Establish, implement, and actively manage (track, report on, correct) the security configuration of network infrastructure devices using a rigorous configuration management and change control process in order to prevent attackers from exploiting vulnerable services and settings.
[csf.tools Note: For more information on the Critical Security Controls, visit the Center for Internet Security.]
Maintain documented security configuration standards for all authorized network devices.
All configuration rules that allow traffic to flow through network devices should be documented in a configuration management system with a specific business reason for each rule, a specific individual's name responsible for that business need, and an expected duration of the need.
Compare all network device configuration against approved security configurations defined for each network device in use, and alert when any deviations are discovered.
Install the latest stable version of any security-related updates on all network devices.
Manage all network devices using multi-factor authentication and encrypted sessions.
Ensure network engineers use a dedicated machine for all administrative tasks or tasks requiring elevated access. This machine shall be segmented from the organization's primary network and not be allowed Internet access. This machine shall not be used for reading email, composing documents, or surfing the Internet.
Manage the network infrastructure across network connections that are separated from the business use of that network, relying on separate VLANs or, preferably, on entirely different physical connectivity for management sessions for network devices.