UCF ID: 00531 |
Control Type: Process or Activity |
Status: Live |
Supporting and supported controls
This control directly supports:
- Establish and maintain documentation for controlling the network configuration. [UCF Control ID 00530]
There are no supporting controls.
Authority documents complied with:
FFIEC IT Examination Handbook – E-Banking, August 2003, Pg 28; FFIEC IT Examination Handbook – Information Security, Pg 11, Exam Tier I Obj 2.3, Exam Tier II Obj B.1, Exam Tier II Obj M.1; FFIEC IT Examination Handbook – Operations, July 2004, Pg 6, Exam Tier I Obj 4.2; Federal Information System Controls Audit Manual (FISCAM), February 2009, AC-3.2(B); The Standard of Good Practice for Information Security, NW1.4.2(a), NW1.4.2(c), NW1.4.3; DISA Wireless STIG Windows Mobile Messaging Wireless EChecklist, Version 5 Release 2.4, § 2.2 (WIR2080); OECD / World Bank Technology Risk Checklist, Version 7.3, § I.20; Australian Government ICT Security Manual (ACSI 33), § 2.7.24, § 3.10.6; Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance All other Merchants and all SAQ-Eligible Service Providers, Version 1.2, § 1.1.2; Payment Card Industry (PCI) Information Supplement: PCI DSS Wireless Guideline, Version 1.2, July 2009, § 4.3.1.G; Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, Version 1.2.1, § 1.1.2.a, § 1.1.2.b, § 1.1.3; DISA Wireless STIG Motorola Good Mobile Wireless Email System Security Checklist, Version 5 Release 2.3, § 2.2 (WIR3080)
Banking and Finance Guidance
An up-to-date network diagram should be maintained. The diagram should document the network connectivity to include internal databases, remote users, and gateway servers to any third party. [Pg 28, FFIEC IT Examination Handbook – E-Banking, August 2003]
The network diagram should identify service providers and how the information is passed between the systems. [Pg 11, Exam Tier I Obj 2.3, Exam Tier II Obj B.1, Exam Tier II Obj M.1, FFIEC IT Examination Handbook – Information Security]
Management should maintain an up-to-date network map. [Pg 6, Exam Tier I Obj 4.2, FFIEC IT Examination Handbook – Operations, July 2004]
Payment Card Guidance
The organization must maintain an up-to-date network diagram. The diagram should show all connections, including wireless access, to cardholder data. [§ 1.1.2, Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance All other Merchants and all SAQ-Eligible Service Providers, Version 1.2]
Maintain a current topology of all physical locations of access points. [§ 4.3.1.G, Payment Card Industry (PCI) Information Supplement: PCI DSS Wireless Guideline, Version 1.2, July 2009]
§ 1.1.2.a The organization must maintain an up-to-date network diagram. The diagram should show all connections, including wireless access, to cardholder data.
§ 1.1.2.b Check the network diagram date to ensure the organization keeps it current.
§ 1.1.3 Verify that the current network diagram is consistent with the firewall configuration standards. [§ 1.1.2.a, § 1.1.2.b, § 1.1.3, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, Version 1.2.1]
US Federal Security Guidance
All network access paths must be identified and controlled. Careful analysis is needed to identify all of the system's entry points and paths to sensitive files. [AC-3.2(B), Federal Information System Controls Audit Manual (FISCAM), February 2009]
Other Configuration Guidance
The wireless e-mail system should be set up with the required components and the handheld devices should have the appropriate software installed. The required components are: Microsoft Exchange Server 2003 SP2 or Microsoft Exchange Server 2007 SP1; Microsoft Internet Security and Acceleration (ISA) Server 2006 (optional); Mobile Device Security Policy Manager (Trust Digital 7.3 or later); Microsoft Active Directory Domain Controller on Windows Server 2003 SP1 or SP2; an enclave firewall; and either a BAI baiMobile Bluetooth Smart Card Reader, an Apriva BT100-C Bluetooth Smart Card Reader, or an Apriva BT200 Bluetooth Smart Card Reader. Windows Mobile PDAs or smartphones should have the following software installed and implemented: Windows Mobile 5.0 with AKU2 or higher, Windows Mobile 6.0, or Windows Mobile 6.1; the S/MIME hot fix for Windows Mobile 5.0; the Security Policy Management client; antivirus software; a personal firewall; and either the BAI Smart Card Reader drivers and middleware or the Apriva Smart Card Reader drivers and middleware. [§ 2.2 (WIR2080), DISA Wireless STIG Windows Mobile Messaging Wireless EChecklist, Version 5 Release 2.4]
The wireless e-mail system should be set up with the required components and the handheld devices should have the appropriate software installed. The required components are: Good Mobile Messaging Server 5.0 or later; Good Mobile Internet Server 1.9 or later; a DoD enclave e-mail malware scanner (if one is not available, a DoD smartphone antivirus product must be installed on each Windows Mobile handheld); an Apriva BT100-C or BT200 Bluetooth Smart Card Reader; Microsoft Exchange 2003 SP2 or Microsoft Exchange 2007 SP1 or later; and a Microsoft Active Directory Domain Controller on Windows Server 2003 SP1 or SP2 or later. Each Windows Mobile compatible PDA or smartphone should have the following software: a) Windows Mobile 5.0, 6.0, or 6.1; b) Good Mobile Messaging Client 5.0 or later; c) Apriva Smart Card Reader drivers; d) Good Application Lock installer cab files (Q-Locked.cab, Q-Default.cab, and Carrier_Q_Certs_Restored.cab); e) the Bluetooth disablement cab file (BTD.cab); f) the DoD consent banner cab file (DoD_Splash.cab); and g) a DoD licensed smartphone antivirus application (only required if the site does not use an enclave e-mail scanner). NOTE: A personal firewall is not required on the Windows Mobile device because the system is configured to force all Internet browsing through the secure connection to the Good Mobile Messaging Server and Good Mobile Internet Server to the enclave web proxy. [§ 2.2 (WIR3080), DISA Wireless STIG Motorola Good Mobile Wireless Email System Security Checklist, Version 5 Release 2.3]
General Guidance
The network diagram should note all nodes and connections, including in-house cable runs, and should be kept up-to-date, readily accessible, reviewed regularly, and generated automatically. [NW1.4.2(a), NW1.4.2(c), NW1.4.3, The Standard of Good Practice for Information Security]
EU Guidance
An inventory of each access point to the network is called for, to identify potential points of vulnerability. Proper system configuration is suggested, as well as a frequently reviewed network topology diagram. Organizations should scan for unknown system users and unidentified access attempts. [§ I.20, OECD / World Bank Technology Risk Checklist, Version 7.3]
Asia and Pacific Rim Guidance
A site/floor cabling diagram and a network diagram (showing all connections and devices) should be developed, updated on a regular basis, and contain a "current as of (date)" on each page. [§ 2.7.24, § 3.10.6, Australian Government ICT Security Manual (ACSI 33)]
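Several of the authority documents above reduce to two verifiable tests: the diagram carries a date and is still current (PCI DSS 1.1.2.b, ACSI 33 "current as of (date)"), and the documented connections agree with what the firewall actually permits (PCI DSS 1.1.3, with the ISF's preference for a regularly reviewed, automatically generated diagram). The script below is an added example, not part of the UCF control text or of any cited authority document, showing how an assessor or engineer could automate both tests. The JSON diagram format, the hypothetical "permit proto src -> dst port" rule syntax, the function names and all sample data are assumptions constructed for illustration; a real deployment would feed it an export from the actual firewall and the diagram's own inventory.

```python
"""Added example: reconcile a documented network diagram with a firewall ruleset.

The diagram format (JSON), the rule syntax and the sample data are constructed
for illustration; none of them come from an authority document cited on this page.
"""
import ipaddress
import json
from datetime import date, timedelta

# Constructed sample diagram inventory with a "current as of" date on it.
SAMPLE_DIAGRAM = json.dumps({
    "current_as_of": "2009-06-01",
    "nodes": {
        "dmz-web": "10.10.1.0/24",
        "cde-db": "10.20.1.10/32",
        "corp-lan": "10.30.0.0/16",
        "wifi-guest": "192.168.50.0/24",
    },
    "connections": [
        {"from": "dmz-web", "to": "cde-db", "proto": "tcp", "port": 1433},
        {"from": "corp-lan", "to": "dmz-web", "proto": "tcp", "port": 443},
        {"from": "corp-lan", "to": "cde-db", "proto": "tcp", "port": 443},
    ],
})

# Constructed sample ruleset in a hypothetical "permit <proto> <src> -> <dst> <port>" syntax.
SAMPLE_RULES = """\
permit tcp 10.10.1.0/24 -> 10.20.1.10/32 1433
permit tcp 10.30.0.0/16 -> 10.10.1.0/24 443
permit tcp 192.168.50.0/24 -> 10.20.1.10/32 1433
permit tcp 172.16.5.0/24 -> 10.20.1.10/32 22
"""


def parse_diagram(text):
    """Return (current_as_of date, {node: network}, {(src, dst, proto, port)})."""
    d = json.loads(text)
    nodes = {name: ipaddress.ip_network(cidr) for name, cidr in d["nodes"].items()}
    documented = {(c["from"], c["to"], c["proto"], int(c["port"])) for c in d["connections"]}
    return date.fromisoformat(d["current_as_of"]), nodes, documented


def parse_rules(text):
    """Return [(proto, src_network, dst_network, port)] for each permit rule; skip other lines."""
    rules = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6 or parts[0] != "permit" or parts[3] != "->":
            continue
        proto, src, dst, port = parts[1], parts[2], parts[4], int(parts[5])
        rules.append((proto, ipaddress.ip_network(src), ipaddress.ip_network(dst), port))
    return rules


def node_for(net, nodes):
    """Name of the diagram node whose subnet contains net, or None if the diagram omits it."""
    for name, subnet in nodes.items():
        if net.version == subnet.version and net.subnet_of(subnet):
            return name
    return None


def reconcile(diagram_text, rules_text):
    """Compare documented connections with what the firewall permits (PCI DSS 1.1.3 style)."""
    _, nodes, documented = parse_diagram(diagram_text)
    permitted = set()
    unknown_hosts = []
    for proto, src, dst, port in parse_rules(rules_text):
        s, d = node_for(src, nodes), node_for(dst, nodes)
        if s is None or d is None:
            unknown_hosts.append((str(src), str(dst)))  # rule touches a host absent from the diagram
            continue
        permitted.add((s, d, proto, port))
    return {
        "allowed_not_on_diagram": sorted(permitted - documented),
        "on_diagram_not_allowed": sorted(documented - permitted),
        "rules_with_unknown_hosts": unknown_hosts,
    }


def diagram_is_current(diagram_text, today_iso, max_age_days=365):
    """PCI DSS 1.1.2.b style date check: is the diagram at most max_age_days old as of today_iso?"""
    as_of, _, _ = parse_diagram(diagram_text)
    return date.fromisoformat(today_iso) - as_of <= timedelta(days=max_age_days)


if __name__ == "__main__":
    print(json.dumps(reconcile(SAMPLE_DIAGRAM, SAMPLE_RULES), indent=2))
    print("diagram current:", diagram_is_current(SAMPLE_DIAGRAM, "2009-12-01"))
```

On the constructed data the report flags three distinct findings an assessor would want to see separately: a permitted path the diagram omits (the guest wireless segment reaching the cardholder database, exactly the kind of wireless-to-CDE connection PCI DSS 1.1.2 requires on the diagram), a documented path no rule actually allows (stale documentation), and a rule referencing a network the diagram does not know at all (an undocumented access path in FISCAM AC-3.2(B) terms). Running it from a scheduled job against live exports gives the "generated automatically" and "reviewed regularly" properties the ISF guidance asks for.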
Copyright 2005-2009 Unified Compliance Framework™. All rights reserved.
