Network Architecture Review

Network Architecture Review Information

A Network Architecture Review is a detailed analysis of relevant network artifacts (e.g. network diagrams, security and regulatory requirements, technology inventory, exposed applications and APIs, public/private cloud utilization) to ensure that the network elements and overall solution architecture optimally protect critical assets, sensitive data stores and business-critical interconnections.

Key activities include:

Consult with members of the network, security, enterprise architecture, and applications teams and management to understand:

• the business goals as they relate to the enterprise public/private/hybrid cloud infrastructure;
• the contractual obligations, laws/regulations, and internal/third-party objectives relating to the data being stored/processed/transited (e.g., PCI/CMMC segregation requirements, CSA STAR, ISO 27001, a “zero trust” model)
• the key applications and services that need to be exposed to employees, contractors, and business partners;
• key controls integral to securing the network, applications and critical data (e.g., firewalls, multi-factor authentication, Network Access Control, Cloud Access Security Brokers, Web Application Firewalls, key management/encryption, vulnerability/asset/configuration management, logging, incident response, data loss prevention (DLP), vendor risk management); and,
• results for previous risk assessments, gap assessment, penetration tests, and/or security incidents.

Assess the current/planned architecture and security controls against relevant frameworks (e.g., ISO 27002, CIS Critical Security Controls, OWASP ASVS).

• Perform technical testing as required to validate the design, operation and effectiveness of the architecture (e.g.,, segmentation testing, data exfiltration, penetration testing, firewall configuration/rule-base review)
• Formally report results and relevant findings, and generate a gap remediation plan.   Where possible, the report will also include: root cause analysis, peer-group benchmarking, good practice benchmarking, executive summaries, and technical summaries.
• Analysis against relevant standards, laws/regulations, and prevailing good practice; and,
• Formal reporting on the process, gap analysis, relevant findings, and mitigation roadmap. Where possible the report will also include: root cause analysis, peer-group benchmarking, good practice benchmarking, executive summaries, and technical summaries.

The predominant benefits realized by a Network Architecture Review are:

• Minimizes the risk (and potential of a security incident) by verifying the design and operation of the key architectural and operations controls intended to secure key systems, applications, and data;
• Provides independent/objective assurance to key stakeholders including regulators, clients, and third-party auditors (e.g., ISO 27001, SOC2, SEC); and,
• Ensures compliance with key regulations and contractual obligations.