Has your organization implemented network segmentation to isolate internal networks from external networks, with controls that restrict inbound traffic to only necessary communications?
Explanation
Network segmentation creates boundaries between different parts of your network, limiting the ability of attackers to move laterally if they gain access. By restricting inbound traffic from external networks to only what is necessary for business operations, you reduce the attack surface and potential entry points for threats. This includes implementing technologies like firewalls, access control lists, and DMZs to create security zones.
Evidence of compliance could include network architecture diagrams showing segmentation, firewall rule documentation that demonstrates restricted external access, or results from a network segmentation test that validates the effectiveness of the controls.
Implementation Example
Logically segment organization networks from external networks, and permit only necessary communications to enter the organization's networks from the external networks.
ID: PR.IR-01.261
Context
- Function
  - PR: PROTECT
- Category
  - PR.IR: Technology Infrastructure Resilience
- Sub-Category
  - Networks and environments are protected from unauthorized logical access and usage
Related questions
- Has your organization implemented network segmentation that separates different trust boundaries and platform types, with controlled communications between segments?
- Has your organization implemented a zero trust architecture that restricts network access to each resource based on the principle of least privilege?
- Does your organization perform endpoint health checks before allowing devices to access production resources?
- Has your organization implemented physical safeguards to protect equipment from environmental threats such as flooding, fire, wind, excessive heat, and humidity?
- Do you require service providers who operate systems on your behalf to implement protections against environmental threats and maintain adequate operating infrastructure?
- Has your organization implemented redundancy measures to eliminate single points of failure across all critical systems and infrastructure?

