Maintain up-to-date network diagrams.
CONTROL ID
00531
CONTROL TYPE
Establish/Maintain Documentation
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS
This Control directly supports the implied Control(s):
  • Establish, implement, and maintain a network configuration standard., CC ID: 00530

This Control has the following implementation support Control(s):
  • Include the date of the most recent update on the network diagram., CC ID: 14319
  • Include virtual systems in the network diagram., CC ID: 16324
  • Include the organization's name in the network diagram., CC ID: 14318
  • Use a passive asset inventory discovery tool to identify assets when network mapping., CC ID: 13735
  • Include Internet Protocol addresses in the network diagram., CC ID: 16244
  • Include Domain Name System names in the network diagram., CC ID: 16240
  • Accept, by formal signature, the security implications of the network topology., CC ID: 12323
  • Disseminate and communicate network diagrams to interested personnel and affected parties., CC ID: 13137
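
The support controls above describe a diagram that carries IP addresses, DNS names, and a last-updated date, and that is reconciled against what a passive discovery tool actually sees on the wire. The following script, added here as an illustration and not taken from the control text or any of the authority documents cited below, shows that reconciliation as a drift check: the diagram is held as data, a set of constructed flow observations stands in for the passive sensor's output, and the check reports undocumented hosts, documented hosts that never appeared in traffic, cross-segment flows the diagram does not show (the PCI "consistent with the firewall configuration standards" question in data form), hosts without a DNS name, and whether the "current as at" date has gone stale. The diagram schema, the segment and host values, the `(src_ip, dst_ip, dst_port)` record shape, and the reference date are all assumptions made for the example.

```python
"""Drift check between a network diagram kept as data and passively observed traffic.

Added example for this control; it is not text or tooling from any of the
authority documents cited on the page. The diagram format, the segments,
hosts and flows below are all constructed here. Real input would come from
the diagram tooling and from a passive discovery sensor (e.g. flow records
exported from a network tap); the (src_ip, dst_ip, dst_port) tuple shape is an
assumption. Passive discovery only sees hosts that talk, so "documented but
unobserved" is a review hint, not proof that an asset is gone.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field
from datetime import date

# Constructed diagram-as-data: organisation name and "current as at" date
# (CC IDs 14318, 14319), segments with IP -> DNS name (CC IDs 16244, 16240),
# and the inter-segment connections the diagram says are permitted.
DIAGRAM = {
    "organization": "Example Corp",      # assumed name
    "current_as_at": "2024-01-15",       # date of the most recent update
    "segments": {
        "CDE":  {"cidr": "10.10.0.0/24", "hosts": {"10.10.0.5": "pay-app01.example.test",
                                                   "10.10.0.6": "pay-db01.example.test",
                                                   "10.10.0.7": "pay-bak01.example.test"}},
        "CORP": {"cidr": "10.20.0.0/24", "hosts": {"10.20.0.50": "ws-050.example.test"}},
        "DMZ":  {"cidr": "192.0.2.0/24", "hosts": {"192.0.2.10": "web01.example.test",
                                                   "192.0.2.11": ""}},  # DNS name missing
    },
    # Documented connections as (source segment, destination segment, destination port).
    "connections": [("DMZ", "CDE", 8443), ("CORP", "DMZ", 443)],
}

# Constructed passive observations: (src_ip, dst_ip, dst_port).
OBSERVED_FLOWS = [
    ("192.0.2.10", "10.10.0.5", 8443),   # documented DMZ -> CDE
    ("10.20.0.50", "192.0.2.10", 443),   # documented CORP -> DMZ
    ("10.20.0.77", "10.10.0.6", 5432),   # unknown host, and CORP -> CDE is not documented
    ("10.10.0.5", "10.10.0.6", 5432),    # intra-segment traffic, not a segment connection
]

REFERENCE_DATE = date(2024, 6, 1)        # constructed "today" for the stand-alone run


@dataclass
class Findings:
    stale_diagram: bool
    undocumented_hosts: set[str] = field(default_factory=set)
    unobserved_hosts: set[str] = field(default_factory=set)
    undocumented_connections: set[tuple[str, str, int]] = field(default_factory=set)
    hosts_missing_dns: set[str] = field(default_factory=set)


def segment_of(ip: str, diagram: dict) -> str | None:
    """Return the diagram segment containing ip, or None if the address is off-diagram."""
    addr = ipaddress.ip_address(ip)
    for name, seg in diagram["segments"].items():
        if addr in ipaddress.ip_network(seg["cidr"]):
            return name
    return None


def check_diagram(diagram: dict, flows, today: date, max_age_days: int = 365) -> Findings:
    """Compare the documented topology with observed traffic and report drift."""
    updated = date.fromisoformat(diagram["current_as_at"])
    findings = Findings(stale_diagram=(today - updated).days > max_age_days)

    documented = {ip: dns for seg in diagram["segments"].values() for ip, dns in seg["hosts"].items()}
    findings.hosts_missing_dns = {ip for ip, dns in documented.items() if not dns}
    allowed = set(diagram["connections"])

    seen: set[str] = set()
    for src, dst, port in flows:
        seen.update((src, dst))
        s_seg, d_seg = segment_of(src, diagram), segment_of(dst, diagram)
        # A cross-segment flow the diagram does not show is either an undocumented
        # path or a firewall rule that disagrees with the diagram; both need review.
        if s_seg and d_seg and s_seg != d_seg and (s_seg, d_seg, port) not in allowed:
            findings.undocumented_connections.add((s_seg, d_seg, port))

    findings.undocumented_hosts = seen - set(documented)
    findings.unobserved_hosts = set(documented) - seen
    return findings


def run_check(max_age_days: int = 365) -> Findings:
    """Run the check over the constructed diagram and flows."""
    return check_diagram(DIAGRAM, OBSERVED_FLOWS, REFERENCE_DATE, max_age_days)


if __name__ == "__main__":
    for name, value in vars(run_check()).items():
        print(f"{name}: {value}")
```

Run against the constructed input, the check flags `10.20.0.77` as an undocumented host, `CORP -> CDE` on port 5432 as a connection the diagram does not show, `192.0.2.11` as a host without a DNS name, and `10.10.0.7` and `192.0.2.11` as documented hosts that produced no traffic. The last category is where the passive-discovery caveat matters: a backup host may simply have been quiet during the capture window, so treat it as a prompt to confirm the entry, not as evidence to delete it. Tightening `max_age_days` to 90 makes the January date count as stale for the June reference date, which is the kind of trigger the checklist questions about update cadence are asking about.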


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH
  • Overall responsibility for network management should be clearly assigned to individuals who are equipped with the know-how, skills and resources to fulfill their duties. Network standards, design, diagrams and operating procedures should be formally documented, kept up-to date, communicated to all r… (6.1.2, Hong Kong Monetary Authority: TM-G-1: General Principles for Technology Risk Management, V.1 – 24.06.03)
  • The configuration management department should create and maintain network connection diagrams, configuration diagrams, and other required system diagrams. (O66.2, FISC Security Guidelines on Computer Systems for Banking and Related Financial Institutions, 7th Edition)
  • In addition, the department in charge should document and maintain the system configuration and network connection diagrams in order to respond to system configuration changes adequately. (P48.2. ¶ 3, FISC Security Guidelines on Computer Systems for Financial Institutions, Ninth Edition, Revised March 2020)
  • Organization charts and emergency communication networks should be kept up-to-date and made known to all employees at all levels and functions within the organization. (P73.3., FISC Security Guidelines on Computer Systems for Financial Institutions, Ninth Edition, Revised March 2020)
  • Mapping the internal and external connectivity between various network segments (Critical components of information security 24) iv. Bullet 3, Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • Documenting network architecture and identifying systems that serve critical functions or contain sensitive information that require additional levels of protection. (Critical components of information security 24) viii. ¶ 1 j., Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • Identifying all access points to the network including various telecommunications channels like ethernet, wireless, frame relay, dedicated lines, remote dial-up access, extranets, internet (Critical components of information security 24) iv. Bullet 2, Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • Virtual devices: ensure that virtual devices for guest OSs are associated with the appropriate physical devices on the host system, such as the mapping between virtual network interface cards (NICs) to the proper physical NICs. (EMERGING TECHNOLOGIES AND INFORMATION SECURITY 1 ¶ 9 f., Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • Redundancy or fault-tolerant solutions should be implemented for IT systems which require high system availability. The FI should perform a periodic review of its IT system and network architecture design to identify weaknesses in the existing design. The review should include a mapping of internal … (§ 8.1.2, Technology Risk Management Guidelines, January 2021)
  • A review of the FI's network architecture, including the network security design, as well as system and network interconnections, should be conducted on a periodic basis to identify potential cyber security vulnerabilities. (§ 11.2.8, Technology Risk Management Guidelines, January 2021)
  • Network documentation includes a high-level network diagram showing all connections into the network; a logical network diagram showing all network devices, critical servers and services; and the configuration of all network devices. (Security Control: 0516; Revision: 4, Australian Government Information Security Manual, March 2021)
  • Network documentation includes high-level network diagrams showing all connections into networks and logical network diagrams showing all critical servers, high-value servers, network devices and network security appliances. (Control: ISM-0516; Revision: 5, Australian Government Information Security Manual, June 2023)
  • Network documentation includes high-level network diagrams showing all connections into networks and logical network diagrams showing all critical servers, high-value servers, network devices and network security appliances. (Control: ISM-0516; Revision: 5, Australian Government Information Security Manual, September 2023)
  • The Key Management Plan should include diagrams and descriptions of the cryptographic system topology, that includes the data flows. (Control: 0510 Table Row "Topology", Australian Government Information Security Manual: Controls)
  • The organization must have a high-level diagram, for each network, that shows all connections to the network. (Control: 0516 Bullet 1, Australian Government Information Security Manual: Controls)
  • The organization must have a logical network diagram, for each network, that shows all network devices. (Control: 0516 Bullet 2, Australian Government Information Security Manual: Controls)
  • The network diagram must be updated whenever network changes are made. (Control: 0518 Bullet 1, Australian Government Information Security Manual: Controls)
  • The network diagrams must include a "current as at (date)" statement on each page. (Control: 0518 Bullet 2, Australian Government Information Security Manual: Controls)
  • The organization should review the gateway security architecture and the security risks of all connected security domains at least annually. (Control: 1041, Australian Government Information Security Manual: Controls)
  • A site/floor cabling diagram and a network diagram (showing all connections and devices) should be developed, updated on a regular basis, and contain a "current as of (date)" on each page. (§ 2.7.24, § 3.10.6, Australian Government ICT Security Manual (ACSI 33))
  • Critical systems should have an available, up-to-date system description that details the physical arrangements, logical arrangements, data flows, and interfaces with other processes or systems; hardware prerequisites; software prerequisites; and security measures. (¶ 4.3, EudraLex, The Rules Governing Medicinal Products in the European Union, Volume 4 Good Manufacturing Practice, Medicinal Products for Human and Veterinary Use Annex 11: Computerised Systems, SANCO/C8/AM/sl/ares(2010)1064599)
  • Prepare a network plan and examine any existing graphic diagrams of the network, for example the network topology plans. (4.2.3 Bullet 1, BSI-Standard 100-2 IT-Grundschutz Methodology, Version 2.0)
  • Prepare a network plan and update the existing network plans or create new ones. (4.2.3 Bullet 2, BSI-Standard 100-2 IT-Grundschutz Methodology, Version 2.0)
  • IT systems, i.e. clients and servers, active network components (§ 3.2.4 Subsection 3 ¶ 1 Bullet 1, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • Network connections between such systems (§ 3.2.4 Subsection 3 ¶ 1 Bullet 2, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • Outward connections of the considered area (§ 3.2.4 Subsection 3 ¶ 1 Bullet 3, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • A rudimentary network plan should be created as an overview on the basis of the acquired information. If an up-to-date network is available, this can be used. A network plan is a graphical representation of the components used in the information and communications technology under consideration and … (§ 3.2.4 Subsection 3 ¶ 1, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • However, the graphical network summary should not be limited to physical components, but should also include virtualised structures. Here, either virtual structures (suitably identified) can be inserted directly into the graphical network summary, or they can be entered into a separate network summa… (§ 3.2.4 Subsection 3 ¶ 2, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • Sift through existing graphical depictions of the network, e.g. the network topology plans (§ 8.1.4 Subsection 2 Bullet 1, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • If necessary update or produce network plans (§ 8.1.4 Subsection 2 Bullet 2, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • The ICS area can be operated as an autonomous network. When acquiring network connections also the interfaces should be acquired (list of allowed and blocked interfaces). Also the Internet connection out of the ICS area should be acquired. Separation of the networks between the office area and the I… (§ 8.1.4 ¶ 7, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • Consider dependencies, the maximum principle and, if necessary, the cumulative or distribution effect (§ 8.2.6 Subsection 1 Bullet 2, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • The decisions on which communication links are to be considered to be critical should be documented by table or should be highlighted graphically in the network plan. (§ 8.2.8 ¶ 4, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • Areas with different protection need should be marked. The network plan should be created and maintained in electronic form as far as possible. If the information technology in the organisation has gone beyond a particular size, it is appropriate to use a suitable programme to acquire and maintain t… (§ 8.1.4 ¶ 8, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • The area of industrial control also should be integrated into the network plan. In addition to the persons responsible for IT and the administrators, also the members of the building services teams are contact persons. (§ 8.1.4 Subsection 1 ¶ 3, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • Both the networked and non-networked IT systems, i.e. in particular those not incorporated into the network plan, are to be included. IT systems which have been grouped together in the network plan can be viewed from now on as a single object. Even IT systems that are not listed in the network plan … (§ 8.1.5 Subsection 1 ¶ 2, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • The architecture of the network is documented comprehensibly and currently (e. g. in the form of diagrams) in order to avoid errors in the management during live operation and ensure timely restoration according to the contractual duties in the event of damage. Different environments (e. g. administ… (Section 5.9 KOS-06 Basic requirement ¶ 1, Cloud Computing Compliance Controls Catalogue (C5))
  • The components of the IT systems and their connections with each other shall be administered in a suitable way, and the inventory data collected for this shall be updated regularly and on an ad hoc basis. (II.7.46, Circular 10/2017 (BA): Supervisory Requirements for IT in Financial Institutions, 14.09.2018)
  • Inventory of each access point to the network is called for to identify potential points of vulnerability. Proper system configuration is suggested, as well as a frequently reviewed network topology diagram. Organizations should scan for unknown system users and unidentified access attempts. (§ I.20, OECD / World Bank Technology Risk Checklist, Version 7.3)
  • Does a network topology diagram exist? (Table Row I.20, OECD / World Bank Technology Risk Checklist, Version 7.3)
  • Is the network topology diagram kept up-to-date? (Table Row I.20, OECD / World Bank Technology Risk Checklist, Version 7.3)
  • What is the update process for the network topology diagram, and how often is it kept current? (Table Row I.20, OECD / World Bank Technology Risk Checklist, Version 7.3)
  • What trigger event must occur for the network topology diagram to be updated? (Table Row I.20, OECD / World Bank Technology Risk Checklist, Version 7.3)
  • Verify that a current network diagram (for example, one that shows how cardholder data flows over the network) documents all connections to cardholder data, including any wireless networks. (§ 1.1.2.a, Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance All other Merchants and all SAQ-Eligible Service Providers, Version 2.0)
  • Check the network diagram date to ensure the organization keeps it current. (§ 1.1.2.b, Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance All other Merchants and all SAQ-Eligible Service Providers, Version 2.0)
  • Verify that the current network diagram is consistent with the firewall configuration standards. (§ 1.1.3.b, Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance All other Merchants and all SAQ-Eligible Service Providers, Version 2.0)
  • Observe the network configuration and examine network diagrams to verify a current network diagram exists and it documents all network connections to cardholder data, including wireless connections. (Testing Procedures § 1.1.2.a, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures - Testing Procedures, 3)
  • Interview responsible personnel to verify the network diagram is kept up-to-date. (Testing Procedures § 1.1.2.b, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures - Testing Procedures, 3)
  • Verify the network diagram and the firewall configuration standards are consistent. (Testing Procedures § 1.1.4.b, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures - Testing Procedures, 3)
  • Establish a firewall and router configuration standard that includes a current network diagram. (§ 1.1.2, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 2.0)
  • Verify that a current network diagram (for example, one that shows cardholder data flows over the network) documents all connections to cardholder data, including any wireless networks. (§ 1.1.2.a Testing Procedures, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 2.0)
  • Check the network diagram date to ensure the organization keeps it current. (§ 1.1.2.b Testing Procedures, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 2.0)
  • Verify that the current network diagram is consistent with the firewall configuration standards. (§ 1.1.3.b Testing Procedures, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 2.0)
  • Establish and implement firewall configuration standards and router configuration standards that include current network diagrams identifying all connections between the cardholder data environment and other networks, including wireless networks. (PCI DSS Requirements § 1.1.2, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 3.0)
  • Network diagram is updated to reflect changes. (A3.2.2.1 Bullet 1, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, v3.2.1)
  • Is the current network diagram consistent with the firewall configuration standards? (1.1.4 (b), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire A-EP and Attestation of Compliance, Version 3.1)
  • Is the current network diagram consistent with the firewall configuration standards? (1.1.4(b), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire A-EP and Attestation of Compliance, Version 3.2)
  • Is there a process to ensure the diagram is kept current? (1.1.2(b), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire A-EP and Attestation of Compliance, Version 3.2)
  • Is there a current network diagram that documents all connections between the cardholder data environment and other networks, including any wireless networks? (1.1.2 (a), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire B-IP and Attestation of Compliance, Version 3.1)
  • Is there a process to ensure the diagram is kept current? (1.1.2 (b), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire B-IP and Attestation of Compliance, Version 3.1)
  • Is the current network diagram consistent with the firewall configuration standards? (1.1.4 (b), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire B-IP and Attestation of Compliance, Version 3.1)
  • Is the current network diagram consistent with the firewall configuration standards? (1.1.4(b), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire B-IP and Attestation of Compliance, Version 3.2)
  • Is there a process to ensure the diagram is kept current? (1.1.2(b), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire B-IP and Attestation of Compliance, Version 3.2)
  • Is there a current network diagram that documents all connections between the cardholder data environment and other networks, including any wireless networks? (1.1.2 (a), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.1)
  • Is there a process to ensure the diagram is kept current? (1.1.2 (b), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.1)
  • Is the current network diagram consistent with the firewall configuration standards? (1.1.4 (b), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.1)
  • Is the current network diagram consistent with the firewall configuration standards? (1.1.4(b), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.2)
  • Is there a process to ensure the diagram is kept current? (1.1.2(b), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.2)
  • Is there a current network diagram that documents all connections between the cardholder data environment and other networks, including any wireless networks? (1.1.2 (a), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.1)
  • Is there a process to ensure the diagram is kept current? (1.1.2 (b), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.1)
  • Is the current network diagram consistent with the firewall configuration standards? (1.1.4 (b), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.1)
  • Is the current network diagram consistent with the firewall configuration standards? (1.1.4(b), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.2)
  • Is there a process to ensure the diagram is kept current? (1.1.2(b), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.2)
  • Maintain a current topology of all physical locations of access points. (§ 4.3.1.G, Payment Card Industry (PCI) Information Supplement: PCI DSS Wireless Guideline)
  • An accurate network diagram(s) is maintained that shows all connections between the CDE and other networks, including any wireless networks. (1.2.3, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Requirements, Version 4.0)
  • Examine documentation and interview responsible personnel to verify that the network diagram(s) is accurate and updated when there are changes to the environment. (1.2.3.b, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Testing Procedures, Version 4.0)
  • Examine diagram(s) and network configurations to verify that an accurate network diagram(s) exists in accordance with all elements specified in this requirement. (1.2.3.a, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Testing Procedures, Version 4.0)
  • Is the current network diagram consistent with the firewall configuration standards? (PCI DSS Question 1.1.4(b), PCI DSS Self-Assessment Questionnaire A-EP and Attestation of Compliance, Version 3.0)
  • Is there a current network diagram that documents all connections between the cardholder data environment and other networks, including any wireless networks? (PCI DSS Question 1.1.2(a), PCI DSS Self-Assessment Questionnaire B-IP and Attestation of Compliance, Version 3.0)
  • Is there a process to ensure the network diagram is kept current? (PCI DSS Question 1.1.2(b), PCI DSS Self-Assessment Questionnaire B-IP and Attestation of Compliance, Version 3.0)
  • Is the current network diagram consistent with the firewall configuration standards? (PCI DSS Question 1.1.4(b), PCI DSS Self-Assessment Questionnaire B-IP and Attestation of Compliance, Version 3.0)
  • Is there a current network diagram that documents all connections between the cardholder data environment and other networks, including any wireless networks? (PCI DSS Question 1.1.2(a), PCI DSS Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.0)
  • Is there a process to ensure the network diagram is kept current? (PCI DSS Question 1.1.2(b), PCI DSS Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.0)
  • Is there a current network diagram that shows all cardholder data flows across systems and networks? (PCI DSS Question 1.1.3(a), PCI DSS Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.0)
  • Is there a process to ensure the network diagram is kept current? (PCI DSS Question 1.1.3(b), PCI DSS Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.0)
  • Is the current network diagram consistent with the firewall configuration standards? (PCI DSS Question 1.1.4(b), PCI DSS Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.0)
  • Is there a current network diagram that documents all connections between the cardholder data environment and other networks, including any wireless networks? (PCI DSS Question 1.1.2(a), PCI DSS Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.0)
  • Is there a process to ensure the network diagram is kept current? (PCI DSS Question 1.1.2(b), PCI DSS Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.0)
  • Is there a current network diagram that shows all cardholder data flows across systems and networks? (PCI DSS Question 1.1.3(a), PCI DSS Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.0)
  • Is there a process to ensure the network diagram is kept current? (PCI DSS Question 1.1.3(b), PCI DSS Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.0)
  • Is the current network diagram consistent with the firewall configuration standards? (PCI DSS Question 1.1.4(b), PCI DSS Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.0)
  • An accurate network diagram(s) is maintained that shows all connections between the CDE and other networks, including any wireless networks. (1.2.3, Self-Assessment Questionnaire A-EP and Attestation of Compliance for use with PCI DSS Version 4.0)
  • An accurate network diagram(s) is maintained that shows all connections between the CDE and other networks, including any wireless networks. (1.2.3, Self-Assessment Questionnaire B-IP and Attestation of Compliance for use with PCI DSS Version 4.0)
  • An accurate network diagram(s) is maintained that shows all connections between the CDE and other networks, including any wireless networks. (1.2.3, Self-Assessment Questionnaire D for Merchants and Attestation of Compliance for use with PCI DSS Version 4.0)
  • An accurate network diagram(s) is maintained that shows all connections between the CDE and other networks, including any wireless networks. (1.2.3, Self-Assessment Questionnaire D for Service Providers and Attestation of Compliance for use with PCI DSS Version 4.0)
  • A network architecture diagram that shows all network interconnections and perimeter security devices (routers, firewalls, and intrusion detection systems) should exist. Based on the diagram, management will be able to understand how vulnerabilities on one network may impact the security of assets o… (§ 3.1 (Scoping Systems) ¶ 2, IIA Global Technology Audit Guide (GTAG) 6: Managing and Auditing IT Vulnerabilities)
  • Networks should be supported by documentation, which includes network configuration diagrams, showing nodes and connections. (CF.09.02.03a, The Standard of Good Practice for Information Security)
  • Networks should be supported by documentation, which includes one or more diagrams of in-house cable runs for each physical location. (CF.09.02.03c, The Standard of Good Practice for Information Security)
  • Networks should be supported by documentation, which includes network configuration diagrams, showing nodes and connections. (CF.09.02.03a, The Standard of Good Practice for Information Security, 2013)
  • Networks should be supported by documentation, which includes one or more diagrams of in-house cable runs for each physical location. (CF.09.02.03c, The Standard of Good Practice for Information Security, 2013)
  • The organization should setup automated processes to find the critical network diagrams that are stored online and in cleartext. (Critical Control 20.5 Bullet 2, Twenty Critical Security Controls for Effective Cyber Defense: Consensus Audit Guidelines, Version 4.0)
  • Network environments and virtual instances shall be designed and configured to restrict and monitor traffic between trusted and untrusted connections, reviewed at planned intervals, supported by documented business justification for use of all services, protocols, and ports allowed, including ration… (IVS-06, Cloud Controls Matrix, v3.0)
  • Establish and maintain architecture diagram(s) and/or other network system documentation. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard. (CIS Control 12: Safeguard 12.4 Establish and Maintain Architecture Diagram(s), CIS Controls, V8)
  • Establish and maintain a secure network architecture. A secure network architecture must address segmentation, least privilege, and availability, at a minimum. (CIS Control 12: Safeguard 12.2 Establish and Maintain a Secure Network Architecture, CIS Controls, V8)
  • The organization's asset inventory includes maps of network resources, as well as connections with external and mobile resources. (ID.AM-3.3, CRI Profile, v1.2)
  • The organization identifies, establishes, documents and manages a baseline mapping of network resources, expected connections and data flows. (DE.AE-1.1, CRI Profile, v1.2)
  • The organization's asset inventory includes maps of network resources, as well as connections with external and mobile resources. (ID.AM-3.3, Financial Services Sector Cybersecurity Profile, Version 1.0.0)
  • The organization identifies, establishes, documents and manages a baseline mapping of network resources, expected connections and data flows. (DE.AE-1.1, Financial Services Sector Cybersecurity Profile, Version 1.0.0)
  • the service organization's network environment and the information and systems the service organization uses when interacting with customers, and (¶ 3.59 Bullet 2 Sub-Bullet 2, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • the service organization's use of technology, including its applications, infrastructure, network architecture, use of mobile devices, use of cloud technologies, and the types of external party access or connectivity to the system; (¶ 3.59 Bullet 9 Sub-Bullet 1, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • Members should maintain an inventory of critical information technology hardware with network connectivity, data transmission or data storage capability and an inventory of critical software with applicable versions. Members should identify the significant internal and external threats and vulnerabi… (Information Security Program Bullet 2 Security and Risk Analysis ¶ 2, 9070 - NFA Compliance Rules 2-9, 2-36 and 2-49: Information Systems Security Programs)
  • For cloud computing services, are cloud topology and architecture diagrams available during a client audit? (§ V.1.20.1, Shared Assessments Standardized Information Gathering Questionnaire - V. Cloud, 7.0)
  • For cloud computing services, are connectivity diagrams available during a client audit? (§ V.1.20.2, Shared Assessments Standardized Information Gathering Questionnaire - V. Cloud, 7.0)
  • The wireless e-mail system should be set up with the required components and the handheld devices should have the appropriate software installed. Good Mobile Messaging Server 5.0 or later; Good Mobile Internet Server 1.9 or later; DoD enclave email malware scanner. If not available, a DoD smartphone… (§ 2.2 (WIR3080), DISA Wireless STIG Motorola Good Mobile Wireless Email System Security Checklist, Version 5 Release 2.3)
  • The wireless e-mail system should be set up with the required components and the handheld devices should have the appropriate software installed. The required components are: Microsoft Exchange Server 2003 SP2 or Microsoft Exchange Server 2007 SP1; Microsoft Internet Security and Acceleration (ISA) … (§ 2.2 (WIR2080), DISA Wireless STIG Windows Mobile Messaging Wireless EChecklist Version 5, Release 2.4, Version 5 Release 2.4)
  • Must follow a change management and connection approval process that documents all aspects of approved connections and system modification (Section 5.10.1.1.2 ¶ 3 Bullet 3, Department of Defense Cloud Computing Security Requirements Guide, Version 1, Release 3)
  • As a condition for a DoD Level 4 or Level 5 PA the CSP, when the CSP's network which supports a DoD contracted CSO is privately connected to the NIPRNet via a NIPRNet BCAP (or other DoD network via their BCAP) and the Internet, the CSP must provide evidence that the CSP's network or the CSO cannot p… (Section 5.10.1.1.4 ¶ 2, Department of Defense Cloud Computing Security Requirements Guide, Version 1, Release 3)
  • Vendors shall provide a complete list of their commercial IP subnets that need to be routed on NIPRNet in order to effect such routing. (Section 5.10.4.1 ¶ 8 Bullet 1, Department of Defense Cloud Computing Security Requirements Guide, Version 1, Release 3)
  • The agency shall ensure a complete and current network map is maintained showing all interconnectivity of the agency network to criminal justice information, systems, and services. (§ 5.7.1.2 ¶ 1, Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.2, Version 5.2)
  • The network map shall include all communications paths, circuits, and other components that are used for interconnections, from the agency-owned systems, through interconnected systems, and to the agency endpoint. (§ 5.7.1.2 ¶ 2(1), Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.2, Version 5.2)
  • The network map shall include the logical location of all components, except individual workstations do not have to be shown (the total number is sufficient). (§ 5.7.1.2 ¶ 2(2), Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.2, Version 5.2)
  • The network map shall include "For Official Use Only" markings. (§ 5.7.1.2 ¶ 2(3), Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.2, Version 5.2)
  • The network map shall include the agency name and the day, month, and year the network map was created or updated. (§ 5.7.1.2 ¶ 2(4), Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.2, Version 5.2)
  • Identify and document how the equipment is connected to the state system. (§ 3.2.9 ¶ 1(2), Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.8, Version 5.8)
  • All communications paths, circuits, and other components used for the interconnection, beginning with the agency-owned system(s) and traversing through all interconnected systems to the agency end-point. (§ 5.7.1.2 ¶ 2(1), Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.8, Version 5.8)
  • The agency shall ensure that a complete topological drawing depicting the interconnectivity of the agency network, to criminal justice information, systems and services is maintained in a current status. See Appendix C for sample network diagrams. (§ 5.7.1.2 ¶ 1, Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.8, Version 5.8)
  • The logical location of all components (e.g., firewalls, routers, switches, hubs, servers, encryption devices, and computer workstations). Individual workstations (clients) do not have to be shown; the number of clients is sufficient. (§ 5.7.1.2 ¶ 2(2), Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.8, Version 5.8)
  • Identify and document how the equipment is connected to the state system. (§ 3.2.9 ¶ 1 2., Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.9.1, Version 5.9.1)
  • The agency shall ensure that a complete topological drawing depicting the interconnectivity of the agency network, to criminal justice information, systems and services is maintained in a current status. See Appendix C for sample network diagrams. (§ 5.7.1.2 ¶ 1, Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.9.1, Version 5.9.1)
  • All communications paths, circuits, and other components used for the interconnection, beginning with the agency-owned system(s) and traversing through all interconnected systems to the agency end-point. (§ 5.7.1.2 ¶ 2 1., Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.9.1, Version 5.9.1)
  • The logical location of all components (e.g., firewalls, routers, switches, hubs, servers, encryption devices, and computer workstations). Individual workstations (clients) do not have to be shown; the number of clients is sufficient. (§ 5.7.1.2 ¶ 2 2., Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.9.1, Version 5.9.1)
  • A network diagram is in place and identifies all external connections. (Domain 4: Assessment Factor: Connections, CONNECTIONS Baseline 1 ¶ 3, FFIEC Cybersecurity Assessment Tool, Baseline, May 2017)
  • Network diagrams, including configuration or component changes and the entity's internal and external connections. (App A Objective 1:3c, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Determine whether management documents and maintains accurate representations (e.g., network diagrams, data flow diagrams, business process flow diagrams, and business process narratives) of the current IT and business environments and employs processes to update the representations. (App A Objective 5:1, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Periodically reviews documented diagrams and narratives to confirm the accuracy of the representations of the IT and business environment. (App A Objective 5:2c, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Aligns diagrams and narratives with each other and across the entity's lines of business. (App A Objective 5:2b, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Identification of infrastructure assets (e.g., hardware and software) and associated interconnectivity critical to business and IT operations. (App A Objective 2:8b Bullet 4, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Placement and selection of storage, design of network topology, availability of bandwidth, and need for management reporting systems, as well as implementation of monitoring tools. (App A Objective 12:5d, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Maintenance of representations (e.g., blueprints, network diagrams, and topologies) of the IT environment, review of existing infrastructure and operations to determine IT systems capabilities and needs. (App A Objective 2:9a Bullet 5, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Maintains accurate network diagrams and data flow charts. (App A Objective 6.10.b, FFIEC Information Technology Examination Handbook - Information Security, September 2016)
  • Management should secure access to computer networks through multiple layers of access controls by doing the following: - Establishing zones (e.g., trusted and untrusted) according to the risk profile and criticality of assets contained within the zones and appropriate access requirements within an… (II.C.9 Network Controls, FFIEC Information Technology Examination Handbook - Information Security, September 2016)
  • Current network diagrams and data flow diagrams, including changes to configuration or components. (App A Objective 1:3 b., FFIEC Information Technology Examination Handbook - Management, November 2015)
  • An up-to-date network diagram should be maintained. The diagram should document the network connectivity to include internal databases, remote users, and gateway servers to any third party. (Pg 28, FFIEC IT Examination Handbook - E-Banking, August 2003)
  • Management should maintain an up-to-date network map. (Pg 6, Exam Tier I Obj 4.2, FFIEC IT Examination Handbook - Operations, July 2004)
  • Obtain and review the topology of the financial institution's network, and determine the components involved in the RDC process. Identify the network interfaces with customers using RDC and the technology controls in place. (App A Tier 2 Objectives and Procedures N.1 Bullet 2, FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)
  • All network access paths must be identified and controlled. Careful analysis is needed to identify all of the systems entry points and paths to sensitive files. (AC-3.2(B), Federal Information System Controls Audit Manual (FISCAM), February 2009)
  • Does the Credit Union have a detailed network map that describes the connection points, Operating Systems, hardware components, location of security devices, services, addressing schemes, and more? (IT - Networks Q 18, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • Does documentation (i.e., topology maps) exist to identify the routers on the Credit Union network, if the routers are maintained by a third party? (IT - Routers Q 1, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • Does documentation, i.e., topology maps, exist to identify the routers that exist on the Credit Union network? (IT - Routers Q 11, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • Does the Credit Union have a network map to identify the operational servers? (IT - Servers Q 1, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • Does the network map identify the servers in the Demilitarized Zone? (IT - Servers Q 18a, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • Are Wireless Local Area Network equipment and security devices included in the Credit Union network infrastructure map? (IT - WLANS Q 3, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • Complete and up-to-date logical network diagram. (§ 6.2.6.2 ICS-specific Recommendations and Guidance ¶ 1 Bullet 5, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Identify network mapping and operating system (OS) fingerprinting activities. (T0299, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Prepare detailed workflow charts and diagrams that describe input, output, and logical operation, and convert them into a series of instructions coded in a computer language. (T0189, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Identify network components and their functionality to enable analysis and target development. (T0722, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Perform or support technical network analysis and mapping. (T0850, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Produce network reconstructions. (T0775, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Reconstruct networks in diagram or report format. (T0803, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Automated determination of proper container networking surfaces, including both inbound ports and process-port bindings; (4.4.2 ¶ 3 Bullet 1, NIST SP 800-190, Application Container Security Guide)
  • Telecommunications documentation. Physical and logical telecommunications diagrams should be up to date. The physical diagram should display the physical layout of the facility that houses the LAN and/or WAN, and cable jack numbers should be documented on the physical diagram. Diagrams should also i… (§ 5.3.1 ¶ 1 Bullet 1, NIST SP 800-34, Contingency Planning Guide for Federal Information Systems, Rev. 1 (Final))
  • Identify network mapping and operating system (OS) fingerprinting activities. (T0299, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Reconstruct networks in diagram or report format. (T0803, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Produce network reconstructions. (T0775, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Prepare detailed workflow charts and diagrams that describe input, output, and logical operation, and convert them into a series of instructions coded in a computer language. (T0189, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Perform or support technical network analysis and mapping. (T0850, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Representations of the organization's authorized network communication and internal and external network data flows are maintained (ID.AM-03, The NIST Cybersecurity Framework, v2.0)