network diagram isn’t a difficult part of security and compliance, but it is an essential one. The trick is to include what you need, without going overboard on details — and to keep it current. For many companies, failing to stay on top of network changes has led to some serious headaches — both with the Assessor and with the pocketbook.
If your company takes compliance seriously, a kick-ass network diagram can be an easy win.
Get industry insider expertise delivered to your inbox
Subscribe to the TCT blog