12.2: Establish and Maintain a Secure Network Architecture
Establish and maintain a secure network architecture. A secure network architecture must address segmentation, least privilege, and availability, at a minimum.
Asset Type |
Security Function |
Implementation Groups |
|---|---|---|
Network |
Protect |
2, 3 |
Dependencies
Safeguard 12.4: Establish and Maintain Architecture Diagram(s)
Safeguard 2.1: Establish and Maintain a Software Inventory
Inputs
GV4: Enterprise network architecture documentationGV5: Authorized software inventory
Operations
Use the network architecture
GV4to identify and enumerate the segments within the enterprise networkGV36(M1)- For each network segment identified in Operation 1, attempt to connect an unauthorized device
Identify and enumerate segments that allow you to connect unauthorized devices (M2)
Identify and enumerate segments that do not allow you to connect unauthorized devices (M3)
Use
GV5to identify authorized availability monitoring software- For eah network segment identified in Operation 1, determine whether an authorized availability monitoring software from Operation 3 covers the segment
Identify and enumerate segments that are covered by availability monitoring software (M4)
Identify and enumerate segments that are not covered by availability monitoring software (M5)
Measures
M1 = Count of network segments within the enterprise
M2 = Count of segments not compliant with least privilege
M3 = Count of segments compliant with least privilege
M4 = Count of segments monitored for availability
M5 = Count of segments not monitored for availability
Metrics
Segmentation
Metric |
If M1 is equal to 1, this metric is measured at a 0. Subsequent
metrics can still be assessed.
|
Calculation |
|
Least Privilege
Metric |
The percentage of network segements implementing least privilege
|
Calculation |
|
Availability
Metric |
The percentage of network segments monitored for network availability
|
Calculation |
|