Summary

The organization network must be segmented.

Description

By segmenting the network, the organizations can minimize the attack surface. Attackers have limited visibility and access. This is a greater challenge for them, for example, to make lateral movement across the network. Each network segment can have its own access controls and security policies tied to the specific needs and requirements of the systems and users within that segment. This allows a grained control over who can access what resources.

References

• CIS-9_2. Use DNS filtering services
• CIS-3_12. Segment data processing and storage based on sensitivity
• CWE-923. Improper restriction of communication channel to intended endpoints
• OWASP10-A5. Security misconfiguration
• OWASP10-A10. Server-side request forgery
• MITRE-M1030. Network segmentation
• CMMC-SC_L1-3_13_5. Public-access system separation
• HITRUST-01_m. Segregation in networks
• HITRUST-09_m. Network controls
• ISO27002-8_8. Management of technical vulnerabilities
• ISO27002-8_23. Segregation in networks
• IEC62443-RDF-5_1. Network segmentation
• NISTSSDF-PO_5_1. Implement and maintain secure environments for software development
• C2M2-9_2_b. Implement network protections for cybersecurity architecture
• PCI-1_3_1. Inbound traffic to the cardholder data environment is restricted
• PCI-1_3_2. Outbound traffic to the cardholder data environment is restricted
• SIGLITE-SL_88. Is development, test, and staging environment separate from the production environment?
• SIG-D_9_2. Asset and information management
• SIG-N_1_7. Network security
• CAPEC-700. Network Boundary Bridging
• ISO27001-8_8. Management of technical vulnerabilities
• ISO27001-8_23. Segregation in networks
• RESOLSB-Art_26_11_l. Information Security
• NIST-PR_IR-01. Networks and environments are protected from unauthorized logical access and usage