
Network Security Controls

1. Inventory of Authorized & Unauthorized Devices


Actively manage (inventory, track, and correct) all hardware devices on the network so that only authorized devices are given access, and
unauthorized and unmanaged devices are found and prevented from gaining access.

The hardware you will eventually list in the inventory may include:

• Desktop and laptop computers
• Smartphones and tablets (M2M) devices
• Printers, scanners, and VoIP phones
• Servers, storage, routers, and switches
• Firewalls and load balancers
• Any other devices authorized to use the network

S.NO | Name | IP | MAC | Device Type | Manufacturer | Make | Model | Serial# | OS Version | Firmware Version | Primary User | Function | Location
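
An added example (not part of the original document) of how the inventory can be used to find unauthorized devices: it reconciles a list of observed IP/MAC pairs against the authorized inventory. The sample rows, the observed list, and the function names are constructed for illustration, and only a subset of the template columns is used.

```python
import csv
import io
import re

# Constructed sample inventory using a subset of the template columns.
INVENTORY_CSV = """S.NO,Name,IP,MAC,Device Type,Primary User,Location
1,ws-finance-01,10.0.10.21,00:1A:2B:3C:4D:5E,Desktop,alice,HQ-2F
2,prn-hq-01,10.0.10.50,00-1a-2b-aa-bb-cc,Printer,shared,HQ-1F
3,sw-core-01,10.0.0.2,001A.2BFF.0001,Switch,netops,HQ-DC
"""

# Constructed discovery results (e.g. from ARP tables or DHCP leases): (IP, MAC).
OBSERVED = [
    ("10.0.10.21", "00:1a:2b:3c:4d:5e"),
    ("10.0.10.77", "00:1A:2B:AA:BB:CC"),  # authorized printer on an unexpected IP
    ("10.0.10.99", "DE:AD:BE:EF:00:01"),  # not in the inventory
]

def normalize_mac(mac):
    """Reduce colon, dash and dotted MAC notations to 12 lowercase hex digits."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"malformed MAC address: {mac!r}")
    return digits

def load_inventory(text):
    """Index inventory rows by normalized MAC."""
    return {normalize_mac(r["MAC"]): r for r in csv.DictReader(io.StringIO(text))}

def reconcile(inventory, observed):
    """Compare observed devices with the authorized inventory."""
    report = {"unauthorized": [], "ip_mismatch": [], "not_seen": []}
    seen = set()
    for ip, mac in observed:
        key = normalize_mac(mac)
        row = inventory.get(key)
        if row is None:
            report["unauthorized"].append((ip, key))
            continue
        seen.add(key)
        if row["IP"] != ip:
            report["ip_mismatch"].append((row["Name"], row["IP"], ip))
    report["not_seen"] = sorted(inventory[k]["Name"] for k in inventory.keys() - seen)
    return report

if __name__ == "__main__":
    for finding, items in reconcile(load_inventory(INVENTORY_CSV), OBSERVED).items():
        print(finding, items)
```

A MAC match only shows that the address is known; addresses can be changed, so this is a discovery check to run alongside access enforcement such as NAC.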

2. Inventory of Authorized and Unauthorized Software


Actively manage (inventory, track, and correct) all software on the network so that only authorized software is installed and can execute, and
that unauthorized and unmanaged software is found and prevented from installation or execution.

Systems are often breached by exploiting software vulnerabilities – i.e. security holes in the software. Vendors regularly release updates or
“patches” to fill these holes and improve the software.

This is why it’s important to track the software used on network devices and to control the software packages that are allowed to execute, and
also to ensure the packages you use are patched.

Similar to the network inventory described above, this security control requires a list of authorized and unauthorized software. It should cover
each type of device on the network – whether workstations, servers, smartphones, or otherwise. (NAC tools can be used for this control.)

Application whitelisting must be implemented so that only an admin-defined list of software suites is allowed to run. All other applications must be
blocked and blacklisted as PUPs (potentially unwanted programs).

3. Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers

Establish, implement, and actively manage (track, report on, correct) the security configuration of laptops, servers, and workstations using a
rigorous configuration management and change control process in order to prevent attackers from exploiting vulnerable services and settings.

The default configuration settings for operating systems on new workstations, servers, storage systems, and network devices are often designed for
ease of use, not security. While the software may be up to date, its configuration can leave the system vulnerable.

The hardware and software configurations must be secured across all devices. Set a secure baseline and establish security controls to
prevent users from changing important settings.

Create a secure system image to deploy new workstations, laptops, servers, and other systems. Store them in a secure location without internet
or network access.
