Framework Category
Technology Infrastructure Resilience
Technology Infrastructure Resilience ensures that networks, systems, and environments remain secure and operational under both normal and adverse conditions.
It includes protection against unauthorized access and environmental threats, as well as maintaining sufficient capacity and resilience mechanisms to ensure continuous availability.
Implementation Questions
PR.IR-01
Networks and environments are protected from unauthorized logical access and usage
Has your organization implemented network segmentation that separates different trust boundaries and platform types, with controlled communications between segments?
Network segmentation involves dividing your network infrastructure into distinct zones based on security requirements, data sensitivity, and functional purposes. This includes separating IT networks from operational technology (OT), IoT devices, guest networks, and other specialized environments, with firewall rules or access controls that permit only necessary traffic between segments. Proper segmentation limits the potential impact of security breaches by containing them within a single segment rather than allowing lateral movement throughout the entire network.
Has your organization implemented network segmentation to isolate internal networks from external networks, with controls that restrict inbound traffic to only necessary communications?
Network segmentation creates boundaries between different parts of your network, limiting the ability of attackers to move laterally if they gain access. By restricting inbound traffic from external networks to only what is necessary for business operations, you reduce the attack surface and potential entry points for threats. This includes implementing technologies like firewalls, access control lists, and DMZs to create security zones.
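One way to check the two segmentation questions above against an actual rule set, as an added example that is not part of the original page: it audits firewall permits against an approved zone-to-zone flow matrix and confirms a closing default-deny rule. The zone names follow the environments the text lists; the approved flows, the rule format and the sample rules are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed policy: approved (source zone, destination zone) -> services.
# Illustrative assumptions only, not a recommended baseline.
ALLOWED_FLOWS = {
    ("external", "dmz"): {"tcp/443"},
    ("dmz", "it"): {"tcp/8443"},
    ("it", "ot"): {"tcp/44818"},
    ("guest", "external"): {"tcp/80", "tcp/443"},
    ("iot", "it"): {"tcp/8883"},
}

@dataclass(frozen=True)
class Rule:
    src: str
    dst: str
    service: str  # "proto/port" or "any"
    action: str   # "permit" or "deny"

def audit(rules):
    """Return (rule, reason) findings for permits that break the zone policy."""
    findings = []
    for r in rules:
        if r.action != "permit":
            continue
        if r.src == r.dst and r.src != "any":
            continue  # intra-zone traffic is out of scope for this check
        allowed = ALLOWED_FLOWS.get((r.src, r.dst))
        if r.src == "external" and r.dst != "dmz":
            findings.append((r, "inbound from external bypasses the DMZ"))
        elif allowed is None:
            findings.append((r, "no approved flow between these zones"))
        elif r.service == "any":
            findings.append((r, "permit-any where only specific services are approved"))
        elif r.service not in allowed:
            findings.append((r, "service not approved for this zone pair"))
    return findings

def has_default_deny(rules):
    """True if the final rule denies all traffic between all zones."""
    return bool(rules) and rules[-1] == Rule("any", "any", "any", "deny")

# Constructed sample rule set, as exported from a hypothetical firewall.
SAMPLE_RULES = [
    Rule("external", "dmz", "tcp/443", "permit"),
    Rule("external", "it", "tcp/3389", "permit"),
    Rule("it", "ot", "any", "permit"),
    Rule("guest", "ot", "tcp/502", "permit"),
    Rule("iot", "it", "tcp/8883", "permit"),
    Rule("any", "any", "any", "deny"),
]

if __name__ == "__main__":
    for rule, reason in audit(SAMPLE_RULES):
        print(f"{rule.src}->{rule.dst} {rule.service}: {reason}")
    print("default deny present:", has_default_deny(SAMPLE_RULES))
```

Each finding is a rule that would need a documented business justification, or removal, before answering yes to either question.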
Has your organization implemented a zero trust architecture that restricts network access to each resource based on the principle of least privilege?
Zero trust architecture operates on the principle that no user or system should be inherently trusted, requiring continuous verification before granting access to resources. This approach involves microsegmentation of networks, strong identity verification, and just-in-time, just-enough access controls to minimize the attack surface. Implementing zero trust helps prevent lateral movement by attackers if a system is compromised, as each resource has its own access controls regardless of network location.
Does your organization perform endpoint health checks before allowing devices to access production resources?
Endpoint health checks verify that devices meet minimum security requirements (such as up-to-date antivirus, patched operating systems, and enabled security controls) before they can connect to production environments. This helps prevent compromised or vulnerable devices from accessing sensitive resources and potentially spreading malware or enabling unauthorized access throughout your network.
PR.IR-02
The organization's technology assets are protected from environmental threats
Has your organization implemented physical safeguards to protect equipment from environmental threats such as flooding, fire, wind, excessive heat, and humidity?
Environmental threats can cause significant damage to critical IT infrastructure, potentially leading to data loss, service disruptions, and security breaches. Proper physical safeguards such as raised floors in server rooms, fire suppression systems, climate control, and appropriate building construction help mitigate these risks and ensure business continuity during environmental incidents.
Do you require service providers who operate systems on your behalf to implement protections against environmental threats and maintain adequate operating infrastructure?
This question assesses whether your organization enforces requirements for third-party service providers to protect systems from environmental hazards (such as fire, flooding, power outages) and maintain proper infrastructure (like cooling, backup power, physical security). These requirements are essential when outsourcing critical systems or data processing to ensure business continuity and data protection regardless of where systems are physically located.
PR.IR-03
Mechanisms are implemented to achieve resilience requirements in normal and adverse situations
Has your organization implemented redundancy measures to eliminate single points of failure across all critical systems and infrastructure?
Single points of failure represent vulnerabilities where the failure of one component can cause an entire system or service to fail. Organizations should implement redundancy through techniques such as clustering, load balancing, failover systems, and geographic distribution of resources. This includes redundant network paths, power supplies, hardware components, and data storage solutions.
Has your organization implemented load balancing solutions to enhance system capacity and reliability?
Load balancing distributes workloads across multiple computing resources to prevent any single resource from becoming overwhelmed, which improves both system performance and availability. By implementing load balancing, organizations can maintain service continuity during traffic spikes, hardware failures, or maintenance activities, reducing the risk of service disruptions that could impact security or business operations.
Has your organization implemented high-availability components such as redundant storage and power supplies to ensure system reliability?
High-availability components help minimize system downtime by providing backup mechanisms that automatically take over when primary components fail. Examples include redundant storage arrays (RAID configurations), uninterruptible power supplies (UPS), redundant network paths, and clustered servers configured for automatic failover.
PR.IR-04
Adequate resource capacity to ensure availability is maintained
Does your organization have a system in place to monitor the usage of IT resources including storage, power, compute, and network bandwidth?
Resource monitoring is essential for detecting anomalies that could indicate security incidents, such as unexpected spikes in network traffic potentially signaling data exfiltration, or unusual compute usage that might indicate cryptomining malware. Effective monitoring also helps with capacity planning, performance optimization, and can provide early warning of resource exhaustion that could lead to service disruptions or denial of service conditions.
Does your organization have a documented capacity planning process that forecasts future resource needs and scales infrastructure accordingly?
Effective capacity planning ensures that IT resources (servers, storage, network bandwidth, etc.) can meet both current and anticipated future demands without service disruptions or performance degradation. This process should include regular monitoring of resource utilization, trend analysis, and proactive scaling based on business growth projections and technology changes.

