
Network protection — segmentation, monitoring, perimeter, and data leak prevention

Primary statement

Network protection operates as a layered architecture: (1) network segmentation isolating critical systems from general corporate IT, with zero-trust principles (no implicit trust between segments, identity-based connection authorisation, micro-segmentation for highly sensitive zones); (2) authorised data flows mapped and maintained current; (3) network monitoring for anomalous behaviour (intrusion detection / prevention); (4) Data Loss Prevention (DLP) at endpoint + email + network egress + cloud SaaS; (5) perimeter protection — firewalls + IDS/IPS + DDoS mitigation for internet-facing services; (6) secure remote access with MFA mandatory.

Audit-fatigue payoff

A single network protection architecture — segmentation diagram + zero-trust policy + data flow inventory + DLP deployment matrix + monitoring coverage — satisfies network-security requirements across all 18 contributing frameworks. The strictest specification draws segmentation depth from SEBI CSCRF PR.2 (zero-trust), DLP scope from SEBI CSCRF PR.17 / RBI CSF PR.5 (four channels), data flow mapping from NIST CSF ID.AM-03, monitoring from NIST CSF DE.CM-01. Without unification, network controls are tested as 8–10 independent capabilities; with unification, the architecture is the evidence.

Strictness matrix

Scope
ALL networks within the organisation's control — corporate IT, production, payment, customer-facing, partner-connected. Network segmentation isolates critical systems from general corporate IT with controlled connections between segments. Zero-trust principles apply WITHIN the perimeter, not just AT the perimeter — east-west traffic is authenticated and authorised, not implicitly trusted.
Ceiling source: sebi_cscrf:CSCRF.PR.2
Rationale: SEBI CSCRF PR.2 with the August 2025 zero-trust expectations specifies the broadest scope, including east-west traffic. Other frameworks address the perimeter (north-south traffic) only; the zero-trust extension is the strictest scope formulation.

Threshold
Any data flow involving sensitive or critical-system data triggers documented authorisation. Network communication and data flows shall be MAPPED (authorised flows documented; unauthorised flows blocked or alerted). The mapping is the operational threshold: if a flow is not mapped, it should not exist.
Ceiling source: nist_csf:ID.AM-03
Rationale: NIST CSF ID.AM-03 sets the strictest threshold articulation — data flows are mapped, and the mapping is the authorisation basis. This is what makes zero-trust enforceable; without flow mapping, segmentation is theoretical.

Method
(1) Network segmentation with documented zones (perimeter, DMZ, internal corporate, production, payment, partner-connected).
(2) Zero-trust between zones — identity-based connection authorisation, mutual TLS for service-to-service, micro-segmentation for high-sensitivity zones.
(3) Authorised data flow inventory maintained current.
(4) Firewalls + IDS/IPS at zone boundaries with rule reviews.
(5) DDoS mitigation for internet-facing services.
(6) DLP at endpoint + email + network egress + cloud SaaS per SEBI PR.17 / RBI PR.5.
(7) Continuous network monitoring with anomaly detection per NIST DE.CM-01.
(8) Secure remote access via VPN + MFA + endpoint posture validation.
Ceiling source: sebi_cscrf:CSCRF.PR.2
Rationale: SEBI CSCRF PR.2 (zero-trust) and PR.17 (DLP) combine into the most prescriptive method specification. The east-west zero-trust requirement closes the common "flat internal network behind a hardened perimeter" failure pattern.

Frequency
Network monitoring: continuous. Firewall rule review: quarterly minimum (with an annual deeper review). Data flow inventory refresh: continuous through change management + annual completeness review. Network architecture documentation refresh: on material change + annual review. Penetration testing of network controls: annual + after material change (per VAPT cadence).
Ceiling source: nist_csf:DE.CM-01
Rationale: Continuous network monitoring is the universal floor. Quarterly firewall rule review is the strictest operational cadence — many organisations review annually only; quarterly review catches stale rules before they accumulate.

Evidence
(1) Network architecture diagram (current) showing zones + connections + zero-trust enforcement points.
(2) Authorised data flow inventory.
(3) Firewall rule review records (quarterly).
(4) IDS/IPS deployment and tuning evidence.
(5) DDoS protection evidence for internet-facing services.
(6) DLP deployment matrix (endpoint + email + network + cloud).
(7) DLP rule inventory and incident sample.
(8) Network monitoring evidence (SIEM rules covering network events; sample alerts traced to response).
(9) Penetration testing evidence covering network controls (segmentation testing, lateral movement testing).
Ceiling source: sebi_cscrf:CSCRF.PR.2
Rationale: The SEBI CSCRF PR.2 evidence list combined with PR.17 DLP evidence and CSCRF DE.3 monitoring evidence produces the most comprehensive package. The segmentation testing requirement (verifying that east-west isolation actually works) is uniquely strict.

Auditor test pattern

Step 1: Inspect the network architecture diagram; verify it is current (within 12 months) and shows zones with documented connections.
Step 2: Sample 1 critical system; verify it is in a segmented zone with controlled connections.
Step 3: Conduct a segmentation test — attempt to reach the critical system from a general corporate network endpoint; verify the attempt is blocked or logged.
Step 4: Inspect firewall rule review records; verify quarterly cadence and verify "any-any" rules are documented as exceptions.
Step 5: Inspect the DLP deployment matrix; verify coverage at all four channels (endpoint, email, network, cloud).
Step 6: Sample 3 DLP rules; trace each to recent incidents (or absence of incidents) to verify rule effectiveness.
Step 7: Inspect the data flow inventory; verify it is current and reconciles with actual network traffic patterns.
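Steps 4 and 7 above, together with the "if a flow is not mapped, it should not exist" threshold from the strictness matrix, are mechanical enough to script. The following is an added example, not code from the synthesis or from any of the cited frameworks: it takes a constructed zone map, a constructed firewall ruleset, a constructed authorised-flow inventory and a constructed flow-log sample, and reports (a) allow rules with source any and destination any, (b) observed cross-zone flows absent from the inventory, and (c) inventory entries never observed in the sample (candidates for a staleness review). Zone CIDRs, rule names, ports and addresses are all assumptions for illustration.

```python
"""Reconcile a firewall ruleset and an authorised data-flow inventory against
observed traffic. Added example (not part of the synthesis page); every rule,
inventory entry and flow-log line below is constructed for illustration."""
import csv
import io
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed segmentation zones: CIDR -> zone name. Anything else is "external".
ZONES = {
    "10.10.0.0/16": "corporate",
    "10.20.0.0/16": "production",
    "10.30.0.0/24": "payment",
}


def zone_of(ip: str) -> str:
    """Map an address to its documented zone (constructed CIDRs above)."""
    addr = ip_address(ip)
    for cidr, name in ZONES.items():
        if addr in ip_network(cidr):
            return name
    return "external"


@dataclass(frozen=True)
class Flow:
    """A zone-to-zone flow as it appears in the authorised data flow inventory."""
    src_zone: str
    dst_zone: str
    dst_port: int
    proto: str


# Constructed authorised data flow inventory: only mapped flows may exist.
AUTHORISED_FLOWS = {
    Flow("corporate", "production", 443, "tcp"),   # web front-end
    Flow("production", "payment", 8443, "tcp"),    # payment API (mTLS)
    Flow("corporate", "production", 22, "tcp"),    # jump-host admin, documented exception
}

# Constructed firewall ruleset, evaluated top-down.
FIREWALL_RULES = [
    {"name": "allow-web", "src": "10.10.0.0/16", "dst": "10.20.0.0/16",
     "proto": "tcp", "port": "443", "action": "allow"},
    {"name": "temp-any", "src": "any", "dst": "any",
     "proto": "tcp", "port": "any", "action": "allow"},   # the "any-any-tcp" sprawl pattern
    {"name": "deny-all", "src": "any", "dst": "any",
     "proto": "any", "port": "any", "action": "deny"},
]

# Constructed flow-log sample (CSV export of observed connections).
FLOW_LOG = """src,dst,proto,dst_port,bytes
10.10.5.23,10.20.1.10,tcp,443,18234
10.10.5.23,10.30.0.15,tcp,8443,4411
10.20.1.10,10.30.0.15,tcp,8443,99120
10.10.7.9,10.20.1.11,tcp,3389,55000
"""


def permissive_allow_rules(rules):
    """Names of allow rules with src any AND dst any: each must be a documented exception."""
    return [r["name"] for r in rules
            if r["action"] == "allow" and r["src"] == "any" and r["dst"] == "any"]


def parse_flows(log_text):
    """Reduce raw flow records to zone-level flows so they compare against the inventory."""
    return [Flow(zone_of(row["src"]), zone_of(row["dst"]),
                 int(row["dst_port"]), row["proto"])
            for row in csv.DictReader(io.StringIO(log_text))]


def unmapped_cross_zone_flows(observed, authorised):
    """Observed flows that cross a zone boundary but are not in the inventory."""
    return sorted({f for f in observed if f.src_zone != f.dst_zone and f not in authorised},
                  key=lambda f: (f.src_zone, f.dst_zone, f.dst_port))


def unobserved_authorised_flows(observed, authorised):
    """Inventory entries never seen in the sample: review for staleness, do not auto-remove."""
    return sorted(authorised - set(observed),
                  key=lambda f: (f.src_zone, f.dst_zone, f.dst_port))


if __name__ == "__main__":
    flows = parse_flows(FLOW_LOG)
    print("any-any allow rules:", permissive_allow_rules(FIREWALL_RULES))
    print("unmapped cross-zone flows:", unmapped_cross_zone_flows(flows, AUTHORISED_FLOWS))
    print("authorised but unobserved:", unobserved_authorised_flows(flows, AUTHORISED_FLOWS))
```

On the constructed data the report flags the `temp-any` rule, two cross-zone flows missing from the inventory (corporate to payment on 8443, corporate to production on 3389), and one authorised flow (admin SSH) that the sample never shows. Each finding maps to an audit artefact: the first to the quarterly rule review exception list, the second to an authorisation update or a block, the third to the annual inventory completeness review.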

Common findings

Common 2024–26 findings:
(1) Network diagram outdated by 12+ months.
(2) Flat networks behind the perimeter — east-west traffic uncontrolled (the classic failure mode).
(3) Zero-trust claimed in policy but enforcement absent — the perimeter is still the primary boundary.
(4) MFA for remote admin access bypassable via legacy accounts.
(5) Firewall rule sprawl with "any-any-tcp" rules never cleaned up.
(6) DLP deployed at email but not endpoint or web — exfiltration channels open.
(7) Data flow inventory exists but is not used operationally — flows added without authorisation update.
(8) Segmentation testing never performed — the segmentation policy is theoretical.