Control 8.22 : Segregation of Networks


Summary

Groups of information services, users and information systems should be segregated on networks. This limits the blast radius of a security incident by preventing an attacker from moving easily between different parts of the organization's infrastructure.


Applicability

In-Scope: Mandatory for protecting sensitive environments (like production or HR data) from general-purpose office traffic. It is a core component of a Zero Trust architecture.

Out-of-Scope: The scope of this control can only be partially reduced in extremely small, flat networks; even there, logical segregation (e.g., a separate guest Wi-Fi) remains a requirement.


Implementation Guidance

Microsoft 365 / Entra ID

  • Virtual Segregation: Use Azure Virtual Networks (VNets) and Subnets to logically separate production workloads from development and testing environments.

  • Micro-segmentation: Implement Network Security Groups (NSGs) and Application Security Groups (ASGs) to restrict traffic between specific servers or services within a VNet.

  • Identity-Based Segregation: Utilize Entra ID Conditional Access to ensure that only authorized users on managed devices can access specific sensitive network segments or applications.
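To show why micro-segmentation with NSGs needs explicit deny rules, here is an added example (not code from the original page or from Microsoft) that simulates NSG inbound rule evaluation over a constructed VNet: rules are checked in ascending priority and the first match wins, and Azure's real platform default rules (AllowVnetInBound at priority 65000, AllowAzureLoadBalancerInBound at 65001, DenyAllInBound at 65500) permit any intra-VNet flow unless a lower-numbered custom rule blocks it. The address ranges, ASG membership and rule names are assumptions for the example, and the "VirtualNetwork" service tag is simplified to the local address space.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample data: address space and ASG membership are assumptions
# for this example, not values from any real tenant.
VNET = ipaddress.ip_network("10.0.0.0/16")
ASG_MEMBERS = {"asg-app": {"10.0.2.10"}, "asg-db": {"10.0.3.20"}}

@dataclass
class Rule:
    name: str
    priority: int      # lower number is evaluated first; first match wins
    source: str        # CIDR, ASG name, "VirtualNetwork" service tag, or "*"
    destination: str
    dest_port: str     # e.g. "1433", or "*" for any port
    action: str        # "Allow" or "Deny"

def _matches(selector, ip):
    if selector == "*":
        return True
    if selector == "VirtualNetwork":   # simplified: ignores peered VNets and gateway routes
        return ip in VNET
    if selector in ASG_MEMBERS:
        return str(ip) in ASG_MEMBERS[selector]
    return ip in ipaddress.ip_network(selector)

def evaluate(rules, src, dst, port):
    """Return (action, rule_name) for the first rule that matches, in priority order."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in sorted(rules, key=lambda r: r.priority):
        if _matches(r.source, src) and _matches(r.destination, dst) and r.dest_port in ("*", str(port)):
            return r.action, r.name
    return "Deny", "implicit"

# Azure's platform default inbound rules, with their real priorities.
DEFAULT_RULES = [
    Rule("AllowVnetInBound", 65000, "VirtualNetwork", "VirtualNetwork", "*", "Allow"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "168.63.129.16/32", "*", "*", "Allow"),
    Rule("DenyAllInBound", 65500, "*", "*", "*", "Deny"),
]

# Custom rules on the database subnet's NSG: permit only the app tier on 1433,
# then explicitly deny the rest of the VNet before the 65000 allow is reached.
DB_SUBNET_RULES = DEFAULT_RULES + [
    Rule("AllowAppToSql", 100, "asg-app", "asg-db", "1433", "Allow"),
    Rule("DenyVnetToDb", 4000, "VirtualNetwork", "asg-db", "*", "Deny"),
]

if __name__ == "__main__":
    office_ws, db = "10.0.1.50", "10.0.3.20"
    print("defaults only:", evaluate(DEFAULT_RULES, office_ws, db, 1433))    # office reaches the DB
    print("segmented   :", evaluate(DB_SUBNET_RULES, office_ws, db, 1433))  # ('Deny', 'DenyVnetToDb')
```

Running the same flows against both rule sets is the kind of evidence the audit question about a compromised office workstation reaching the database server is looking for.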


Evidence Checklist

  • Network Segmentation Diagram: A technical map showing the different network zones and the firewalls or filters that separate them.

  • Firewall/NSG Rules: Current configuration logs showing the deny-all or restricted rules between different network segments.

  • Access Logs: Evidence that users in one segment (e.g., Guest) are unable to communicate with sensitive internal resources.


Practical Audit Advice

Here are some questions the auditor might ask:

  • How is the organization's production environment physically or logically isolated from the employee Wi-Fi or guest network?

  • What is the process for approving a new rule that allows traffic to flow between two previously segregated network zones?

  • Can you demonstrate that a compromised workstation in the general office area cannot initiate a connection to the primary database server?

  • How do you manage and monitor the point of entry between the internal network and the public internet?