12.2: Establish and Maintain a Secure Network Architecture
Establish and maintain a secure network architecture. A secure network architecture must address segmentation, least privilege, and availability, at a minimum.
| Asset Type | Security Function | Implementation Groups |
|---|---|---|
| Network | Protect | 2, 3 |
Dependencies
Safeguard 12.4: Establish and Maintain Architecture Diagram(s)
Safeguard 2.1: Establish and Maintain a Software Inventory
Inputs
- GV4: Enterprise network architecture documentation
- GV5: Authorized software inventory
Operations
1. Use the network architecture GV4 to identify and enumerate the segments within the enterprise network GV36 (M1)
2. For each network segment identified in Operation 1, attempt to connect an unauthorized device
   - Identify and enumerate segments that allow you to connect unauthorized devices (M2)
   - Identify and enumerate segments that do not allow you to connect unauthorized devices (M3)
3. Use GV5 to identify authorized availability monitoring software
4. For each network segment identified in Operation 1, determine whether an authorized availability monitoring software from Operation 3 covers the segment
   - Identify and enumerate segments that are covered by availability monitoring software (M4)
   - Identify and enumerate segments that are not covered by availability monitoring software (M5)
Measures
M1 = Count of network segments within the enterprise
M2 = Count of segments not compliant with least privilege
M3 = Count of segments compliant with least privilege
M4 = Count of segments monitored for availability
M5 = Count of segments not monitored for availability
Metrics

Segmentation

| Metric | If M1 is equal to 1, this metric is measured at a 0. Subsequent metrics can still be assessed. |
|---|---|
| Calculation | |
Least Privilege

| Metric | The percentage of network segments implementing least privilege |
|---|---|
| Calculation | |
Availability

| Metric | The percentage of network segments monitored for network availability |
|---|---|
| Calculation | |
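The following script is an added illustration of how the per-segment results of Operations 2 and 4 map onto measures M1 through M5 and then onto the three metrics above; it is not part of the CIS specification. The CSV evidence, the column names, and the formulas used for the two percentage metrics (M3/M1 for Least Privilege, M4/M1 for Availability) are assumptions made here, since the page states the metric definitions but not their calculations. The Segmentation metric implements only the rule the page gives (a single segment scores 0) and reports `None` otherwise.

```python
"""Compute Safeguard 12.2 measures (M1-M5) and metrics from assessment evidence.

Added example, not CIS code. Evidence format and metric formulas are assumptions.
"""
import csv
import io
from dataclasses import dataclass

# Constructed sample evidence, one row per segment enumerated from GV36.
# unauthorized_device_connected = outcome of Operation 2 (yes = segment let an
# unauthorized device connect); availability_monitored = outcome of Operation 4
# (yes = authorized monitoring software from GV5 covers the segment).
SAMPLE_EVIDENCE = """\
segment,unauthorized_device_connected,availability_monitored
corp-users,no,yes
guest-wifi,yes,yes
ot-plant,no,no
dmz,no,yes
"""


@dataclass(frozen=True)
class SegmentResult:
    name: str
    unauthorized_device_connected: bool
    availability_monitored: bool


def _flag(value: str) -> bool:
    """Parse a yes/no style cell strictly; reject anything ambiguous."""
    v = value.strip().lower()
    if v in ("yes", "true", "1"):
        return True
    if v in ("no", "false", "0"):
        return False
    raise ValueError(f"unrecognised yes/no value: {value!r}")


def load_results(csv_text: str) -> list:
    """Read the assumed evidence CSV into SegmentResult records."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return [
        SegmentResult(
            row["segment"],
            _flag(row["unauthorized_device_connected"]),
            _flag(row["availability_monitored"]),
        )
        for row in reader
    ]


def compute_measures(results: list) -> dict:
    """Map per-segment outcomes onto M1..M5 as defined in the Measures section."""
    m1 = len(results)                                            # all segments
    m2 = sum(1 for r in results if r.unauthorized_device_connected)  # not least-privilege
    m3 = m1 - m2                                                 # least-privilege compliant
    m4 = sum(1 for r in results if r.availability_monitored)     # monitored
    m5 = m1 - m4                                                 # not monitored
    return {"M1": m1, "M2": m2, "M3": m3, "M4": m4, "M5": m5}


def compute_metrics(measures: dict) -> dict:
    """Derive the three metrics. Percentages are 0..100.

    Assumed formulas: least_privilege = M3/M1, availability = M4/M1.
    Segmentation: the page only states that M1 == 1 scores 0; any other
    value is reported as None because no calculation is given.
    M1 == 0 (no segments at all) is treated as 0 for every metric to avoid
    dividing by zero; that handling is an assumption too.
    """
    m1 = measures["M1"]
    if m1 == 0:
        return {"segmentation": 0.0, "least_privilege": 0.0, "availability": 0.0}
    segmentation = 0.0 if m1 == 1 else None
    return {
        "segmentation": segmentation,
        "least_privilege": 100.0 * measures["M3"] / m1,
        "availability": 100.0 * measures["M4"] / m1,
    }


def assess(csv_text: str) -> tuple:
    """Run the full chain: evidence -> measures -> metrics."""
    measures = compute_measures(load_results(csv_text))
    return measures, compute_metrics(measures)


if __name__ == "__main__":
    m, x = assess(SAMPLE_EVIDENCE)
    print("Measures:", m)
    print("Metrics:", x)
```

Run the file directly to see the measures and metrics for the constructed evidence; swap `SAMPLE_EVIDENCE` for the contents of your own assessment spreadsheet exported with the same three columns.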