CYBERINFO

Control 8.20: Network Security


Summary

Networks and network devices should be secured, managed and controlled to protect information in systems and applications. This addresses the physical and logical architecture of the network to prevent unauthorized access and data interception.


Applicability

In-Scope: Mandatory for all organizations. It covers the protection of the pipes through which data flows, including firewalls, Wi-Fi, and virtual network segments.

Out-of-Scope: Never out-of-scope.


Implementation Guidance

Microsoft 365 / Entra ID

  • Network Isolation: Use Azure Virtual Networks (VNet) and Network Security Groups (NSG) to segment sensitive workloads from public-facing services.

  • Secure Wi-Fi: Enforce WPA3-Enterprise for all corporate Wi-Fi, with certificate-based (802.1X) authentication tied to Entra ID and deployed via Intune.

  • Zero Trust: Implement Entra ID Conditional Access to ensure that network access is only granted to healthy, managed devices after successful MFA.


Evidence Checklist

  • Network Architecture Diagram: A high-level map showing the segmentation, firewalls, and secure entry points of the network.

  • Configuration Baselines: Evidence of hardening for network hardware (e.g., disabled unused ports, encrypted management traffic).

  • Firewall Logs: Audit records showing blocked traffic attempts and successful VPN connections.
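A check an assessor can run over exported NSG rules to support the "Network Isolation" guidance and the "Configuration Baselines" evidence above. This is an added example, not code from this page or from Microsoft; the rule records are constructed and assume the flattened field names of `az network nsg rule list` output.

```python
# Flag management ports whose effective inbound NSG rule from the Internet is Allow.
# Constructed sample shaped like flattened `az network nsg rule list` output (assumed).
SAMPLE_RULES = [
    {"name": "AllowSSHFromBastion", "priority": 100, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": "10.0.1.0/24", "destinationPortRange": "22"},
    {"name": "AllowRDPAny", "priority": 200, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": "*", "destinationPortRange": "3389"},
    {"name": "AllowAllTemp", "priority": 250, "direction": "Inbound", "access": "Allow",
     "protocol": "*", "sourceAddressPrefix": "*", "destinationPortRange": "*"},
    {"name": "DenyInternetMgmt", "priority": 300, "direction": "Inbound", "access": "Deny",
     "protocol": "*", "sourceAddressPrefix": "Internet", "destinationPortRanges": ["22", "5985-5986"]},
    {"name": "AllowWeb", "priority": 400, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": "Internet", "destinationPortRanges": ["80", "443"]},
    {"name": "DenyAllInBound", "priority": 65500, "direction": "Inbound", "access": "Deny",
     "protocol": "*", "sourceAddressPrefix": "*", "destinationPortRange": "*"},
]

MGMT_PORTS = {22: "ssh", 3389: "rdp", 5985: "winrm", 5986: "winrm-tls"}
PUBLIC_SOURCES = {"*", "internet", "0.0.0.0/0"}


def _covers_port(rule, port):
    """True if the rule's destination port range(s) include `port`."""
    ranges = rule.get("destinationPortRanges") or [rule.get("destinationPortRange", "*")]
    for r in ranges:
        if r == "*":
            return True
        lo, _, hi = r.partition("-")  # "22" -> (22, 22); "5985-5986" -> (5985, 5986)
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


def _matches_internet_tcp(rule):
    """True if the rule applies to TCP traffic from an arbitrary Internet source."""
    srcs = rule.get("sourceAddressPrefixes") or [rule.get("sourceAddressPrefix", "*")]
    return (rule.get("protocol", "*").lower() in ("*", "tcp")
            and any(s.lower() in PUBLIC_SOURCES for s in srcs))


def exposed_mgmt_ports(rules):
    """Return {port: rule_name} for management ports reachable from the Internet.
    Azure evaluates rules by ascending priority number and stops at the first
    match, so a broad Allow placed before a specific Deny wins; a port with no
    matching rule counts as denied (the platform default)."""
    inbound = sorted((r for r in rules if r.get("direction") == "Inbound"),
                     key=lambda r: r["priority"])
    findings = {}
    for port in MGMT_PORTS:
        for rule in inbound:
            if _matches_internet_tcp(rule) and _covers_port(rule, port):
                if rule["access"] == "Allow":
                    findings[port] = rule["name"]
                break  # first match decides, whether Allow or Deny
    return findings


if __name__ == "__main__":
    for port, name in sorted(exposed_mgmt_ports(SAMPLE_RULES).items()):
        print(f"FINDING: {MGMT_PORTS[port]}/{port} open to the Internet via rule {name}")
```

In the constructed sample the "temporary" catch-all at priority 250 shadows the Deny at 300, so SSH and WinRM are reported as exposed even though a blocking rule exists; removing that one rule leaves only the RDP finding.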


Practical Audit Advice

Here are some questions the auditor might ask:

  • How is the organization's guest Wi-Fi physically or logically separated from the internal corporate network?

  • What technical controls are in place to prevent IP spoofing or other common network-level attacks?

  • How are administrative interfaces for your network hardware protected from unauthorized access?

  • Can you demonstrate how you monitor for unauthorized devices (e.g., rogue access points) being physically connected to your network?