14.1: Segment the Network Based on Sensitivity

Segment the network based on the label or classification level of the information stored on the servers; locate all sensitive information on separated Virtual Local Area Networks (VLANs).

Asset Type: Network

Security Function: Protect

Implementation Groups: 2, 3

Dependencies

  • Sub-control 13.1: Maintain an Inventory of Sensitive Information

Inputs

  1. Sensitive Information Inventory including which systems store, process, or transmit that sensitive information.

  2. Network Architecture information outlining network separation, including VLANs.

Assumption

  • A system’s overall sensitivity level shall be the highest sensitivity level of the data it stores/processes/transmits. If a system contains any sensitive information, that system should be treated accordingly, and should be properly separated from networks or network segments that don’t have a need to access that type of sensitive information.

Operations

  1. For each system that stores, processes, or transmits sensitive information identified in Input 1, use the information in Input 2 to identify every network/VLAN the system is connected to, and ensure that each of those networks/VLANs is adequately separated from less sensitive networks (note: this may require a manual review).

  2. Use these results to create a list of systems that are adequately separated from less sensitive networks (M1).

  3. Use these results to create a list of systems that are not adequately separated (M2) noting the less sensitive networks that they are connected to.

Measures

  • M1 = List of sensitive systems that are adequately separated from less sensitive networks (compliant list)

  • M2 = List of sensitive systems that are not adequately separated from less sensitive networks (non-compliant list)

  • M3 = Count of sensitive systems that are adequately separated from less sensitive networks (count of M1)

  • M4 = Total count of sensitive systems (count of Input 1)

Metrics

Coverage

Metric: The ratio of adequately separated sensitive systems to the total number of sensitive systems.

Calculation: M3 / M4
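The Operations, Measures and Coverage metric above carried through in code, as an added example that is not part of the CIS document. The sensitivity labels, VLAN ids, system names and the "confidential" floor used to decide which systems count as sensitive are all constructed assumptions; the rule applied is that a sensitive system is adequately separated only when every VLAN it is attached to is designated at or above the system's own level.

```python
# Constructed example: derive M1-M4 and the coverage metric from a sensitive-
# information inventory (Input 1) and a VLAN map (Input 2). All labels, VLAN
# ids and system names are made up for illustration.

LEVELS = ["public", "internal", "confidential", "restricted"]  # ascending
SENSITIVE_FLOOR = "confidential"  # lowest label treated as "sensitive" here

VLAN_LEVELS = {  # Input 2: level each VLAN is designated to carry
    10: "public",        # guest / DMZ
    20: "internal",      # general office
    30: "confidential",  # finance
    40: "restricted",    # payment processing
}

INVENTORY = {  # Input 1: data labels per system, plus attached VLANs
    "erp-db":     {"data": ["internal", "confidential"], "vlans": [30]},
    "card-proc":  {"data": ["restricted"],   "vlans": [40, 20]},  # also on office VLAN
    "hr-fs":      {"data": ["confidential"], "vlans": [30, 40]},
    "intranet":   {"data": ["internal"],     "vlans": [20]},      # below the floor
    "legacy-app": {"data": ["confidential"], "vlans": [99]},      # VLAN undocumented
}

def rank(label):
    return LEVELS.index(label)

def system_level(data_labels):
    # Assumption in the text: a system's level is the highest level of data it handles.
    return max(data_labels, key=rank)

def evaluate(inventory, vlan_levels, floor=SENSITIVE_FLOOR):
    """Operations 1-3: M1 (compliant), M2 (non-compliant, with the offending
    VLANs), M3 = len(M1), M4 = sensitive system count, coverage = M3 / M4."""
    m1, m2 = [], {}
    for system, info in inventory.items():
        level = system_level(info["data"])
        if rank(level) < rank(floor):
            continue  # not a sensitive system, so not part of Input 1
        # A VLAN absent from the architecture data is scored at the lowest
        # level, so undocumented attachments surface as findings rather than pass.
        offending = [v for v in info["vlans"]
                     if rank(vlan_levels.get(v, LEVELS[0])) < rank(level)]
        if offending:
            m2[system] = offending
        else:
            m1.append(system)
    m3, m4 = len(m1), len(m1) + len(m2)
    return {"M1": m1, "M2": m2, "M3": m3, "M4": m4,
            "coverage": m3 / m4 if m4 else 0.0}
```

Calling evaluate(INVENTORY, VLAN_LEVELS) on the sample data reports two compliant systems out of four, with the offending VLANs listed per non-compliant system so M2 can drive remediation.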