Network & On‑Prem (expanded): 24 items
Network → Zero Trust Segmentation
Question: Are HVA zones isolated with default-deny microsegmentation and east-west controls?
Applicable Requirements:
- NIST 800-53: SC-7, AC-4
- ISO 27001: A.13.1.3
Applicability: Datacenter and hybrid networks
Expected Result: Identity/workload-based policy; deny lateral; egress pinned.
Why It Matters: Reduces ransomware spread and escalation.
Technical Breakdown:
- Identity-aware proxies; SDP; combine host firewall + network ACLs.
Network → DNS Security & Egress
Question: Do you use DoT/DoH internally with egress allowlists and sinkholing?
Applicable Requirements:
- NIST 800-53: SC-20, SI-4
Applicability: Enterprise DNS and gateways
Expected Result: Approved resolvers with policy; block newly registered domains; log queries.
Why It Matters: Cuts C2 and phishing.
Technical Breakdown:
- DGA detection; block Tor/proxy categories; analyze logs.
Network → Remote Access via ZTNA
Question: Is remote admin access brokered via ZTNA with device posture and WebAuthn?
Applicable Requirements:
- NIST 800-53: AC-17
Applicability: Admins/contractors
Expected Result: No direct VPN to prod; device compliance; short-lived access; session recording.
Why It Matters: Prevents credential-only compromise.
Technical Breakdown:
- Time-bound approvals; log to SIEM; forbid split tunneling.
Network → NAC & 802.1X
Question: Is NAC with 802.1X enforced on wired/wireless and device posture checked?
Applicable Requirements:
- NIST 800-53: SC-7, SC-12, IA-5
- SOC 2: CC6.6
Applicability: Enterprise networks and edges.
Expected Result: Controls configured and evidenced; exceptions approved and time-bound.
Why It Matters: Reduces exposure and strengthens trust fabric.
Technical Breakdown:
- Baseline configs; periodic attestations; automated audits.
Network → Email Auth (SPF/DKIM/DMARC)
Question: Is DMARC p=reject with SPF/DKIM alignment enforced?
Applicable Requirements:
- NIST 800-53: SC-7, SC-12, IA-5
- SOC 2: CC6.6
Applicability: Enterprise networks and edges.
Expected Result: Controls configured and evidenced; exceptions approved and time-bound.
Why It Matters: Reduces exposure and strengthens trust fabric.
Technical Breakdown:
- Baseline configs; periodic attestations; automated audits.
Network → Proxy & TLS Inspection
Question: Is outbound web access proxied with category filtering and TLS inspection exceptions documented?
Applicable Requirements:
- NIST 800-53: SC-7, SC-12, IA-5
- SOC 2: CC6.6
Applicability: Enterprise networks and edges.
Expected Result: Controls configured and evidenced; exceptions approved and time-bound.
Why It Matters: Reduces exposure and strengthens trust fabric.
Technical Breakdown:
- Baseline configs; periodic attestations; automated audits.
Network → DLP at Egress
Question: Is outbound data monitored/controlled with DLP and alerting on sensitive tags?
Applicable Requirements:
- NIST 800-53: SC-7, SC-12, IA-5
- SOC 2: CC6.6
Applicability: Enterprise networks and edges.
Expected Result: Controls configured and evidenced; exceptions approved and time-bound.
Why It Matters: Reduces exposure and strengthens trust fabric.
Technical Breakdown:
- Baseline configs; periodic attestations; automated audits.
Network → Firewall Hygiene
Question: Are firewall rules baselined, recertified, and unused rules removed quarterly?
Applicable Requirements:
- NIST 800-53: SC-7, SC-12, IA-5
- SOC 2: CC6.6
Applicability: Enterprise networks and edges.
Expected Result: Controls configured and evidenced; exceptions approved and time-bound.
Why It Matters: Reduces exposure and strengthens trust fabric.
Technical Breakdown:
- Baseline configs; periodic attestations; automated audits.
