AuditRubric
id-am-3 | Priority: high | Identify / Asset Management

Authorized network communication and data flow representations are maintained

Knowing what devices and software you own is not enough if you do not know how they talk to each other. Network diagrams and data flow maps let you spot unauthorized connections, scope firewall rules accurately, and explain your environment to auditors or incident responders. Without them, detecting lateral movement or a data exfiltration path becomes guesswork.

Estimated effort: 6h
Tags: network, data-flows, topology, inventory
Complete first: id-am-1, id-am-2

Implementation steps

  1.

    Draw a logical network diagram

    Capture all network segments (internal LAN, DMZ, cloud VPCs, remote access), how they connect, and the major systems that sit in each. Tools like Lucidchart or draw.io work well. For larger environments, use automated discovery tools that generate topology maps from live traffic or routing tables.

    Tools: Lucidchart, draw.io, NetBrain, Auvik, nmap
  2.

    Document internal and external data flows

    For each application or service, record: what data it sends and receives, the protocol and port used, the source and destination (internal system, cloud service, or third party), and whether the data is encrypted in transit. Prioritize flows that carry sensitive or regulated data. Flow logs and NetFlow records give you addresses, ports, and volumes but no payload, so confirm encryption in transit from the service configuration or a protocol-aware capture (for example Zeek's ssl.log) rather than inferring it from the port number.

    Tools: Zeek, Wireshark, AWS VPC Flow Logs, NetFlow
  3.

    Review and update diagrams on a defined schedule

    Assign an owner and set a quarterly review cadence. Trigger an out-of-cycle update whenever a new system is deployed, a network segment is added or removed, or a major architecture change is made. Store diagrams in a version-controlled location so changes are traceable.

    Tools: Confluence, SharePoint
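To make step 2 concrete, the following added example (not part of this rubric or of any vendor tool) turns default-format AWS VPC Flow Log records into a first-pass data-flow inventory keyed by network zone, protocol, and service port, and flags flows that cross a zone boundary or use a port normally associated with a cleartext protocol. The zone CIDRs, account and interface IDs, and the log lines are constructed for the example; the "server owns the lower port" orientation rule is a heuristic, noted in the code.

```python
"""Added example: derive a first-pass data-flow inventory from AWS VPC Flow
Logs (default version-2 record format). The zone map and the log lines are
constructed for this example; they are not real infrastructure."""
import ipaddress
from collections import defaultdict

# Hypothetical zone map: which CIDR block belongs to which network segment.
# Anything outside these blocks is treated as external (Internet/third party).
ZONES = {
    "app": ipaddress.ip_network("10.0.1.0/24"),
    "db": ipaddress.ip_network("10.0.2.0/24"),
    "dmz": ipaddress.ip_network("10.0.100.0/24"),
}

# Service ports whose protocol normally runs unencrypted. Flow logs carry no
# payload, so this is only a prompt to verify encryption from configuration.
CLEARTEXT_PORTS = {21, 23, 25, 80, 110, 143, 389, 3306, 5432, 6379}

PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}

# Field order of a default (version 2) VPC Flow Log record.
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()

# Constructed sample: app->db MySQL (both directions), dmz->app HTTPS,
# app->Internet HTTPS, a rejected probe from the Internet, a NODATA record.
SAMPLE_LOG = """\
2 123456789012 eni-0a1b2c3d 10.0.1.15 10.0.2.20 51234 3306 6 20 3400 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.2.20 10.0.1.15 3306 51234 6 18 9100 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.100.5 10.0.1.15 40001 443 6 40 22000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.15 203.0.113.9 52001 443 6 10 1200 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.2.20 44444 3306 6 3 180 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d - - - - - - - 1700000000 1700000060 - NODATA
"""


def zone_of(addr):
    """Map an IP address to a zone name from ZONES, or 'external'."""
    ip = ipaddress.ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "external"


def parse_record(line):
    """Return a dict for a well-formed v2 record that carries flow data, else None."""
    parts = line.split()
    if len(parts) != len(FIELDS) or parts[0] != "2":
        return None
    rec = dict(zip(FIELDS, parts))
    if rec["log_status"] != "OK":
        return None  # NODATA / SKIPDATA records carry no flow information
    for key in ("srcport", "dstport", "protocol", "packets", "bytes"):
        rec[key] = int(rec[key])
    return rec


def orient(rec):
    """Return (client, server, service_port). Heuristic: the server owns the
    lower-numbered port, so the reply half of a connection folds into the
    request flow instead of appearing as a separate ephemeral-port flow."""
    if rec["srcport"] < rec["dstport"]:
        return rec["dstaddr"], rec["srcaddr"], rec["srcport"]
    return rec["srcaddr"], rec["dstaddr"], rec["dstport"]


def build_inventory(lines):
    """Aggregate ACCEPTed records into per-(zone, zone, proto, port) flows."""
    agg = defaultdict(lambda: {"bytes": 0, "records": 0, "peers": set()})
    for line in lines:
        rec = parse_record(line)
        if rec is None or rec["action"] != "ACCEPT":
            continue
        client, server, port = orient(rec)
        proto = PROTO_NAMES.get(rec["protocol"], str(rec["protocol"]))
        entry = agg[(zone_of(client), zone_of(server), proto, port)]
        entry["bytes"] += rec["bytes"]
        entry["records"] += 1
        entry["peers"].add((client, server))
    rows = []
    for (src_zone, dst_zone, proto, port), e in sorted(agg.items()):
        rows.append({
            "src_zone": src_zone, "dst_zone": dst_zone,
            "proto": proto, "dst_port": port,
            "bytes": e["bytes"], "records": e["records"],
            "peers": len(e["peers"]),
            "crosses_boundary": src_zone != dst_zone,
            "likely_cleartext": port in CLEARTEXT_PORTS,
        })
    return rows


if __name__ == "__main__":
    for row in build_inventory(SAMPLE_LOG.splitlines()):
        flags = []
        if row["crosses_boundary"]:
            flags.append("crosses-boundary")
        if row["likely_cleartext"]:
            flags.append("verify-encryption")
        print(f'{row["src_zone"]:>8} -> {row["dst_zone"]:<8} '
              f'{row["proto"]}/{row["dst_port"]:<5} {row["bytes"]:>7} B  '
              f'{row["records"]} recs  {row["peers"]} peer(s)  ' + " ".join(flags))
```

Feed it the real export and then annotate each row with the owning application, the data classification, and the business purpose from the id-am-1 and id-am-2 inventories; that annotated table is the "spreadsheet mapping services to their inbound and outbound connections" listed under evidence. Rejected records are skipped here on purpose; review them separately, since a steady stream of REJECTs toward a segment is itself a finding.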

Evidence required

Network topology diagram

A current diagram showing all network segments, their interconnections, and the major systems in each zone.

  • Lucidchart or Visio export showing LAN, DMZ, and cloud segments
  • Auvik or NetBrain auto-generated topology map
  • AWS VPC diagram exported from the console

Data flow documentation

Records showing the source, destination, protocol, and sensitivity of key data flows, especially those crossing trust boundaries.

  • Data flow diagram (DFD) for a primary application
  • Spreadsheet mapping services to their inbound and outbound connections
  • VPC Flow Logs or firewall rule export annotated with business purpose

Evidence of recent review

Proof that the diagrams were reviewed and validated within the last quarter.

  • Dated change log entry or version history on the diagram file
  • Ticket or meeting notes from a quarterly architecture review
  • Pull request updating the network diagram after an infrastructure change

Related controls