11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches

Maintain documented security configuration standards for all authorized network devices.

All configuration rules that allow traffic to flow through network devices should be documented in a configuration management system with a specific business reason for each rule, a specific individual's name responsible for that business need, and an expected duration of the need.

Compare all network device configuration against approved security configurations defined for each network device in use, and alert when any deviations are discovered.

Install the latest stable version of any security-related updates on all network devices.

Manage all network devices using multi-factor authentication and encrypted sessions.

Ensure network engineers use a dedicated machine for all administrative tasks or tasks requiring elevated access. This machine shall be segmented from the organization's primary network and not be allowed Internet access. This machine shall not be used for reading email, composing documents, or surfing the Internet.

Manage the network infrastructure across network connections that are separated from the business use of that network, relying on separate VLANs or, preferably, on entirely different physical connectivity for management sessions for network devices.