SC-7 / AC-4 / CIS-12.2 / A.13.1.3 NIST SP 800-53 Rev 5

Is your network segmented so a compromise can be contained (admin tier, server tier, user tier, OT/IoT)?

Description

What this control does

Network segmentation divides the enterprise network into isolated trust zones—typically administrative workstations, servers, user endpoints, and operational technology/IoT devices—using VLANs, firewalls, access control lists, or software-defined networking. Each tier has distinct security policies, traffic flows are controlled at boundaries, and lateral movement between zones requires explicit authorization. This architectural control limits the blast radius of credential theft, malware propagation, and insider threats by preventing attackers who breach one segment from freely pivoting to high-value assets in another.

Control objective

What auditing this proves

Demonstrate that the organization enforces logical or physical network boundaries between administrative, server, user, and OT/IoT tiers to restrict lateral movement and contain security breaches.

Associated risks

Risks this control addresses

  • Attackers with initial access to user workstations can directly reach domain controllers or critical servers without detection or hindrance
  • Ransomware spreads rapidly across all network hosts because flat topology allows broadcast or SMB propagation without segmentation controls
  • Compromised IoT or OT devices provide pivoting platforms into corporate data environments due to lack of zone isolation
  • Privileged administrative credentials are stolen from user-tier endpoints because administrators access both tiers from the same network segment
  • Insider threats with standard user access can directly scan and exfiltrate data from backend databases or file servers
  • A vulnerability in OT control systems gives an attacker access to the IT environment and business operations because the network segments are bridged
  • Lateral movement post-compromise cannot be detected because all traffic flows within a single flat network without choke points for monitoring

Testing procedure

How an auditor verifies this control

  1. Obtain and review current network architecture diagrams, VLAN configuration files, firewall rule sets, and subnet assignment documentation to identify defined segmentation boundaries.
  2. Interview network engineering and security teams to confirm operational definitions of admin, server, user, and OT/IoT tiers and understand enforcement mechanisms.
  3. Identify a representative sample of assets from each tier using asset inventory or configuration management database (CMDB) and record their IP addresses, VLANs, and subnets.
  4. Review firewall rules, ACLs, or network access control (NAC) policies governing traffic between tiers to confirm deny-by-default posture and explicit allow rules.
  5. Perform network connectivity tests from sampled endpoints in each tier, attempting to reach hosts in other tiers using common protocols (SMB, RDP, SSH, HTTP) to validate enforcement.
  6. Examine logs from inter-segment firewalls or network intrusion detection systems (NIDS) for evidence of blocked cross-tier traffic attempts and alerting on violations.
  7. Verify that administrative access to servers and infrastructure devices originates exclusively from the dedicated admin tier, reviewing jump host or bastion host configurations and access logs.
  8. Confirm OT/IoT network isolation by testing that OT devices cannot initiate connections to corporate user or server segments without passing through monitored gateways or data diodes.
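
As an added example (not part of the control text or the cited frameworks), the checker below automates the evidence review behind steps 4 to 7: it maps firewall-log flows to tiers, compares permitted cross-tier flows against a deny-by-default traffic-flow matrix, flags anything the matrix does not authorize (administrative protocols reaching servers from the user tier, OT devices reaching IT tiers), and collects denied cross-tier attempts as enforcement evidence. The subnets, ports, matrix entries and log lines are constructed assumptions, not values from any real environment.

```python
import ipaddress
from collections import namedtuple

# Constructed tier subnets (illustration only); use the subnets recorded in step 3.
TIERS = {
    "admin":  ipaddress.ip_network("10.0.10.0/24"),
    "server": ipaddress.ip_network("10.0.20.0/24"),
    "user":   ipaddress.ip_network("10.0.30.0/24"),
    "ot":     ipaddress.ip_network("10.0.40.0/24"),
}
# Inter-tier flow matrix: the only cross-tier flows that may be permitted; everything else is deny-by-default (step 4).
ALLOWED = {
    ("admin", "server", 22), ("admin", "server", 3389),   # admin tier to servers via SSH/RDP only
    ("user", "server", 443),                               # users reach web services only
    ("ot", "server", 8443),                                # OT telemetry to a monitored gateway
}
Flow = namedtuple("Flow", "action src dst port")

def parse_log(lines):
    """Parse constructed lines '<ts> <ALLOW|DENY> <src> <dst> <dport>' into Flow records."""
    return [Flow(a, s, d, int(p)) for _, a, s, d, p in (l.split() for l in lines)]

def tier_of(ip):
    addr = ipaddress.ip_address(ip)
    return next((name for name, net in TIERS.items() if addr in net), None)

def audit(flows):
    """Return (violations, enforced): permitted flows missing from the matrix, and denied cross-tier attempts."""
    violations, enforced = [], []
    for f in flows:
        s, d = tier_of(f.src), tier_of(f.dst)
        if s is None or d is None:
            violations.append((f, "address outside any defined tier"))
        elif s == d:
            continue                       # intra-tier traffic is out of scope for this check
        elif f.action == "ALLOW" and (s, d, f.port) not in ALLOWED:
            violations.append((f, f"{s}->{d}:{f.port} permitted but not in flow matrix"))
        elif f.action == "DENY":
            enforced.append(f)             # evidence of enforcement for step 6
    return violations, enforced

SAMPLE_LOG = [  # constructed sample lines, not output from a real device
    "2024-05-01T10:00:01Z ALLOW 10.0.10.5 10.0.20.7 22",     # admin -> server SSH: authorized
    "2024-05-01T10:00:02Z ALLOW 10.0.30.15 10.0.20.7 3389",  # user -> server RDP: violation (step 7)
    "2024-05-01T10:00:03Z DENY 10.0.30.15 10.0.20.7 445",    # user -> server SMB: blocked, as expected
    "2024-05-01T10:00:04Z ALLOW 10.0.40.9 10.0.30.15 80",    # OT -> user tier: violation (step 8)
    "2024-05-01T10:00:05Z DENY 10.0.40.9 10.0.20.7 22",      # OT -> server SSH: blocked, as expected
]
```

Running `audit(parse_log(SAMPLE_LOG))` on the constructed log yields two violations and two denied cross-tier attempts; in practice the ALLOWED matrix is populated from the approved traffic-flow matrix the evidence list calls for.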

Evidence required

Network topology diagrams annotated with trust boundaries, VLAN configuration exports from core switches, firewall rule tables showing inter-segment policies, access control lists from routers, screenshots or packet captures demonstrating blocked cross-tier connections, jump host or privileged access workstation (PAW) authentication logs, and SIEM alerts or NIDS logs showing enforcement of segmentation rules. Architectural documentation describing the segmentation rationale and the traffic flow matrices between tiers is also required.

Pass criteria

All tested endpoints respect defined tier boundaries with inter-segment traffic explicitly restricted by enforceable network controls, administrative access originates only from dedicated admin tier assets, and OT/IoT devices cannot directly communicate with user or server tiers without traversing monitored security controls.