Establish and maintain architecture diagram(s) and/or other network system documentation. Review
and update documentation annually, or when significant enterprise changes occur that could impact
this Safeguard.
To establish and maintain architecture diagrams and network system documentation, the organization undertakes tasks such as maintaining a comprehensive listing of data systems.
The organization assigns owners who are responsible for completing associated documentation and security measures, ensuring it is regularly reviewed and updated.
Documentation of interfaces and connections between data systems is meticulously maintained and reviewed to integrate any changes.
An owner is defined for an organization's networks. The owner is responsible for planning the structure of the network and documenting it.
Separate network areas are used in network design as needed. Domain areas can be defined by e.g.:
Separation can be implemented either with physically separate networks or with logically separate networks.
The data processing environment is separated from public data networks and other environments with a lower security level in a sufficiently safe manner.
Separation of data systems is one of the most effective factors in protecting confidential information. The goal of separation is to delimit the processing environment of confidential information into a manageable entity, and in particular to be able to limit the processing of confidential information to sufficiently secure environments only. Separation of environments can be implemented, for example, with the help of a firewall solution.
Current configurations of devices, data systems and networks are documented and a log is maintained of configuration changes.
Changes to configurations must be controlled and go through the change management procedure. Only authorized personnel are allowed to make changes to the configurations.
Configuration information may include e.g.: