Asset Management Program Effective: xx/xx/xx
Created/Revised: yy/yy/yy
Network Diagram and System Documentation Procedure: AM1 Procedure Owner: Title Here
Boilerplate
This is a “boilerplate” of a “Network Diagram and System Documentation Procedure,” to be used as a starting point in documenting your Asset Management Program.
Copyright / Permission to Use
· Permission to use this document is conditional upon you receiving this template directly from an infotex consultant, infotex website or e-commerce site, or an infotex workshop / training presentation.
· By using this template either in its entirety or any portion thereof, you acknowledge that you agree to the terms of use as dictated in the “Transfer of Copyright Agreement” located at copyright.infotex.com. This agreement establishes that when you customize this template to your specific needs, your organization may have copyright of the customized document. However, infotex retains copyright to the template. This agreement also establishes that you will not share this or any other template with third parties other than auditors and examiners. You may not transfer ownership of the customized documents to any other organization without the express written permission of infotex.
Instructions
· Make sure to read through the template carefully as not all situations will pertain to your organization. However, to assist you in customizing the document to your specific needs, we have attempted to color code areas that will need your special attention. Color coding is as follows:
o All areas needing customization and/or consideration are in red.
o Sections that are in brown are optional sections according to our definition of best practices. These sections may be removed if they do not match your needs.
o Sections in blue are merely instructions or additional information for knowledge purposes and should be removed.
o Sections in green are examples.
· Note that you should confirm that all text has been changed to “black” before considering this template final for your organization. If any section is still in a color other than black, then not all situations or customizations have been considered.
· This section (Templates) may be removed once the document has been customized, for at that time we turn ownership of the customized document over to you.
© Copyright 2000 – 2016 infotex, Inc. All rights reserved.
Insert Financial Institution Name / Logo
Network Diagram and
System Documentation Procedure
Classified: Confidential Information
Contact if found: Name, Title
Name of Financial Institution
City, State
Policy Scope
This procedure applies to all Name of Financial Institution’s employees, temporary workers, contractors, and consultants. It applies to all computer systems that require a password, that have access to Name of Financial Institution’s network, or that store any non-public information.
The Information Security Officer is responsible for overseeing the development, implementation, and maintenance of this procedure. It should be reviewed at least annually to ensure relevant information is appropriately considered.
Senior Management is responsible for enforcing this procedure.
For questions concerning this procedure, see Senior Management.
Introduction
From time to time, outside parties request documentation of our information system in order to provide services or quotes for services, as well as consulting regarding the design of our system. For this reason Name of Financial Institution needs to maintain a current system inventory and current network diagrams.
Objective
This document covers the procedures for taking an inventory of the Information System and documenting the network topology via a network diagram.
Distribution of Network Diagrams and System Inventory Information
As per the Data Ownership Policy and Access Management Procedure, the network is “owned” by the [Network Administrator / Windows Administrator / Unix Administrator].
Note: Clients with multiple platforms typically divide ownership up between the platforms and this should be stated in the above paragraph if necessary.
As such, the Network Owner is responsible for ensuring proper execution of this procedure. Just as important, the Network Owner must approve requests for distributing the Systems Inventory information. Because information on a network diagram and in systems inventories could give malicious attackers helpful information, it is important that access to these documents is controlled as per the safeguards related to information classified as Confidential.
If intrusion detection/prevention monitoring is being outsourced to a Managed Security Service Provider (MSSP), Network Diagrams should be delivered to the IDS/IPS vendor as per the vendor contract.
Auditors, examiners, and consultants who have undergone appropriate vendor due diligence as per the Vendor Management Procedure may receive these documents as requested, with the permission of the Network Administrator.
Network File Structure (or Information Landscape)
Restricted directories should be documented as an additional document in the System Inventory. During the annual Access Authorization Review process, as per the Access Management Procedure, the Network Administrator will run a report demonstrating access to each restricted directory.
System Inventory
A System Inventory will include an inventory of all information assets, high-level network diagrams, detailed network diagrams, and a file structure definition document. Tools used in the system inventory process include: [list tools client is using such as asset management tools, network diagramming software, Trackit, etc.]
A form has been included for clients that do not have an automated asset management tool. If this is going to be used, the following language applies: Appendix A includes a form that must be completed when the system inventory is conducted.
Network Diagram
The Network Administrator should maintain high-level diagrams showing MAN/WAN topology, as well as detailed network diagrams showing local area network configurations for each location. Diagrams should utilize standard naming conventions and iconology. WAN diagrams must state the connection type (DSL, T1, T3, ATM, etc.) as well as bandwidth constraints (256 kbps, 512 kbps, 1 Mbps, etc.). Servers and routers should follow the naming conventions established in the Network Devices Security Standards. All network diagrams should include the IP addresses of all significant network devices and servers. Workstations can be grouped in one icon expressing IP address ranges if appropriate. Diagrams should include effective date, author, name of network, distribution list, etc.
Data Flow Diagrams
To meet the Baseline maturity level of the FFIEC Cybersecurity Assessment Tool, we must document where customer data leaves our control in our outsourcing relationships. Meanwhile, we want to benefit from the awareness advantages of teaching management where data is going. Thus, we want to maintain the following “data flow diagrams:”
· E-communications: E-mail, Secure Messaging, Instant Messaging
· New Accounts
· Compliance Data Processing: BSA, OFAC, and Other Data Connections Out for Compliance Purposes
· Mortgage Loan Processing
· Commercial Loan Processing
· Consumer Loan Processing
· Branchless Banking: Internet Banking, Mobile Banking, ATMs, Billpay, P2P, etc.
· Collections Access Database designed in 2003.
Data flow diagrams will be maintained by the Information Security Officer. The <IT Steering Committee / Technology Team / Information Security Officer> will determine who should receive data flow diagrams. Because data flow drawings are meant to be explained rather than simply handed out, those receiving data flow diagrams will participate in a meeting where the Information Security Officer walks through the drawings. The [IT Steering Committee Meeting Minutes] will reflect the review of the data flow diagrams. (Note: Infotex uses GoToMeeting for this next sentence): The review of the data flow diagram will be conducted in an environment where the review can be recorded.
Management is free to choose conventions and standards for data flow diagrams, other than the following requirements:
· All entities receiving data should be represented on the drawing.
· All persons involved in the process should be represented on the drawing.
· All drawings should be dated and author noted.
· Drawings should be approved by the <IT Steering Committee / Technology Team / Information Security Officer.>
· The audience for each drawing, in the form of a “distribution list,” should be identified on each drawing.
· Drawings for which the audience is “technical” should follow appropriate symbol conventions.
Updating Schedule
Network Diagrams should be updated quarterly as well as whenever major modifications are made. System Inventories should be updated semi-annually or whenever major acquisitions are made. The File Structure documentation should be updated as new restricted root-directories are created. Data Flow Diagrams should be updated annually, when we perform our risk assessment, or whenever a new change, product, service, application, process, or vendor would create a major change in data flow.
Due Diligence
The Information Security Officer / Compliance Officer is responsible for creating and executing a due diligence process to ensure that this procedure is being enforced. All other workforce members will be required to funnel materials gathered as a part of this procedure to the Information Security Officer for processing. The Information Security Officer will also be responsible for gathering annual documentation as required by this procedure, and working with the Internal Auditor / Compliance Officer to ensure procedure enforcement.
Status Reporting
The Compliance Officer will ensure that this procedure has been met during ongoing auditing practices and will report to the Audit Committee annually that this procedure has been met. The Audit Committee will then report this to the Board of Directors.
Contribution to Control Objectives for Information Technology
Enforcement of this procedure contributes to the achievement of the following CobiT 4.1 control objectives:
· PO5: Manage the IT investment.
· PO9: Assess and manage IT risks.
· DS3: Manage performance and capacity.
· DS6: Identify and allocate costs.
· DS9: Manage the configuration.
· DS13: Manage operations.
Noncompliance
Violation of this procedure may result in disciplinary action which may include termination for employees and temporaries; termination of employment relations in the case of contractors or consultants; or dismissal for interns. Additionally, individuals are subject to loss of Name of Financial Institution’s Information Resources access privileges, and civil and/or criminal prosecution.
Procedure Training
The Information Security Officer, Network Administrator, and Senior Management will review this procedure annually and hold training to ensure that all appropriate personnel understand the provisions of this procedure, as well as the implications for their job description responsibilities.
Distribution List
The following positions will receive this procedure and any changes to this procedure:
· List those individuals. Consider establishing an e-mail alias corresponding to the individuals.
Storage of Procedure
The active copy of this procedure will be stored in the [list location of procedure].
Note: We recommend that the Financial Institution develop a method of off-site, on-line, secure storage of policies and procedures such as in a portal, mirrored intranet site, etc.
Procedure Owner
· Title Here
Procedure Reviewers
· Titles Here
Related Policies / Procedures / Tools
· Data Ownership Policy
· Access Management Procedure
· Vendor Management Procedure
· Network Devices Security Standards
· System Inventory Form (Appendix A)
Appendix A: System Inventory Form
System Inventory Form: P36A1
Location: ______________ Date: ______________
Columns (one row per device):
Inventory Number / Serial # / Device Name / Dept / Location / IP Address / Vendor / Date Ordered / Cost / Out of Service / Comments
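Institutions that keep the System Inventory as a spreadsheet or CSV export can sanity-check it before the Network Administrator signs off or releases it to a vendor. The script below is an added example and is not part of the infotex template; it assumes the export's header row matches the Appendix A columns exactly, and the six sample rows are constructed for illustration. It enforces the points this procedure cares about: every in-service device on the diagram needs a valid, unique IP address, and serial numbers must not be reused.

```python
"""Validate a System Inventory CSV export against the Appendix A form.

Added example, not part of the infotex template. Assumes the CSV header
matches the Appendix A columns; SAMPLE_CSV below is constructed data.
"""
import csv
import io
import ipaddress

# Column names exactly as they appear on the Appendix A form.
REQUIRED = ("Inventory Number", "Serial #", "Device Name", "Dept", "Location",
            "IP Address", "Vendor", "Date Ordered", "Cost", "Out of Service",
            "Comments")

# Constructed sample export: two clean rows, then one problem per row.
SAMPLE_CSV = """Inventory Number,Serial #,Device Name,Dept,Location,IP Address,Vendor,Date Ordered,Cost,Out of Service,Comments
1001,SN-A1,CORE-RTR-01,IT,Main Office,10.10.0.1,Cisco,2015-03-02,4200,,core router
1002,SN-B2,FS-01,IT,Main Office,10.10.0.20,Dell,2014-11-15,6100,,file server
1003,SN-B2,WS-TELLER-07,Ops,Branch 2,10.10.2.57,Dell,2015-06-30,900,,duplicate serial
1004,SN-C3,AS400,Ops,Main Office,10.10.0.300,IBM,2013-01-10,25000,,bad address
1005,SN-D4,OLD-PRINTER,Ops,Branch 1,,HP,2009-05-05,300,2016-01-01,retired
1006,SN-E5,WS-LOAN-03,Lending,Branch 1,,Dell,2016-02-01,950,,missing IP
"""


def validate_inventory(csv_text):
    """Return a list of (inventory_number, problem) findings for the export."""
    findings = []
    reader = csv.DictReader(io.StringIO(csv_text))
    missing_cols = [c for c in REQUIRED if c not in (reader.fieldnames or [])]
    if missing_cols:
        # The form itself is wrong; nothing below is trustworthy.
        return [("<header>", "missing columns: " + ", ".join(missing_cols))]

    seen_serial = {}  # serial number -> inventory number that first used it
    seen_ip = {}      # ip_address object -> inventory number that first used it
    for row in reader:
        num = row["Inventory Number"].strip()
        serial = row["Serial #"].strip()
        ip = row["IP Address"].strip()
        retired = row["Out of Service"].strip() != ""

        if not serial:
            findings.append((num, "missing serial number"))
        elif serial in seen_serial:
            findings.append((num, f"serial {serial} duplicates inventory {seen_serial[serial]}"))
        else:
            seen_serial[serial] = num

        if retired:
            continue  # retired devices are not on the diagram; no address needed

        if not ip:
            findings.append((num, "in-service device has no IP address"))
            continue
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            findings.append((num, f"invalid IP address {ip!r}"))
            continue
        if addr in seen_ip:
            findings.append((num, f"IP {ip} duplicates inventory {seen_ip[addr]}"))
        else:
            seen_ip[addr] = num
    return findings


if __name__ == "__main__":
    for num, problem in validate_inventory(SAMPLE_CSV):
        print(f"inventory {num}: {problem}")
```

Run against the sample it reports the duplicate serial on 1003, the malformed address on 1004 and the missing address on 1006, while the retired printer (1005) is accepted without an IP. Because the inventory is Confidential, run the check on the file in place rather than copying the export to a workstation or ticketing system.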