Network protections incorporate the principles of least privilege and least functionality
Context and Guidance: Network segments should be designed to separate activities that present a greater risk to the organisation. For example, the administration of network infrastructure should be done on a separate management network that is restricted to only specific administrative accounts and uses stronger authentication techniques like multifactor authentication. Similarly, the organisation may restrict management of OT devices to specific workstations on the same logical network.
Related Practices • Progression: This practice is part of a practice progression. Practice progressions are groups of related practices that represent increasingly complete or more advanced implementations of an activity. The practices in this progression include: ARCHITECTURE-2a, ARCHITECTURE-2c, ARCHITECTURE-2e, ARCHITECTURE-2f, ARCHITECTURE-2g, ARCHITECTURE-2k.