
INFRA-19 – Network Segmentation


What is this control really about?

This control ensures that your organization has divided its network into multiple segments to better control the flow of traffic. Segmentation can improve monitoring and performance and enhance security.

Segmentation can help prevent unauthorized users from accessing sensitive data.

Segmentation is widely used in Zero Trust designs, where virtual firewalls are implemented to automate security provisioning.

There is no requirement on the type of segmentation.

Available tools in the marketplace

The following listing is “crowdsourced” from our customer base or from external research. TrustCloud does not personally recommend any of the tools below, because we haven’t personally used them. 

  • VMware NSX
  • Cisco Secure Workload

Available templates

TrustCloud has a curated list of templates internally or externally sourced to help you get started. Click on the link for a downloadable version:

What is required to implement this control?

There is no requirement on the type of segmentation. You just need to demonstrate and prove there is a segmentation in place to pass this control.

To implement this control, you can install a tool or segment the network manually, following these best practices:

  • Follow least privilege
  • Limit third-party access
  • Audit and monitor your network
  • Make legitimate paths to access easier than illegitimate paths
  • Combine similar network resources
  • Don’t oversegment
  • Visualize your network
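
One way to check a segmentation rule set against the first two practices above and the DMZ pattern, as an added example that is not TrustCloud's code. The segment names, ports and rule format are constructed assumptions, as is the policy that untrusted traffic may only enter the DMZ.

```python
# Constructed example: segment names, ports and the rule format are assumptions.
UNTRUSTED = {"internet"}      # segments outside your control
DMZ = {"dmz"}                 # only segments untrusted traffic may enter
THIRD_PARTY = {"vendor"}      # partner / supplier access
SENSITIVE = {"db"}            # segments holding sensitive data

# Each rule allows traffic from src segment to dst segment on the given ports.
RULES = [
    {"src": "internet", "dst": "dmz", "ports": [443]},
    {"src": "dmz",      "dst": "app", "ports": [8443]},
    {"src": "app",      "dst": "db",  "ports": [5432]},
    {"src": "vendor",   "dst": "db",  "ports": [5432]},
    {"src": "internet", "dst": "app", "ports": "any"},
    {"src": "*",        "dst": "db",  "ports": [22]},
]


def in_group(segment, group):
    """A wildcard segment matches every group."""
    return segment == "*" or segment in group


def audit(rules):
    """Return (rule_index, finding) pairs for rules that break the practices."""
    findings = []
    for i, rule in enumerate(rules):
        src, dst, ports = rule["src"], rule["dst"], rule["ports"]
        if "*" in (src, dst) or ports == "any":
            findings.append((i, "least privilege: wildcard segment or all ports"))
        if in_group(src, THIRD_PARTY) and in_group(dst, SENSITIVE):
            findings.append((i, "third party can reach a sensitive segment"))
        if in_group(src, UNTRUSTED) and dst not in DMZ:
            findings.append((i, "untrusted traffic bypasses the DMZ"))
    return findings


if __name__ == "__main__":
    for index, finding in audit(RULES):
        print(f"rule {index} {RULES[index]}: {finding}")
```

The first three rules pass; the last three are the kind of entries to fix before capturing configuration settings as audit evidence.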

What evidence is the auditor looking for?

  • Configuration settings of your network segmentation

An example of what an artifact can look like

1- Configuration settings of your network segmentation (diagram and configuration settings)

Screenshot of DMZ

[Image: INFRA 19 1, network diagram]

This configuration screenshot is not related to the diagram above. It is a visual representation of the type of screenshot to get for a configuration setting.

[Image: INFRA 19 2, configuration settings screenshot]
