How an Auditor Looks at Your Network Diagram

A question that comes up pretty often for our auditors is what they want to see in the agency's network diagram.  When that question comes up, the auditors generally assume that question means the agency wants to ensure the network diagram they have reflects all the appropriate details.  For the smaller agencies using only the CBI-provided OpenFox solution, the diagram can be very simple. For larger agencies, we anticipate a little more complexity when things like file servers, records management systems and computer aided dispatch are in the picture.

The CJIS Security Policy contains this standard for network diagrams: Network Diagram
The agency shall ensure that a complete topological drawing depicting the interconnectivity of the agency network, to criminal justice information, systems and services is maintained in a current status. See Appendix C for sample network diagrams.
The network topological drawing shall include the following:
  1. All communications paths, circuits, and other components used for the interconnection, beginning with the agency-owned system(s) and traversing through all interconnected systems to the agency end-point.
  2. The logical location of all components (e.g., firewalls, routers, switches, hubs, servers, encryption devices, and computer workstations). Individual workstations (clients) do not have to be shown; the number of clients is sufficient.
  3. “For Official Use Only” (FOUO) markings.
  4. The agency name and date (day, month, and year) drawing was created or updated.
 That's pretty specific, so in order to provide a little more insight, here is a picture of what else auditors look for when they look at an agency or vendor's network diagram:

For a closer look at this network diagram, which is an example from the the CJIS Security Policy, see Appendix C, Figure C-1-C.  As we review these diagrams, the auditor may have additional questions for clarification. CBI always encourages agencies to make updates to their network diagrams. Although CBI's focus is on ascertaining CJIS compliance, the diagrams can also be used for other purposes, such as validating security testing results, assessing the impact of an issue, or even just knowing what hardware is on site.  Of course these diagrams can also serve nefarious purposes, so keep them protected!

For questions on CBI's auditing, please feel free to email us at

Also, for additional reading on network diagrams and CJIS Policy, LASOs may want to read this article: written by retired Florida CJIS ISO Larry Coffee.


Popular posts from this blog

Just Dropped: CJIS Security Policy 5.6

When does the CJIS security policy apply to Criminal Justice and Non-Criminal Justice Information Systems?