Bonus Question: Has the organization defined and implemented a network security architecture with clear segmentation and trust boundaries?

Why This Matters

Network segmentation and zoning form the backbone of resilient infrastructure. Properly structured trust boundaries prevent lateral movement, contain threats, and align with zero-trust principles.

Maturity

0 — Unaware
Flat network; no segmentation or documentation.

1 — Ad Hoc
Basic VLANs or firewall rules configured informally.

2 — Defined
Documented network diagram with identified zones (internal, DMZ, external).

3 — Managed
Segmentation policy enforced; changes approved via formal workflow.

4 — Integrated
Zero-trust or micro-segmentation controls applied and continuously monitored.

5 — Optimized
Architecture reviewed quarterly against threat models with automated validation.

How to Level Up

| From → To | Actions | |—|—| | 0 → 1 |Map subnets and assets; draw baseline diagram.| | 1 → 2 |Define network zones and document traffic rules.| | 2 → 3 |Implement change management and rule review workflows.| | 3 → 4 |Apply zero-trust and network access control (NAC).| | 4 → 5 |Automate segmentation verification and drift detection.|

Enablers

People: Network Architect, Security Engineer, IT Operations
Process: Change control, diagram review, zone audits
Technology: Firewalls, NAC/SDN, segmentation analyzers

Evidence

Approved network diagram
Segmentation and firewall policy
Rule-review and validation logs

KPIs

Percentage of rules reviewed quarterly
Number of unauthorized inter-zone connections
Time to remediate segmentation issues

Low-Cost / Open-Source Options (MSME)

Common Pitfalls

Outdated diagrams after network changes
No linkage between data sensitivity and zoning
Unused or shadowed firewall rules

Compliance Mapping