Unused rules removed quarterly
Demonstrate that the organization systematically identifies and removes unused or obsolete security rules every quarter, maintaining a clean and auditable rule base.
Description
What this control does
This control requires organizations to review and remove unused firewall rules, access control list entries, or security policy rules on a quarterly basis. Over time, rules accumulate as systems are deployed, modified, or decommissioned, creating bloat that obscures active security logic and introduces risk. Regular pruning ensures that only necessary, documented, and intentional rules remain active in production environments. The quarterly cadence balances operational effort with the rate at which rule sprawl typically occurs.
Control objective
What auditing this proves
Demonstrate that the organization systematically identifies and removes unused or obsolete security rules every quarter, maintaining a clean and auditable rule base.
Associated risks
Risks this control addresses
- Unused rules containing overly permissive access paths remain exploitable by attackers who discover them through scanning or misconfiguration
- Rule sprawl obscures security policy intent, making it difficult for analysts to understand actual traffic flows and identify malicious activity
- Conflicting or shadowed rules create unintended access paths or block legitimate traffic, causing security gaps or operational disruptions
- Accumulation of obsolete rules increases firewall processing overhead, degrading performance and increasing latency for legitimate traffic
- Unused rules referencing decommissioned systems or IP addresses create confusion during incident response and forensic investigations
- Failure to remove rules tied to former employees, contractors, or deprecated applications violates least-privilege principles and expands attack surface
- Large, unmaintained rule sets make compliance audits more difficult and increase the likelihood of failing to identify unauthorized access paths
Testing procedure
How an auditor verifies this control
- Obtain the documented quarterly rule review schedule and confirm the expected review dates for the current and prior audit periods.
- Request and review the rule review reports or change tickets for the last four quarters, verifying that reviews occurred within the required timeframe.
- Select a representative sample of network security devices (firewalls, routers, next-generation firewalls) and obtain their current rule base exports.
- For each sampled device, examine the review documentation to identify which rules were flagged as unused and on what evidence (traffic logs, hit counters, or flow analysis).
- Verify that rules identified as unused in prior quarterly reviews have been removed or have documented business justification for retention.
- Examine the methodology used to identify unused rules, confirming it includes log analysis, hit count monitoring, or automated rule usage tracking over a continuous period of at least 30 days; hit counters reset by a reboot or policy push part-way through the window understate usage and must not be treated as a full 30 days of evidence.
- Interview security operations personnel to confirm the approval process for rule removal and verify that removals are tested in non-production environments before production changes.
- Cross-reference removed rules against change management records to ensure proper ticketing, approval, and rollback procedures are documented.
Where this control is tested