A Picture is Worth a Thousand Words
And now another topic that is sure to cause fear, trepidation, pain, and agony for LASOs everywhere: Network Diagrams! Cue the shower scene music from Psycho.
This requirement was such that when I was at FDLE, we did not keep network diagrams after an audit concluded. Sounds strange, until the next audit cycle rolled around and we’d ask the agency for their network diagram. The standard response was, as you can probably guess, “we gave it to you last time.”
A legitimate response, but the CJIS Security Policy (CSP) doesn’t say that the CSA will maintain network diagrams for the agencies within its jurisdiction.
Checking the CSP, Section 220.127.116.11 specifically says “The agency shall ensure that a complete topological drawing depicting the interconnectivity of the agency network, to criminal justice information, systems and services is maintained in a current status.”
So why do you reckon we sat around all those years ago and decided to inflict this pain on ourselves? Remember, I was a CSA Information Security Officer when we rewrote the version 4 series into the current version 5. The reason? It really is good stuff.
As a LASO you’re required to “Identify and document how the equipment is connected to the state system” (CSP 3.2.9). The network diagram helps you fulfill that requirement. It visually describes your network.
Another reason: you need to know what you have and how it’s connected to ensure you have your network and IT resources properly secured and patched. Not knowing what you have and how it’s connected is a recipe for disaster.
Finally, it defines what is on the “inside” and what’s on the “outside”. The idea being stuff on the inside is good and needs protecting from stuff on the outside, i.e., the Internet, and all of its evils.
So, even though putting a diagram together can be a pain in the sit-upon, it’s a vital tool in protecting your agency.
Luckily, when they updated the CSP, the good folks at FBI CJIS ISO Staff (Hi George, Jeff, Chris, and Steve) gave us some good ideas of what is needed.
The CSP provides a number of examples of network diagrams; you can find them in Appendix C. For most of y’all, you’re probably interested in the ones on page C-5 (Conceptual Topology Diagram For A County Law Enforcement Agency) and page C-6 (Conceptual Topology Diagram For A Municipal Law Enforcement Agency.)
Alright, I heard some scoffing out there by some of the large agencies; you’re thinking these would be just one corner of your diagram. Y’all calm down. Remember, these are examples. Most of the time, folks go to the examples because they’re not sure what they’re supposed to do. These also help to demonstrate what’s needed, and what’s not.
I’m quite confident if you follow the examples (don’t copy ’em and change the name), you’ll meet your needs and the requirements of the CSP.
Couple o’ tips (I know it’s three):
It helps if you identify those segments where encryption occurs, and at what “level”, e.g., FIPS 140-2, 128K symmetrical (be prepared to provide the FIPS certificate.)
You don’t have to show every computer and laptop, but you will need to provide a count of how many you have.
Finally, and this one is mainly for small agencies: you don’t need fancy software to map out your network topology. For larger networks, specialized software is extremely helpful. For smaller ones, I’ve seen hand drawings that were scanned and submitted.
Bottom line, as long as everything — firewalls, routers, switches, hubs, servers, encryption devices, and computer workstations — is accounted for, you’ll be OK. Again, just a count of workstations is sufficient.
I will admit that creating a network diagram can be a bit of a pain. The good thing is, once you’ve done it, you’ll just need to tweak it when you make changes to your network topology.
Also, don’t be afraid to ask your CSA to review it before an audit; don’t wait until you get the notification that it’s audit time again before you ask. They’re not trying to get you; they do want to help you.
Oh by the way, and this is a biggie, let me borrow a quote from Gandalf in Fellowship of the Ring, “Is it secret? Is it safe?” You must protect this document from unauthorized access and modification.
This is the roadmap to your kingdom. In the hands of a threat, it can cause grave damage. Unauthorized changes can potentially have you running around looking for something that’s not there.
Keep that document protected!
Y’all take care.