Assets that are important to the delivery of the function are logically or physically segmented into distinct security zones based on asset cybersecurity requirements
Context and Guidance: This practice expands on ARCHITECTURE-2b to include assets important to delivery of the function. The practice goes on to note that the segmentation should be based on defined cybersecurity requirements. Criteria for creation of different security zones may be based on several factors. These are some examples of factors: • specific safety, reliability, and security requirements • importance of the asset to the function • the tasks performed by the asset • whether the asset is managed by a third party • who has access to the asset • whether remote access to the asset is enabled • the degree of trust associated with the asset • applying cybersecurity controls to groups of assets • limiting the impacts of potential cyber intrusions Additionally, these criteria should be clearly documented in the cybersecurity architecture or in a similar document. This helps those not privy to the original decision-making process understand why each criterion is needed. For example, OT assets that have unique characteristics (e.g., those that depend on insecure legacy software or have high availability requirements) may require a specific cybersecurity architecture design to achieve the operational goals of the organisation. Additionally, organisations should consider standards and guidelines when planning for segmentation.
Related Practices • Input From: Implementing ASSET-1a and ASSET-2a provides input that may be useful for implementing this practice. • Progression: This practice is part of a practice progression. Practice progressions are groups of related practices that represent increasingly complete or more advanced implementations of an activity. The practices in this progression include: ARCHITECTURE-2b, ARCHITECTURE-2d, ARCHITECTURE-2h, ARCHITECTURE-2i, ARCHITECTURE-2j, ARCHITECTURE-2l.