Network → WAN/SD-WAN Segregation
Question: Is branch traffic segmented with policy-based routing and least-privilege access to DC/cloud?
Applicable Requirements:
- NIST 800-53: SC-7, SC-12, IA-5
- SOC 2: CC6.6
Applicability: Enterprise networks and edges.
Expected Result: Controls configured and evidenced; exceptions approved and time-bound.
Why It Matters: Reduces exposure and strengthens trust fabric.
Technical Breakdown:
- Baseline configs; periodic attestations; automated audits.
Network → Time Sync & PKI
Question: Are NTP and internal PKI managed securely with redundancy and monitoring?
Applicable Requirements:
- NIST 800-53: SC-7, SC-12, IA-5
- SOC 2: CC6.6
Applicability: Enterprise networks and edges.
Expected Result: Controls configured and evidenced; exceptions approved and time-bound.
Why It Matters: Reduces exposure and strengthens trust fabric.
Technical Breakdown:
- Baseline configs; periodic attestations; automated audits.
Network → Firewall OS Patching
Question: Are NGFW/IDS/IPS devices patched within vendor SLAs with staged rollouts?
Applicable Requirements:
- NIST 800-53: CM-6, SI-4
- SOC 2: CC7.2
Applicability: Network perimeter and core devices.
Expected Result: Patches within SLA; config change control; authenticated routing; secure time.
Why It Matters: Maintains control-plane security and auditability.
Technical Breakdown:
- Staged updates; golden configs; RPKI where applicable; redundant NTP.
Network → Config Backup & Diffing
Question: Are device configs versioned, backed up, and diffed with approvals?
Applicable Requirements:
- NIST 800-53: CM-6, SI-4
- SOC 2: CC7.2
Applicability: Network perimeter and core devices.
Expected Result: Patches within SLA; config change control; authenticated routing; secure time.
Why It Matters: Maintains control-plane security and auditability.
Technical Breakdown:
- Staged updates; golden configs; RPKI where applicable; redundant NTP.
Network → BGP/Routing Security
Question: Are routing adjacencies authenticated and monitored for anomalies?
Applicable Requirements:
- NIST 800-53: CM-6, SI-4
- SOC 2: CC7.2
Applicability: Network perimeter and core devices.
Expected Result: Patches within SLA; config change control; authenticated routing; secure time.
Why It Matters: Maintains control-plane security and auditability.
Technical Breakdown:
- Staged updates; golden configs; RPKI where applicable; redundant NTP.
Network → NTP/Time Integrity
Question: Are secure NTP sources and monitoring in place to prevent time skew attacks?
Applicable Requirements:
- NIST 800-53: CM-6, SI-4
- SOC 2: CC7.2
Applicability: Network perimeter and core devices.
Expected Result: Patches within SLA; config change control; authenticated routing; secure time.
Why It Matters: Maintains control-plane security and auditability.
Technical Breakdown:
- Staged updates; golden configs; RPKI where applicable; redundant NTP.
Network → Security Enhancements: Legacy VPN Phase-out
Question: Is the following control enforced: Legacy VPN Phase-out?
Applicable Requirements:
- NIST 800-53: SC-7, AC-17
- SOC 2: CC6.6
Applicability: Remote access
Expected Result: Transition to ZTNA; device posture; per-app access
Why It Matters: Reduces lateral movement and improves attribution/containment.
Technical Breakdown:
- Enforce device health; audit exceptions; automate quarantine.
Network → Security Enhancements: Internal TLS
Question: Is the following control enforced: Internal TLS?
Applicable Requirements:
- NIST 800-53: SC-7, AC-17
- SOC 2: CC6.6
Applicability: East-west traffic
Expected Result: TLS for internal apps/services; cert automation
Why It Matters: Reduces lateral movement and improves attribution/containment.
Technical Breakdown:
- Enforce device health; audit exceptions; automate quarantine.
Network → Security Enhancements: DHCP/DNS Logging
Question: Is the following control enforced: DHCP/DNS Logging?
