Establish and Maintain a Secure Configuration Process for Network Infrastructure
Description
Establish and maintain a secure configuration process for network devices. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.
Implementation Checklist
Tool Recommendations
Automated CIS Benchmark assessment tool for configuration compliance scanning across OS, applications, and cloud
Center for Internet Security · CIS SecureSuite membership
Cloud-based configuration assessment and compliance platform with CIS Benchmark support and continuous monitoring
Qualys · Per-asset subscription
Security configuration management and file integrity monitoring platform with policy compliance and drift detection
Fortra (Tripwire) · Per-node subscription
Unified endpoint management platform for device enrollment, software deployment, configuration, and compliance across Windows, macOS, iOS, and Android
Microsoft · Per-user/per-device subscription
Threats & Vulnerabilities (CIS RAM)
Threat Scenarios
Network Device Compromise via Default Credentials
Confidentiality: Attackers gain administrative access to routers, switches, and firewalls using well-known default credentials or SNMP community strings that were never changed from vendor defaults.
Router/Switch Misconfiguration Enabling Traffic Interception
Confidentiality: Network devices configured without security hardening allow traffic mirroring, unauthorized VLAN access, or routing manipulation enabling man-in-the-middle attacks.
Vulnerabilities (When Safeguard Absent)
Unhardened Network Infrastructure Devices
Without a secure configuration process for network devices, routers, switches, and firewalls run with default settings that expose management interfaces and unnecessary services.
No Compliance Verification Against Network Hardening Standards
Without documented configuration processes referencing standards like CIS Benchmarks or DISA STIGs, there is no way to verify network devices meet security requirements.
Evidence Requirements
| Type | Evidence Item | Collection Frequency |
|---|---|---|
| Technical | Configuration screenshots or exports showing protection controls enabled | Captured quarterly |
| Document | Procedure documentation for protection measures | Reviewed annually |
| Technical | Configuration compliance scan results against approved baseline | Scanned monthly |
| Document | Approved baseline configuration documentation | Reviewed quarterly |
| Document | Governing policy document (current, approved, communicated) | Reviewed annually |