A comprehensive checklist for securing networks, infrastructure, and connectivity across an organisation.
[ ] Network diagram documented and kept up to date
[ ] Segmentation between user, server, and sensitive zones
[ ] Critical systems isolated (PCI, HR, finance, production)
[ ] Guest Wi‑Fi separated from internal network
[ ] VLANs used to limit lateral movement
[ ] Zero Trust principles applied (verify every connection)
[ ] Cloud networks (VPC/VNet) segmented with subnets and firewalls
[ ] Firewalls configured with deny‑all, allow‑by‑exception rules
[ ] Unused ports and services blocked
[ ] Firewall rules reviewed quarterly
[ ] Intrusion Detection/Prevention (IDS/IPS) enabled
[ ] Geo‑blocking applied where appropriate
[ ] Web Application Firewall (WAF) used for public‑facing apps
[ ] DDoS protection enabled (cloud or on‑prem)
[ ] VPN or Zero Trust Network Access (ZTNA) required for remote users
[ ] MFA enforced for all remote connections
[ ] Split tunnelling disabled unless justified
[ ] Remote admin access restricted and monitored
[ ] SSH/RDP access locked down to specific IPs or jump hosts
[ ] Remote access logs monitored for anomalies
[ ] All devices enrolled in MDM/Endpoint Manager
[ ] Full‑disk encryption enabled
[ ] Local admin rights removed for standard users
[ ] EDR/XDR deployed on all endpoints
[ ] Automatic patching enabled
[ ] USB and removable media restricted
[ ] Device compliance required before network access
[ ] WPA3 or WPA2‑Enterprise used
[ ] Default SSIDs and passwords changed
[ ] Hidden or non‑broadcast SSIDs avoided (hiding an SSID is security through obscurity, not a control)
[ ] MAC filtering not relied on as a security control
[ ] Wireless intrusion detection enabled
[ ] Guest Wi‑Fi isolated and bandwidth‑limited
[ ] Centralised logging (SIEM/SOC) enabled
[ ] Alerts configured for:
    - Suspicious traffic
    - Port scanning
    - Lateral movement
    - Failed authentication
    - New devices joining network
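The alert conditions above, turned into working detection logic and run over constructed log lines. This is an added example, not part of the original checklist: the log format (timestamp, source tag, then key=value fields), the thresholds (ten distinct ports in 60 seconds, five failures in five minutes) and the device inventory are all assumptions; a SIEM would apply the same logic to its own firewall, authentication and DHCP event schema.

```python
"""Alert logic over constructed log lines for three checklist items:
port scanning, failed-authentication bursts, and new devices joining.

Added example, not part of the original checklist. Log format, thresholds
and the MAC inventory are assumptions of this example.
"""
from collections import Counter, defaultdict
from datetime import datetime


def parse_line(line):
    """'2024-05-01T09:00:00Z fw src=... dport=...' -> dict with a UTC datetime."""
    ts, kind, *fields = line.split()
    event = {"ts": datetime.fromisoformat(ts.replace("Z", "+00:00")), "kind": kind}
    for field in fields:
        key, _, value = field.partition("=")
        event[key] = value
    return event


def _distinct_in_window(pairs, window_s, threshold):
    """True if some window of window_s seconds holds >= threshold distinct values.

    pairs is a list of (datetime, value); two-pointer sliding window.
    """
    pairs.sort()
    counts = Counter()
    start = 0
    for ts, value in pairs:
        counts[value] += 1
        while (ts - pairs[start][0]).total_seconds() > window_s:
            old = pairs[start][1]
            counts[old] -= 1
            if counts[old] == 0:
                del counts[old]
            start += 1
        if len(counts) >= threshold:
            return True
    return False


def detect(lines, known_macs, scan_ports=10, scan_window_s=60,
           fail_count=5, fail_window_s=300):
    """Return (alert_type, subject) pairs for the given log lines."""
    alerts = []
    ports_by_src = defaultdict(list)   # src -> [(ts, dport)]
    fails_by_src = defaultdict(list)   # src -> [(ts, unique id)]
    for i, line in enumerate(lines):
        e = parse_line(line)
        if e["kind"] == "fw":
            ports_by_src[e["src"]].append((e["ts"], e["dport"]))
        elif e["kind"] == "auth" and e["result"] == "fail":
            fails_by_src[e["src"]].append((e["ts"], i))  # i keeps each attempt distinct
        elif e["kind"] == "dhcp" and e["mac"].lower() not in known_macs:
            alerts.append(("new-device", e["mac"]))
    # Port scan: one source touching many distinct destination ports quickly.
    for src, pairs in ports_by_src.items():
        if _distinct_in_window(pairs, scan_window_s, scan_ports):
            alerts.append(("port-scan", src))
    # Failed authentication: many failures from one source in a short window.
    for src, pairs in fails_by_src.items():
        if _distinct_in_window(pairs, fail_window_s, fail_count):
            alerts.append(("auth-failure-burst", src))
    return alerts


# Constructed sample: a sweep of ten ports in nine seconds, normal web traffic,
# five failed logins in 40 seconds, one ordinary typo, and two DHCP leases.
_SCAN_PORTS = [21, 22, 23, 25, 80, 110, 143, 443, 445, 3389]
CONSTRUCTED_LOGS = [
    f"2024-05-01T09:00:{i:02d}Z fw src=203.0.113.7 dst=10.0.1.5 dport={p} action=drop"
    for i, p in enumerate(_SCAN_PORTS)
] + [
    "2024-05-01T09:00:05Z fw src=10.0.2.8 dst=10.0.1.5 dport=443 action=allow",
    "2024-05-01T09:00:06Z fw src=10.0.2.8 dst=10.0.1.5 dport=80 action=allow",
] + [
    f"2024-05-01T09:01:{s:02d}Z auth src=198.51.100.4 user=admin result=fail"
    for s in (0, 10, 20, 30, 40)
] + [
    "2024-05-01T09:02:00Z auth src=10.0.2.8 user=jsmith result=fail",
    "2024-05-01T09:02:01Z auth src=10.0.2.8 user=jsmith result=ok",
    "2024-05-01T09:03:00Z dhcp mac=00:11:22:33:44:55 ip=10.0.2.8",
    "2024-05-01T09:03:05Z dhcp mac=de:ad:be:ef:00:01 ip=10.0.2.77",
]
KNOWN_MACS = {"00:11:22:33:44:55"}  # constructed asset inventory

if __name__ == "__main__":
    for alert in detect(CONSTRUCTED_LOGS, KNOWN_MACS):
        print(*alert)
```

The windowed-distinct-count helper is the same primitive for both traffic alerts: for port scans the distinct values are destination ports, for authentication bursts each attempt is given its own id so the distinct count is simply the attempt count. Tune the thresholds to the environment before enabling the alert, otherwise a vulnerability scanner or a misconfigured service account will page the on-call every night.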
[ ] NetFlow or equivalent traffic analysis enabled
[ ] DNS logging and filtering enabled
[ ] Logs protected from tampering
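One concrete way to make stored logs tamper-evident, as an added example that is not part of the original checklist: a SHA-256 hash chain where each entry's digest covers the previous digest and its own record. The records are constructed and the genesis value is an assumption of this example.

```python
"""Tamper-evident log storage with a SHA-256 hash chain.

Added example, not part of the original checklist. Each stored entry carries a
digest over the previous entry's digest plus its own record, so editing,
deleting or reordering any entry breaks every later link. Records are
constructed; the genesis value is an assumption of this example.
"""
import hashlib
import json

GENESIS = "0" * 64  # digest "before" the first record


def _digest(prev_hash, record):
    # Canonical JSON so the same record always hashes the same way.
    payload = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(prev_hash.encode() + b"\n" + payload).hexdigest()


def append(chain, record):
    """Append record to chain (a list) and return the new head digest."""
    prev_hash = chain[-1]["hash"] if chain else GENESIS
    chain.append({"record": record, "hash": _digest(prev_hash, record)})
    return chain[-1]["hash"]


def verify(chain, expected_head=None):
    """Return the index of the first broken link, or None if the chain is intact.

    If expected_head (a digest stored outside the log system) is given and the
    chain's head differs from it, the result is len(chain): every link can be
    valid and the log still be truncated, which only an external anchor detects.
    """
    prev_hash = GENESIS
    for i, entry in enumerate(chain):
        if entry["hash"] != _digest(prev_hash, entry["record"]):
            return i
        prev_hash = entry["hash"]
    if expected_head is not None and prev_hash != expected_head:
        return len(chain)
    return None


CONSTRUCTED_RECORDS = [
    {"ts": "2024-05-01T09:00:00Z", "src": "203.0.113.7", "event": "port-scan"},
    {"ts": "2024-05-01T09:01:40Z", "src": "198.51.100.4", "event": "auth-failure-burst"},
    {"ts": "2024-05-01T09:03:05Z", "mac": "de:ad:be:ef:00:01", "event": "new-device"},
]


def build_chain(records=CONSTRUCTED_RECORDS):
    chain = []
    for record in records:
        append(chain, record)
    return chain


def tampered_copy(chain, index, new_src):
    """Deep-copy chain and silently change one record (simulated tampering)."""
    copy = json.loads(json.dumps(chain))
    copy[index]["record"]["src"] = new_src
    return copy


if __name__ == "__main__":
    chain = build_chain()
    print("intact:", verify(chain))
    print("edited entry 1:", verify(tampered_copy(chain, 1, "10.0.0.1")))
    print("last entry dropped:", verify(chain[:-1], expected_head=chain[-1]["hash"]))
```

The chain alone only proves internal consistency: whoever can rewrite the log file can also recompute every digest. It becomes a control when the head digest is regularly copied somewhere the log writer cannot modify (WORM storage, a separate SIEM, a signed timestamp) or when each digest is replaced by an HMAC under a key held only by the collector; the `expected_head` parameter models the first of those.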
[ ] Regular vulnerability scans performed
[ ] Critical patches applied within 24–72 hours
[ ] Network devices (firewalls, switches, routers) patched regularly
[ ] Unsupported hardware/software removed
[ ] Penetration testing conducted annually
[ ] Cloud security posture monitored (CSPM)
[ ] Cloud firewalls (NSGs, Security Groups) configured with least privilege
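A small rule-review script covering the deny-all/allow-by-exception and quarterly review items, the requirement that SSH/RDP be locked down to specific IPs or jump hosts, and least privilege for cloud security groups. This is an added example, not the checklist's own tooling: the rule format is a constructed vendor-neutral shape (a real review would export rules from the firewall or cloud API and map them into it), and the trusted jump-host subnet and sample rules are constructed.

```python
"""Least-privilege review of a firewall or cloud security-group ruleset.

Added example, not part of the original checklist. The rule format is a
constructed, vendor-neutral shape; the sample ruleset and the trusted
jump-host subnet are constructed too.
"""
import ipaddress

# Ports whose exposure is checked against the "SSH/RDP locked down to
# specific IPs or jump hosts" item (standard port numbers).
ADMIN_PORTS = {22: "SSH", 3389: "RDP", 5985: "WinRM", 5986: "WinRM-HTTPS"}
ALL_PORTS = (0, 65535)


def _network(cidr):
    return ipaddress.ip_network(cidr, strict=False)


def _admin_ports_in(port_range):
    lo, hi = port_range
    return [name for port, name in sorted(ADMIN_PORTS.items()) if lo <= port <= hi]


def review_rules(ruleset, trusted_admin_cidrs):
    """Return (rule_name, finding) pairs; an empty list means no findings."""
    trusted = [_network(c) for c in trusted_admin_cidrs]
    findings = []

    # Deny-all, allow-by-exception: the default policy must be deny.
    if ruleset.get("default", "allow") != "deny":
        findings.append(("*default*", "default-allow"))

    for rule in ruleset["rules"]:
        if rule["action"] != "allow":
            continue  # explicit denies never widen access
        src = _network(rule["src"])
        any_source = src.prefixlen == 0

        # A source allowed to every port is the opposite of least privilege.
        if tuple(rule["ports"]) == ALL_PORTS:
            findings.append((rule["name"], "any-port-allow"))

        admin = _admin_ports_in(rule["ports"])
        if not admin:
            continue
        if any_source:
            findings.append((rule["name"], "admin-port-exposed:" + ",".join(admin)))
        elif not any(src.subnet_of(t) for t in trusted if t.version == src.version):
            findings.append((rule["name"], "admin-port-untrusted-source:" + ",".join(admin)))
    return findings


# Constructed ruleset. "ports" is an inclusive (low, high) range.
SAMPLE_RULESET = {
    "default": "allow",
    "rules": [
        {"name": "web-in", "action": "allow", "src": "0.0.0.0/0", "ports": (443, 443)},
        {"name": "ssh-world", "action": "allow", "src": "0.0.0.0/0", "ports": (22, 22)},
        {"name": "rdp-jump", "action": "allow", "src": "10.10.5.0/24", "ports": (3389, 3389)},
        {"name": "legacy-any", "action": "allow", "src": "192.168.0.0/16", "ports": (0, 65535)},
        {"name": "ssh-branch", "action": "allow", "src": "203.0.113.0/24", "ports": (22, 22)},
        {"name": "block-telnet", "action": "deny", "src": "0.0.0.0/0", "ports": (23, 23)},
    ],
}
TRUSTED_ADMIN_CIDRS = ["10.10.5.0/24"]  # constructed jump-host subnet

if __name__ == "__main__":
    for name, finding in review_rules(SAMPLE_RULESET, TRUSTED_ADMIN_CIDRS):
        print(f"{name}: {finding}")
```

Run against an export on a schedule and keep the output in the quarterly review record: a rule that is still flagged at the next review either gains a documented exception or gets removed. The same checks apply unchanged to cloud security groups and NSGs, where the "default" key corresponds to the implicit deny of the group and an `any-port-allow` finding usually means a rule was created with the wrong port range during an incident and never tightened.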
[ ] No public IPs unless required
[ ] Private endpoints used for internal services
[ ] VPC/VNet peering configured securely
[ ] Cloud DDoS protection enabled
[ ] Cloud WAF enabled for web apps
[ ] Identity‑based access enforced (IAM, Conditional Access)
[ ] TLS 1.2+ enforced for all connections
[ ] Certificates managed and renewed automatically
[ ] Sensitive data encrypted end‑to‑end
[ ] Secure protocols used (HTTPS, SFTP, SSH)
[ ] Legacy protocols disabled (FTP, Telnet, SMBv1)
[ ] NAC solution deployed (802.1X or equivalent)
[ ] Only authorised devices allowed on network
[ ] Device posture checks enforced (patching, AV, encryption)
[ ] IoT devices isolated on separate VLANs
[ ] Rogue device detection enabled
[ ] Vendor network access restricted and monitored
[ ] Third‑party connections reviewed regularly
[ ] Contracts include network‑security requirements
[ ] External integrations use secure APIs
[ ] VPN access for vendors time‑limited
[ ] Network incident response plan documented
[ ] Playbooks for:
    - Ransomware
    - DDoS
    - Network intrusion
    - Data exfiltration
[ ] Backups tested regularly
[ ] Network isolation procedures defined
[ ] Lessons learned reviewed after incidents