Bonus Question: Are firewalls, routers, and switches configured with secure baselines and periodic rule reviews?
Why This Matters
Infrastructure devices must be hardened and reviewed regularly to prevent misconfigurations that attackers exploit. Secure baselines maintain consistency across environments.
Maturity
- Level 0: Default configurations used; no reviews performed.
- Level 1: Manual configuration; no documented baseline.
- Level 2: Baseline configuration established and approved.
- Level 3: Periodic rule reviews and change logs maintained.
- Level 4: Automated compliance checks and configuration backups.
- Level 5: Continuous validation and real-time deviation alerts.
How to Level Up

| From → To | Actions |
|---|---|
| 0 → 1 | Harden all network devices; disable unused services. |
| 1 → 2 | Document approved baseline templates. |
| 2 → 3 | Perform quarterly rule and ACL reviews. |
| 3 → 4 | Automate compliance checks and backups. |
| 4 → 5 | Integrate alerts for unauthorized configuration changes. |

Enablers
- People: Network Security Engineer, Change Manager
- Process: Baseline maintenance, audit, backup validation
- Technology: Firewall analyzer, config management tools
Evidence
- Approved baseline documents
- Configuration change logs
- Audit reports and backup records
KPIs
- Percentage of devices reviewed quarterly
- Average time to remediate misconfigurations
- Number of unauthorized rule changes
Low-Cost / Open-Source Options (MSME)

| Purpose | Tool | Notes |
|---|---|---|
| Baseline backup | RANCID / Oxidized | Auto-archive configs |
| Rule review | Nipper / FireFlow | Validate ACLs |
| Compliance check | Lynis | Baseline hardening scans |

Common Pitfalls
- Untracked manual changes
- Backups not validated or tested
- Baselines drift over time
Compliance Mapping

| Standard | Clauses / Notes |
|---|---|
| ISO/IEC 27001 | A.8.8 / A.8.23 |
| CERT-In 2022 | Section 17 |
| NIST CSF 2.0 | PR.PT / DE.CM |
| NIRMATA Mapping | IS-Q14B enhances infrastructure hygiene via controlled and auditable configuration baselines. |