Secure Controls Framework
Download The SCF

Network Security (NET)

Domain Principle

Architect and implement defense-in-depth network protections that segment, restrict and monitor access to Technology Assets, Applications, Services and Data (TAASD).

Domain Intent

Organizations architect and operate security, compliance and resilience controls that protect the Confidentiality, Integrity, Availability and Safety (CIAS) of network infrastructure through segmentation, traffic control, secure connectivity and situational awareness of network activity.

Domain Guide

Networks remain the primary path through which attackers move between systems after initial access. The NET domain governs the architecture and operation of defense-in-depth network protections: segmentation that limits lateral movement, traffic controls that restrict access to authorized paths, secure connectivity for remote access and monitoring that maintains situational awareness of network activity.

 

The SCF's intent for NET is least access. This helps enforce the concept of Confidentiality, Integrity, Availability and Safety (CIAS). The addition of Safety to the traditional CIA triad reflects operational technology environments where network compromise can have physical safety consequences, consistent with the EMB domain's scope. NET protections that fail in an OT environment aren't just a data breach; they may be an industrial incident.

 

Segmentation deserves emphasis because it is frequently cited and frequently under-implemented. Flat networks where any compromised endpoint can reach any other system are still common even in organizations that believe they have network security controls. NET requires architectural decisions that actually limit reachability, not just network security tools installed on a flat environment.