PR.IR-01.260
Has your organization implemented network segmentation that separates different trust boundaries and platform types, with controlled communications between segments?
Explanation
Network segmentation involves dividing your network infrastructure into distinct zones based on security requirements, data sensitivity, and functional purposes. This includes separating IT networks from operational technology (OT), IoT devices, guest networks, and other specialized environments, with firewall rules or access controls that permit only necessary traffic between segments. Proper segmentation limits the potential impact of security breaches by containing them within a single segment rather than allowing lateral movement throughout the entire network. Evidence of compliance could include network architecture diagrams showing segmentation boundaries, firewall rule documentation that defines permitted cross-segment communications, and configuration screenshots of network devices implementing the segmentation controls.
Implementation Example
Logically segment organization networks and cloud-based platforms according to trust boundaries and platform types (e.g., IT, IoT, OT, mobile, guests), and permit required communications only between segments
ID: PR.IR-01.260
Context
- Function
- PR: PROTECT
- Category
- PR.IR: Technology Infrastructure Resilience
- Sub-Category
- Networks and environments are protected from unauthorized logical access and usage