Applicable Requirements:
- NIST 800-53: SC-7, AC-17
- SOC 2: CC6.6
Applicability: Core services
Expected Result: Correlate DHCP leases to users/devices; log DNS queries
Why It Matters: Reduces lateral movement and improves attribution/containment.
Technical Breakdown:
- Enforce device health; audit exceptions; automate quarantine.
Network → Security Enhancements: Printer/IoT Segmentation
Question: Is the following control enforced: Printer/IoT Segmentation?
Applicable Requirements:
- NIST 800-53: SC-7, AC-17
- SOC 2: CC6.6
Applicability: Unmanaged devices
Expected Result: Separate VLANs/SDN segments; egress-only where needed
Why It Matters: Reduces lateral movement and improves attribution/containment.
Technical Breakdown:
- Enforce device health; audit exceptions; automate quarantine.
Network → Security Enhancements: NAC Posture with EDR
Question: Is the following control enforced: NAC Posture with EDR?
Applicable Requirements:
- NIST 800-53: SC-7, AC-17
- SOC 2: CC6.6
Applicability: Endpoints
Expected Result: Block/quarantine non-compliant endpoints
Why It Matters: Reduces lateral movement and improves attribution/containment.
Technical Breakdown:
- Enforce device health; audit exceptions; automate quarantine.
Network → Advanced Controls: 802.11 WPA3 & MFP
Question: Is the following control enforced: 802.11 WPA3 & MFP?
Applicable Requirements:
- NIST 800-53: SC-7, SI-4
- SOC 2: CC6.6
Applicability: Wi-Fi
Expected Result: WPA3 enterprise and protected management frames
Why It Matters: Hardens Wi‑Fi, switching, and specialized networks.
Technical Breakdown:
- Enable L2 protections; rigorous OT segmentation; clarify TLS-visibility approach.
Network → Advanced Controls: Guest/Corp Wi-Fi Separation
Question: Is the following control enforced: Guest/Corp Wi-Fi Separation?
Applicable Requirements:
- NIST 800-53: SC-7, SI-4
- SOC 2: CC6.6
Applicability: Campus WLAN
Expected Result: Separate SSIDs/VLANs; captive portal; rate limits
Why It Matters: Hardens Wi‑Fi, switching, and specialized networks.
Technical Breakdown:
- Enable L2 protections; rigorous OT segmentation; clarify TLS-visibility approach.
Network → Advanced Controls: East-West TLS Visibility Strategy
Question: Is the following control enforced: East-West TLS Visibility Strategy?
Applicable Requirements:
- NIST 800-53: SC-7, SI-4
- SOC 2: CC6.6
Applicability: Monitoring
Expected Result: Metadata-based detection when TLS everywhere
Why It Matters: Hardens Wi‑Fi, switching, and specialized networks.
Technical Breakdown:
- Enable L2 protections; rigorous OT segmentation; clarify TLS-visibility approach.
Network → Advanced Controls: OT/SCADA Segmentation
Question: Is the following control enforced: OT/SCADA Segmentation?
Applicable Requirements:
- NIST 800-53: SC-7, SI-4
- SOC 2: CC6.6
Applicability: Industrial
Expected Result: Isolate OT networks; one-way diodes where needed
Why It Matters: Hardens Wi‑Fi, switching, and specialized networks.
Technical Breakdown:
- Enable L2 protections; rigorous OT segmentation; clarify TLS-visibility approach.
Network → Advanced Controls: DHCP Snooping & ARP Inspection
Question: Is the following control enforced: DHCP Snooping & ARP Inspection?
Applicable Requirements:
- NIST 800-53: SC-7, SI-4
- SOC 2: CC6.6
Applicability: Switches
Expected Result: Enable to prevent spoofing/poisoning
Why It Matters: Hardens Wi‑Fi, switching, and specialized networks.
Technical Breakdown:
- Enable L2 protections; rigorous OT segmentation; clarify TLS-visibility approach.