Network Infrastructure Management
Establish and maintain the secure configuration of network infrastructure devices, including firewalls, routers, and switches.
Why Is This Control Critical?
Secure network infrastructure is an essential defense against attacks, especially when data is moved across enterprise boundaries. Attackers can take advantage of vulnerabilities in network infrastructure, gain access, and then route all traffic to a system that allows them to monitor and record all network traffic. This allows the attacker to intercept credentials, redirect traffic to malicious sites, or inject malicious content. Network infrastructure changes are often made with less oversight and rigor than typical enterprise asset configurations. Organizations should ensure that the network infrastructure is securely configured and managed.
Safeguards (8)
| ID | Title | Function | IG | Checklist Items | Evidence |
|---|---|---|---|---|---|
| 12.1 | Ensure Network Infrastructure is Up-to-Date | Protect | IG1, IG2, IG3 | 5 | 3 |
| 12.2 | Establish and Maintain a Secure Network Architecture | Protect | IG2, IG3 | 6 | 3 |
| 12.3 | Securely Manage Network Infrastructure | Protect | IG2, IG3 | 5 | 3 |
| 12.4 | Establish and Maintain Architecture Diagram(s) | Identify | IG2, IG3 | 5 | 3 |
| 12.5 | Centralize Network Authentication, Authorization, and Auditing (AAA) | Protect | IG2, IG3 | 9 | 3 |
| 12.6 | Use of Secure Network Management and Communication Protocols | Protect | IG2, IG3 | 5 | 3 |
| 12.7 | Ensure Remote Devices Utilize a VPN and are Connecting to an Enterprise’s AAA Infrastructure | Protect | IG2, IG3 | 7 | 3 |
| 12.8 | Establish and Maintain Dedicated Computing Resources for All Administrative Work | Protect | IG3 | 8 | 5 |
Audit Verification Details
12.1 Ensure Network Infrastructure is Up-to-Date
Ensure network infrastructure is kept up-to-date. Example implementations include running the latest stable release of software and/or using currently supported network-as-a-service (NaaS) offerings. Review software versions monthly, or more frequently, to verify software support.
Audit Verification Checklist
| Checklist Item | Evidence |
|---|---|
| A governing policy or procedure exists, is approved by management, and was reviewed within the last 12 months. | Signed/approved policy document with review date |
| Roles and responsibilities for this safeguard are formally assigned and communicated. | RACI matrix, role assignment records, or job descriptions |
| Required protection controls are deployed and configured per the approved baseline. | Configuration exports, screenshots, or compliance scan results |
| Control effectiveness has been validated through testing. | Test results, validation reports, or scan output |
| Changes to protection controls follow the change management process. | Change tickets, approval records |
| Type | Evidence Item | Frequency |
|---|---|---|
| Technical | Configuration screenshots or exports showing protection controls enabled | Captured quarterly |
| Document | Procedure documentation for protection measures | Reviewed annually |
| Document | Governing policy document (current, approved, communicated) | Reviewed annually |
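The monthly version review for 12.1 is easiest to evidence when it is a repeatable script rather than a spreadsheet. The following is an added example (not CIS code and not part of this page's audit material) of that check: it takes a device inventory with running release strings, compares each against a per-platform minimum supported release, and reports anything below the floor or on a platform with no floor defined. The inventory, the platform names and the minimum releases are constructed for the example; real floors must come from the vendor's published support matrix.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample inventory (device name, platform, running release).
# The version strings imitate common vendor formats; none is a real device.
SAMPLE_INVENTORY = [
    {"device": "core-sw-01", "platform": "ios-xe", "version": "17.9.4a"},
    {"device": "edge-fw-01", "platform": "fortios", "version": "7.2.5"},
    {"device": "branch-rtr-07", "platform": "ios", "version": "15.2(4)M7"},
    {"device": "dist-sw-03", "platform": "ios-xe", "version": "16.12.4"},
    {"device": "dc-fw-02", "platform": "junos", "version": "21.4R3"},
]

# Constructed minimum supported release per platform. These are hypothetical
# floors for the example, not vendor end-of-support data; populate them from
# the vendor's support matrix as part of the monthly review.
MIN_SUPPORTED: Dict[str, str] = {
    "ios-xe": "17.6.0",
    "ios": "15.9(3)M",
    "fortios": "7.0.0",
}


def parse_version(version: str) -> Tuple[int, ...]:
    """Reduce a vendor release string to its numeric fields, in order.

    '17.9.4a'   -> (17, 9, 4)
    '15.2(4)M7' -> (15, 2, 4, 7)

    Letters and punctuation are dropped, so two releases compare by their
    numeric fields only. This approximates each vendor's numbering scheme
    and should be checked against it before the result is relied on.
    """
    return tuple(int(n) for n in re.findall(r"\d+", version))


def check_support(inventory: List[Dict[str, str]],
                  minimums: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (device, reason) pairs for every device that fails the check.

    A platform with no defined floor is reported rather than silently passed,
    so a gap in the baseline table cannot hide an unsupported device.
    """
    findings: List[Tuple[str, str]] = []
    for dev in inventory:
        floor = minimums.get(dev["platform"])
        if floor is None:
            findings.append((dev["device"], "no support baseline defined for platform"))
            continue
        if parse_version(dev["version"]) < parse_version(floor):
            findings.append(
                (dev["device"], f"{dev['version']} is below minimum supported {floor}")
            )
    return findings


if __name__ == "__main__":
    for device, reason in check_support(SAMPLE_INVENTORY, MIN_SUPPORTED):
        print(f"{device}: {reason}")
```

Run against the constructed inventory, the check flags branch-rtr-07 (old release), dist-sw-03 (old release) and dc-fw-02 (no baseline for its platform). One caveat for the numeric comparison: where a vendor uses release trains distinguished by letters (so that two releases with the same numeric fields are different products), key the baseline by platform and train rather than by platform alone, otherwise the comparison is not meaningful.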
12.2 Establish and Maintain a Secure Network Architecture
Establish and maintain a secure network architecture. A secure network architecture must address segmentation, least privilege, and availability, at a minimum.
Audit Verification Checklist
| Checklist Item | Evidence |
|---|---|
| A governing policy or procedure exists, is approved by management, and was reviewed within the last 12 months. | Signed/approved policy document with review date |
| Roles and responsibilities for this safeguard are formally assigned and communicated. | RACI matrix, role assignment records, or job descriptions |
| Required protection controls are deployed and configured per the approved baseline. | Configuration exports, screenshots, or compliance scan results |
| Control effectiveness has been validated through testing. | Test results, validation reports, or scan output |
| Network segmentation is implemented between defined trust zones. | Network architecture diagram, segmentation test results |
| Changes to protection controls follow the change management process. | Change tickets, approval records |
| Type | Evidence Item | Frequency |
|---|---|---|
| Technical | Configuration screenshots or exports showing protection controls enabled | Captured quarterly |
| Document | Procedure documentation for protection measures | Reviewed annually |
| Document | Governing policy document (current, approved, communicated) | Reviewed annually |
12.3 Securely Manage Network Infrastructure
Securely manage network infrastructure. Example implementations include version-controlled infrastructure-as-code and the use of secure network protocols, such as SSH and HTTPS, for device management.
Audit Verification Checklist
| Checklist Item | Evidence |
|---|---|
| A governing policy or procedure exists, is approved by management, and was reviewed within the last 12 months. | Signed/approved policy document with review date |
| Roles and responsibilities for this safeguard are formally assigned and communicated. | RACI matrix, role assignment records, or job descriptions |
| Required protection controls are deployed and configured per the approved baseline. | Configuration exports, screenshots, or compliance scan results |
| Control effectiveness has been validated through testing. | Test results, validation reports, or scan output |
| Changes to protection controls follow the change management process. | Change tickets, approval records |
| Type | Evidence Item | Frequency |
|---|---|---|
| Technical | Configuration screenshots or exports showing protection controls enabled | Captured quarterly |
| Document | Procedure documentation for protection measures | Reviewed annually |
| Document | Governing policy document (current, approved, communicated) | Reviewed annually |
12.4 Establish and Maintain Architecture Diagram(s)
Establish and maintain architecture diagram(s) and/or other network system documentation. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.
Audit Verification Checklist
| Checklist Item | Evidence |
|---|---|
| A governing policy or procedure exists, is approved by management, and was reviewed within the last 12 months. | Signed/approved policy document with review date |
| Roles and responsibilities for this safeguard are formally assigned and communicated. | RACI matrix, role assignment records, or job descriptions |
| An inventory or catalog is maintained, accurate, and complete. | Inventory export with timestamps showing recent updates |
| Inventory is reviewed and reconciled on the defined schedule. | Review meeting minutes, sign-off records, or change logs |
| New assets/items are added to the inventory within the defined onboarding window. | Sample of recently onboarded assets with inventory timestamps |
| Type | Evidence Item | Frequency |
|---|---|---|
| Document | Current inventory or catalog documentation | Maintained continuously, reviewed quarterly |
| Document | Process/procedure documentation for identification activities | Reviewed annually |
| Document | Governing policy document (current, approved, communicated) | Reviewed annually |
12.5 Centralize Network Authentication, Authorization, and Auditing (AAA)
Centralize network authentication, authorization, and auditing (AAA), so that network devices authenticate administrators against a central service rather than local accounts and all administrative sessions are accounted for centrally.
Audit Verification Checklist
| Checklist Item | Evidence |
|---|---|
| A governing policy or procedure exists, is approved by management, and was reviewed within the last 12 months. | Signed/approved policy document with review date |
| Roles and responsibilities for this safeguard are formally assigned and communicated. | RACI matrix, role assignment records, or job descriptions |
| Required protection controls are deployed and configured per the approved baseline. | Configuration exports, screenshots, or compliance scan results |
| Control effectiveness has been validated through testing. | Test results, validation reports, or scan output |
| Audit logging is enabled on all in-scope systems and forwarded to centralized SIEM. | SIEM source status dashboard, log forwarding configuration |
| Multi-factor authentication is enforced on all in-scope systems and accounts. | MFA enrollment status reports, conditional access policy config |
| Changes to protection controls follow the change management process. | Change tickets, approval records |
| Logs are retained per the defined retention period and reviewed on schedule. | Retention policy config, log review records |
| MFA exceptions are documented, approved, and compensating controls are in place. | Exception records with compensating control documentation |
| Type | Evidence Item | Frequency |
|---|---|---|
| Technical | Configuration screenshots or exports showing protection controls enabled | Captured quarterly |
| Document | Procedure documentation for protection measures | Reviewed annually |
| Document | Governing policy document (current, approved, communicated) | Reviewed annually |
12.6 Use of Secure Network Management and Communication Protocols
Use secure network management and communication protocols (e.g., 802.1X, Wi-Fi Protected Access 2 (WPA2) Enterprise or greater).
Audit Verification Checklist
| Checklist Item | Evidence |
|---|---|
| A governing policy or procedure exists, is approved by management, and was reviewed within the last 12 months. | Signed/approved policy document with review date |
| Roles and responsibilities for this safeguard are formally assigned and communicated. | RACI matrix, role assignment records, or job descriptions |
| Required protection controls are deployed and configured per the approved baseline. | Configuration exports, screenshots, or compliance scan results |
| Control effectiveness has been validated through testing. | Test results, validation reports, or scan output |
| Changes to protection controls follow the change management process. | Change tickets, approval records |
| Type | Evidence Item | Frequency |
|---|---|---|
| Technical | Configuration screenshots or exports showing protection controls enabled | Captured quarterly |
| Document | Procedure documentation for protection measures | Reviewed annually |
| Document | Governing policy document (current, approved, communicated) | Reviewed annually |
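Safeguards 12.3, 12.5 and 12.6 all come down to what the device's management plane actually accepts: whether administration is over SSH/HTTPS rather than telnet/HTTP, whether SNMP still uses v1/v2c community strings, and whether logins and accounting go to a central AAA server group instead of local accounts. The "configuration exports" evidence item for those checklists can be produced by a script rather than by reading configs by hand. The following is an added example (not CIS code and not from this page) that audits a router configuration in a Cisco IOS-like syntax for those settings, run against a weak excerpt and its corrected form. Both configuration excerpts are constructed for the example; the rule names and the command syntax are assumptions chosen for illustration and should be mapped to the real platform's commands. The checker also treats a vty block with no explicit "transport input" as a finding, on the assumption that the platform default is permissive.

```python
from typing import List

# Constructed IOS-style configuration excerpts (illustrative syntax, not taken
# from a real device). The weak one manages the device over cleartext
# protocols with local-only authentication; the hardened one corrects it.
WEAK_CONFIG = """\
hostname branch-rtr-07
no aaa new-model
ip http server
snmp-server community public RO
ip ssh version 1
line vty 0 4
 login local
 transport input telnet ssh
"""

HARDENED_CONFIG = """\
hostname branch-rtr-07
aaa new-model
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
tacacs server aaa-primary
 address ipv4 10.0.0.10
no ip http server
ip http secure-server
snmp-server group netmon v3 priv
ip ssh version 2
line vty 0 4
 login authentication default
 transport input ssh
"""


def audit_management_plane(config: str) -> List[str]:
    """Return a list of findings for insecure management-plane settings.

    Rules (names chosen for this example):
      - cleartext HTTP management enabled
      - SSH protocol version 2 not enforced
      - SNMPv1/v2c community strings present
      - AAA not enabled, or login/accounting not sent to a central server group
      - vty lines accepting telnet, or with no explicit transport restriction
    """
    findings: List[str] = []
    lines = config.splitlines()
    # Global (non-indented) commands, compared as exact strings.
    global_cmds = {line.strip() for line in lines if line and not line.startswith(" ")}

    if "ip http server" in global_cmds:
        findings.append("cleartext HTTP management enabled (ip http server)")
    if "ip ssh version 2" not in global_cmds:
        findings.append("SSH version 2 not enforced (ip ssh version 2 missing)")
    if any(cmd.startswith("snmp-server community ") for cmd in global_cmds):
        findings.append("SNMPv1/v2c community string configured")
    if "aaa new-model" not in global_cmds:
        findings.append("AAA not enabled (aaa new-model missing)")
    if not any(cmd.startswith("aaa authentication login default group ") for cmd in global_cmds):
        findings.append("login authentication not sourced from a central AAA server group")
    if not any(cmd.startswith("aaa accounting ") for cmd in global_cmds):
        findings.append("AAA accounting not configured")

    # Walk vty blocks: a block starts at 'line vty' and ends at the next
    # non-indented command. The trailing "" sentinel closes the last block.
    in_vty = False
    transport_seen = False
    for line in lines + [""]:
        if not line.startswith(" "):
            if in_vty and not transport_seen:
                findings.append("vty lines have no explicit 'transport input' restriction")
            in_vty = line.startswith("line vty")
            transport_seen = False
            continue
        if in_vty and line.strip().startswith("transport input"):
            transport_seen = True
            methods = set(line.split()[2:])
            if methods & {"telnet", "all"}:
                findings.append(f"vty lines accept cleartext telnet ({line.strip()})")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}: {len(audit_management_plane(cfg))} finding(s)")
        for finding in audit_management_plane(cfg):
            print("  -", finding)
```

Against the weak excerpt the checker reports seven findings (HTTP, SSH version, SNMP community, three AAA gaps, telnet on the vty lines); against the hardened excerpt it reports none. Exact-string matching on global commands is deliberate: a prefix match would let "no ip http server" satisfy a check for "ip http server". Run over exported configurations from version control, the output is both the 12.3/12.5/12.6 evidence and a regression test for every change that passes through change management.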
12.7 Ensure Remote Devices Utilize a VPN and are Connecting to an Enterprise’s AAA Infrastructure
Require users to authenticate to enterprise-managed VPN and authentication services prior to accessing enterprise resources on end-user devices.
Audit Verification Checklist
| Checklist Item | Evidence |
|---|---|
| A governing policy or procedure exists, is approved by management, and was reviewed within the last 12 months. | Signed/approved policy document with review date |
| Roles and responsibilities for this safeguard are formally assigned and communicated. | RACI matrix, role assignment records, or job descriptions |
| Required protection controls are deployed and configured per the approved baseline. | Configuration exports, screenshots, or compliance scan results |
| Control effectiveness has been validated through testing. | Test results, validation reports, or scan output |
| Multi-factor authentication is enforced on all in-scope systems and accounts. | MFA enrollment status reports, conditional access policy config |
| Changes to protection controls follow the change management process. | Change tickets, approval records |
| MFA exceptions are documented, approved, and compensating controls are in place. | Exception records with compensating control documentation |
| Type | Evidence Item | Frequency |
|---|---|---|
| Technical | Configuration screenshots or exports showing protection controls enabled | Captured quarterly |
| Document | Procedure documentation for protection measures | Reviewed annually |
| Document | Governing policy document (current, approved, communicated) | Reviewed annually |
12.8 Establish and Maintain Dedicated Computing Resources for All Administrative Work
Establish and maintain dedicated computing resources, either physically or logically separated, for all administrative tasks or tasks requiring administrative access. The computing resources should be segmented from the enterprise's primary network and not be allowed internet access.
Audit Verification Checklist
| Checklist Item | Evidence |
|---|---|
| A governing policy or procedure exists, is approved by management, and was reviewed within the last 12 months. | Signed/approved policy document with review date |
| Roles and responsibilities for this safeguard are formally assigned and communicated. | RACI matrix, role assignment records, or job descriptions |
| Required protection controls are deployed and configured per the approved baseline. | Configuration exports, screenshots, or compliance scan results |
| Control effectiveness has been validated through testing. | Test results, validation reports, or scan output |
| Audit logging is enabled on all in-scope systems and forwarded to centralized SIEM. | SIEM source status dashboard, log forwarding configuration |
| Network segmentation is implemented between defined trust zones. | Network architecture diagram, segmentation test results |
| Changes to protection controls follow the change management process. | Change tickets, approval records |
| Logs are retained per the defined retention period and reviewed on schedule. | Retention policy config, log review records |
| Type | Evidence Item | Frequency |
|---|---|---|
| Technical | Configuration screenshots or exports showing protection controls enabled | Captured quarterly |
| Document | Procedure documentation for protection measures | Reviewed annually |
| Technical | SIEM dashboard showing log sources and collection status | Captured monthly |
| Record | Log review records and findings | Per review cycle |
| Document | Governing policy document (current, approved, communicated) | Reviewed annually |