Segmentation tested annually
Demonstrate that network segmentation boundaries are tested at least annually to verify they effectively prevent unauthorized traffic flows and lateral movement between security zones.
Description
What this control does
Network segmentation testing validates that the logical and physical boundaries between security zones actually block unauthorized lateral movement and data flows, rather than relying on the architecture documents alone. Annual testing combines penetration testing launched from inside each zone, firewall and security-group rule audits, and traffic simulation against the documented intended-flow matrix to confirm that segmentation controls are still configured as designed and enforce the intended policy. This control ensures that segmentation put in place to isolate critical assets, separate production from development, or contain a compromise does not degrade over time through configuration drift, rule accumulation, or architectural change.
Control objective
What auditing this proves
Demonstrate that network segmentation boundaries are tested at least annually to verify they effectively prevent unauthorized traffic flows and lateral movement between security zones.
Associated risks
Risks this control addresses
- Attackers exploit misconfigured firewall rules or routing errors to move laterally from compromised low-trust zones to high-value assets
- Configuration drift over time creates unintended pathways that bypass segmentation controls and allow unauthorized access
- Firewall rule bloat or shadowing, where a broad permissive rule earlier in the ruleset means a later restrictive rule can never match, creates security gaps that the documented policy does not show
- Incorrect VLAN tagging or routing misconfigurations allow traffic to leak between segments that are supposed to be isolated
- Compromised systems in one segment access sensitive data or services in protected segments due to untested segmentation failures
- Cloud security group misconfigurations permit unexpected cross-zone communication that violates security architecture design
- Changes to network architecture or application connectivity requirements inadvertently weaken previously effective segmentation controls
Testing procedure
How an auditor verifies this control
- Obtain the current network segmentation architecture documentation identifying all security zones, trust boundaries, and intended traffic flows between segments
- Request and review the most recent annual segmentation test report, penetration test results, or firewall rule audit documentation showing testing dates and scope
- Verify that testing methodology included both automated scanning and manual validation of segmentation controls across all critical boundaries
- Select a sample of 5-7 critical segmentation boundaries (e.g., DMZ-to-internal, production-to-development, cardholder data environment perimeter) and review specific test evidence for each
- Examine firewall rule sets, access control lists, and security group configurations governing sampled boundaries to confirm they align with documented security policies
- Review test results to identify any discovered segmentation bypasses, rule misconfigurations, or unintended traffic flows and verify remediation evidence
- Interview network security personnel to understand testing procedures, tools used, and how segmentation testing integrates with change management processes
- Validate that testing occurred within the past 12 months and that subsequent network changes triggered additional segmentation validation
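A minimal segmentation audit harness, written as an added example and not taken from this page or from any particular auditing tool. It encodes the documented zones and intended flows (the addresses, rule names and probe results are constructed for illustration), evaluates a first-match firewall ruleset the way the rule audit in the procedure above would, reports rules shadowed by an earlier and broader rule, and compares the ruleset's verdict against both the zone policy and the connection results recorded by a traffic-simulation probe. Any disagreement between the three is a finding to carry into the remediation evidence the auditor reviews.

```python
"""Segmentation audit harness: zone policy vs. firewall ruleset vs. observed probes.

Added example; the zones, rules and probe results below are constructed, not real."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Security zones from the segmentation architecture document (addressing assumed).
ZONES = {
    "dmz": ipaddress.ip_network("10.10.0.0/24"),
    "internal": ipaddress.ip_network("10.20.0.0/16"),
    "dev": ipaddress.ip_network("10.30.0.0/16"),
    "cde": ipaddress.ip_network("10.40.0.0/24"),
}

# Intended flows (src zone, dst zone, proto, port); anything not listed must be denied.
ALLOWED_FLOWS = {
    ("dmz", "internal", "tcp", 443),
    ("internal", "cde", "tcp", 5432),
}


@dataclass(frozen=True)
class Rule:
    name: str
    src: str              # CIDR
    dst: str              # CIDR
    proto: str            # "tcp", "udp" or "any"
    port: Optional[int]   # None means any port
    action: str           # "allow" or "deny"

    def matches(self, src_ip: str, dst_ip: str, proto: str, port: int) -> bool:
        return (ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(dst_ip) in ipaddress.ip_network(self.dst)
                and self.proto in ("any", proto)
                and self.port in (None, port))

    def covers(self, other: "Rule") -> bool:
        """True if every packet that matches `other` also matches this rule."""
        return (ipaddress.ip_network(other.src).subnet_of(ipaddress.ip_network(self.src))
                and ipaddress.ip_network(other.dst).subnet_of(ipaddress.ip_network(self.dst))
                and self.proto in ("any", other.proto)
                and self.port in (None, other.port))


def zone_of(ip: str) -> Optional[str]:
    addr = ipaddress.ip_address(ip)
    return next((name for name, net in ZONES.items() if addr in net), None)


def evaluate(rules, src_ip, dst_ip, proto, port):
    """First-match evaluation with an implicit default deny, as most firewalls behave."""
    for rule in rules:
        if rule.matches(src_ip, dst_ip, proto, port):
            return rule.action, rule.name
    return "deny", "default"


def shadowed_rules(rules):
    """Names of rules that can never match because an earlier rule covers them entirely."""
    return [rule.name for i, rule in enumerate(rules)
            if any(earlier.covers(rule) for earlier in rules[:i])]


def policy_violations(rules, probes):
    """Each probe is (src_ip, dst_ip, proto, port, observed), where `observed` is the
    outcome recorded by the test host. A finding is raised whenever the ruleset's
    verdict or the observed result disagrees with the intended zone policy."""
    findings = []
    for src_ip, dst_ip, proto, port, observed in probes:
        flow = (zone_of(src_ip), zone_of(dst_ip), proto, port)
        intended = "allow" if flow in ALLOWED_FLOWS else "deny"
        verdict, rule_name = evaluate(rules, src_ip, dst_ip, proto, port)
        if verdict != intended or observed != intended:
            findings.append({"flow": flow, "intended": intended,
                             "ruleset": f"{verdict} ({rule_name})", "observed": observed})
    return findings


# Constructed ruleset showing two common drift patterns: an over-broad legacy
# rule, and later rules that it shadows (including a deny that is never enforced).
SAMPLE_RULES = [
    Rule("dmz-to-web-tier", "10.10.0.0/24", "10.20.0.0/16", "tcp", 443, "allow"),
    Rule("legacy-any-to-cde", "10.0.0.0/8", "10.40.0.0/24", "any", None, "allow"),
    Rule("app-to-db", "10.20.0.0/16", "10.40.0.0/24", "tcp", 5432, "allow"),
    Rule("deny-dev-to-cde", "10.30.0.0/16", "10.40.0.0/24", "any", None, "deny"),
]

# Constructed probe results, as a test host in each zone would record them.
SAMPLE_PROBES = [
    ("10.10.0.5", "10.20.1.10", "tcp", 443, "allow"),    # intended flow, works
    ("10.20.1.10", "10.40.0.10", "tcp", 5432, "allow"),  # intended flow, works
    ("10.30.2.7", "10.40.0.10", "tcp", 5432, "allow"),   # dev reached the CDE
    ("10.10.0.5", "10.40.0.10", "tcp", 22, "deny"),      # blocked, but not by this ruleset
]

if __name__ == "__main__":
    print("shadowed rules:", shadowed_rules(SAMPLE_RULES))
    for finding in policy_violations(SAMPLE_RULES, SAMPLE_PROBES):
        print("FINDING", finding)
```

Run it as a script to print the findings. In a real test the probe results come from an authorized host in each sampled zone attempting the documented and undocumented flows, and the ruleset from an export of the firewall or security-group configuration governing the sampled boundary. The third probe shows a boundary that is permissive both on paper and on the wire; the fourth shows a ruleset that is more permissive than what was observed, which usually means another layer (a host firewall, routing, or a second appliance) is doing the enforcement the documented rule should be doing, and is worth recording as drift even though the traffic was blocked.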
Where this control is tested