# Network Security Audit Checklist

**VantagePoint Networks** | Based on CIS Controls v8 and NIST CSF

---

## Document Control

| Field | Value |
|---|---|
| Audit Date | `<YYYY-MM-DD>` |
| Site | `<SITE_NAME>` |
| Auditor | `<AUDITOR_NAME>` |
| IT Contact | `<IT_CONTACT>` |
| Scope | `<SCOPE_DESCRIPTION>` |
| Previous Audit Date | `<YYYY-MM-DD>` |

### Rating Scale
- [ ] Not Started
- [/] In Progress
- [P] Pass - Meets requirement
- [F] Fail - Does not meet requirement
- [N/A] Not applicable
- [*] Exception approved (cite approval reference)

### Finding Severity
- **Critical**: Immediate threat, remediate within 24-48 hours
- **High**: Significant risk, remediate within 30 days
- **Medium**: Moderate risk, remediate within 90 days
- **Low**: Best practice deviation, track for future

---

## 1. Physical Security

| # | Item | Status | Notes |
|---|---|---|---|
| 1.1 | Server / network rooms have controlled access (badge, biometric, or dual-factor) | [ ] | |
| 1.2 | Access logs reviewed monthly for anomalies | [ ] | |
| 1.3 | Visitor log maintained for all data centre / MDF access | [ ] | |
| 1.4 | CCTV covers all entries and equipment racks with 90-day retention | [ ] | |
| 1.5 | Rack cabinets are lockable and locked when unattended | [ ] | |
| 1.6 | Environmental controls: temperature, humidity, leak detection active | [ ] | |
| 1.7 | UPS in place with quarterly-tested battery | [ ] | |
| 1.8 | Generator (if present) tested monthly with load | [ ] | |
| 1.9 | Fire suppression appropriate for IT (clean agent, not water) | [ ] | |
| 1.10 | Cable runs labelled at both ends and in patch panels | [ ] | |
| 1.11 | Decommissioned equipment securely wiped or destroyed with certificate | [ ] | |
| 1.12 | Physical asset inventory current within last 90 days | [ ] | |

## 2. Network Perimeter

| # | Item | Status | Notes |
|---|---|---|---|
| 2.1 | Firewall rules reviewed every 6 months (documented review) | [ ] | |
| 2.2 | No "any/any/permit" rules except explicit approved exceptions | [ ] | |
| 2.3 | All rules have descriptive names and comments | [ ] | |
| 2.4 | Deny-all cleanup rule at end of every policy with logging | [ ] | |
| 2.5 | Outbound egress filtering: only required ports allowed | [ ] | |
| 2.6 | DMZ architecture: separate firewall interfaces or zones | [ ] | |
| 2.7 | DMZ hosts cannot initiate connections to trust zone (except defined DB paths) | [ ] | |
| 2.8 | IDS/IPS deployed with current signatures (< 7 days old) | [ ] | |
| 2.9 | DDoS protection: rate limiting, upstream provider contract, or cloud service | [ ] | |
| 2.10 | Anti-spoofing filters at edge (uRPF or bogon filters) | [ ] | |
| 2.11 | IKEv2 used for IPsec (no IKEv1) with strong crypto (AES-256, SHA-256+) | [ ] | |
| 2.12 | SSL VPN uses TLS 1.2 minimum, TLS 1.3 where supported | [ ] | |
| 2.13 | VPN client certificates or MFA enforced (no password-only) | [ ] | |
| 2.14 | DNS sinkhole / threat feeds applied to DMZ egress | [ ] | |
| 2.15 | Geo-blocking for countries where business has no operations | [ ] | |
| 2.16 | Web filtering categories blocking known malicious/phishing sites | [ ] | |
| 2.17 | External vulnerability scan run in last 30 days | [ ] | |

## 3. Internal Network

| # | Item | Status | Notes |
|---|---|---|---|
| 3.1 | VLANs used to segment traffic by function (users, voice, servers, guest, IoT, mgmt) | [ ] | |
| 3.2 | Inter-VLAN traffic filtered (router ACLs or firewall) | [ ] | |
| 3.3 | Native VLAN on trunks changed from default (VLAN 1) to unused VLAN | [ ] | |
| 3.4 | Unused ports administratively shut and placed in quarantine VLAN | [ ] | |
| 3.5 | Access ports configured as `switchport mode access` (not dynamic/auto) | [ ] | |
| 3.6 | Trunk ports explicit, with only required VLANs allowed | [ ] | |
| 3.7 | DHCP snooping enabled on user VLANs | [ ] | |
| 3.8 | Dynamic ARP Inspection enabled on user VLANs | [ ] | |
| 3.9 | IP Source Guard enabled on access ports | [ ] | |
| 3.10 | PortFast and BPDU Guard on access ports | [ ] | |
| 3.11 | Root Guard on designated ports (prevent rogue root bridge) | [ ] | |
| 3.12 | 802.1X or MAB on all end-user access ports | [ ] | |
| 3.13 | Private VLANs or port isolation for sensitive segments | [ ] | |
| 3.14 | Storm control (broadcast / multicast / unknown unicast) on access ports | [ ] | |
| 3.15 | Dynamic Trunking Protocol (DTP) disabled on access ports | [ ] | |
| 3.16 | Guest VLAN fully isolated from corporate networks | [ ] | |
| 3.17 | IoT VLAN isolated with explicit firewall rules | [ ] | |
| 3.18 | Management plane on separate VLAN (out-of-band where possible) | [ ] | |

## 4. Wireless Security

| # | Item | Status | Notes |
|---|---|---|---|
| 4.1 | Corporate SSID uses WPA3-Enterprise (fallback WPA2-Enterprise) | [ ] | |
| 4.2 | Guest SSID uses captive portal with terms of acceptance | [ ] | |
| 4.3 | Guest SSID isolated from corporate networks (firewall or VLAN) | [ ] | |
| 4.4 | 802.1X authentication uses EAP-TLS (certificate-based) where feasible | [ ] | |
| 4.5 | Rogue AP detection enabled on WLC | [ ] | |
| 4.6 | Rogue AP containment policy defined and tested | [ ] | |
| 4.7 | Management Frame Protection (802.11w) enabled | [ ] | |
| 4.8 | Wireless IDS/IPS monitors for KRACK, deauth floods, Karma attacks | [ ] | |
| 4.9 | AP firmware up to date (< 6 months old or N-1) | [ ] | |
| 4.10 | SSID names do not leak business information (avoid "Finance-WiFi") | [ ] | |
| 4.11 | Channel and power management automatic (RRM, DCA, TPC) | [ ] | |
| 4.12 | Pre-shared keys (if used) are 20+ chars, rotated annually | [ ] | |
| 4.13 | WPS disabled on all APs | [ ] | |
| 4.14 | Wireless client isolation enabled on guest network | [ ] | |

## 5. Device Hardening

| # | Item | Status | Notes |
|---|---|---|---|
| 5.1 | All default credentials changed on every device | [ ] | |
| 5.2 | SSH v2 only (no Telnet, no SSH v1) | [ ] | |
| 5.3 | HTTPS-only for GUI (HTTP disabled) | [ ] | |
| 5.4 | Strong SSH ciphers (AES-256-GCM, ChaCha20) and KEX (DH group14-SHA256+) | [ ] | |
| 5.5 | SNMP v3 only (authPriv); no v1/v2c with public/private | [ ] | |
| 5.6 | NTP authentication enabled (MD5 or SHA) | [ ] | |
| 5.7 | Centralised logging enabled (syslog to aggregator/SIEM) | [ ] | |
| 5.8 | Firmware within N-1 of vendor current release | [ ] | |
| 5.9 | No end-of-support (EoS) devices in production | [ ] | |
| 5.10 | Unused services disabled (CDP and LLDP on untrusted ports; mDNS, BOOTP server, finger) | [ ] | |
| 5.11 | Control Plane Policing (CoPP) configured on routers/L3 switches | [ ] | |
| 5.12 | TCP keepalives and session timeouts configured | [ ] | |
| 5.13 | Encrypted configuration backups stored off-device | [ ] | |
| 5.14 | Configuration change logs enabled (archive log config) | [ ] | |
| 5.15 | IP source routing disabled | [ ] | |
| 5.16 | Gratuitous ARP disabled | [ ] | |
| 5.17 | Proxy ARP disabled except where explicitly needed | [ ] | |
| 5.18 | ICMP redirects and unreachables disabled where not needed | [ ] | |
| 5.19 | MOP, finger, and small services disabled | [ ] | |
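As an added example (not part of the VantagePoint checklist), a small Python audit that tests an IOS-style switch configuration against items 3.3, 3.5, 3.7, 3.8, 3.10, 3.15 and 5.5 above. The running-config text and interface names are constructed, and the command syntax is assumed to be Cisco IOS.

```python
# Constructed IOS-style running-config excerpt (illustrative, not from a real device).
SAMPLE_CONFIG = """\
ip dhcp snooping
ip arp inspection vlan 10,20
snmp-server community public RO
interface GigabitEthernet1/0/1
 switchport access vlan 10
 switchport mode access
 switchport nonegotiate
 spanning-tree bpduguard enable
!
interface GigabitEthernet1/0/2
 switchport access vlan 20
 switchport mode dynamic desirable
!
interface GigabitEthernet1/0/48
 switchport mode trunk
 switchport trunk allowed vlan 10,20,99
"""

def parse_blocks(config):
    """Map 'global' and each 'interface ...' header to its list of child commands."""
    blocks, current = {"global": []}, "global"
    for raw in config.splitlines():
        if raw.startswith(" "):            # indented line belongs to the current block
            blocks[current].append(raw.strip())
        elif raw.startswith("interface "):
            current = raw.strip()
            blocks[current] = []
        else:                              # '!' separator or a top-level global command
            current = "global"
            if raw.strip() != "!": blocks["global"].append(raw.strip())
    return blocks

def audit(config):
    """Return (checklist item, detail) for each failed check; [] means every check passed."""
    blocks = parse_blocks(config)
    g, fails = blocks["global"], []
    if "ip dhcp snooping" not in g: fails.append(("3.7", "DHCP snooping not enabled globally"))
    if not any(l.startswith("ip arp inspection vlan") for l in g): fails.append(("3.8", "DAI not enabled on any VLAN"))
    if any(l.startswith("snmp-server community") for l in g): fails.append(("5.5", "SNMP v1/v2c community string present"))
    for name, lines in blocks.items():
        if "switchport mode trunk" in lines:   # trunk: native VLAN must be set and not 1
            native = [l for l in lines if l.startswith("switchport trunk native vlan ")]
            if not native or native[0].split()[-1] == "1": fails.append(("3.3", f"{name}: native VLAN is 1"))
        elif any(l.startswith("switchport access vlan") for l in lines):   # access port
            for item, cmd in (("3.5", "switchport mode access"), ("3.15", "switchport nonegotiate"),
                              ("3.10", "spanning-tree bpduguard enable")):
                if cmd not in lines: fails.append((item, f"{name}: missing '{cmd}'"))
    return fails
```

Run `audit(SAMPLE_CONFIG)` to list findings; each tuple maps straight to a checklist row, which makes the Notes column easy to fill in.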

## 6. Access Control

| # | Item | Status | Notes |
|---|---|---|---|
| 6.1 | AAA centralised via TACACS+ or RADIUS (not just local) | [ ] | |
| 6.2 | Local accounts limited to named emergency break-glass only | [ ] | |
| 6.3 | Break-glass account credentials stored in sealed envelope or vault | [ ] | |
| 6.4 | Role-based access control (RBAC) enforced: read-only, operator, admin tiers | [ ] | |
| 6.5 | Privileged accounts require MFA | [ ] | |
| 6.6 | Session timeout on CLI/GUI (max 10 min idle) | [ ] | |
| 6.7 | Login banner displayed before authentication (legal warning) | [ ] | |
| 6.8 | Failed login lockout (3-5 attempts then 30s+ lockout) | [ ] | |
| 6.9 | Password policy: min 12 chars, complexity, history, max age | [ ] | |
| 6.10 | Privilege escalation logged and alerted | [ ] | |
| 6.11 | Command authorisation logged (what command, by whom, when) | [ ] | |
| 6.12 | Access reviews conducted quarterly (who still needs access?) | [ ] | |
| 6.13 | Leavers process ensures account deprovisioning within 24 hours | [ ] | |

## 7. Monitoring and Logging

| # | Item | Status | Notes |
|---|---|---|---|
| 7.1 | All devices send syslog to central collector/SIEM | [ ] | |
| 7.2 | Log retention meets compliance requirements (90 days hot, 1 year archive minimum) | [ ] | |
| 7.3 | Time sync: all devices use same NTP sources (< 50 ms skew) | [ ] | |
| 7.4 | Critical alerts defined (auth fail burst, config change, link down, CPU high) | [ ] | |
| 7.5 | On-call rota defined with escalation path | [ ] | |
| 7.6 | NetFlow / IPFIX flow data collected from core/edge | [ ] | |
| 7.7 | SNMP traps forwarded to NMS | [ ] | |
| 7.8 | SIEM correlation rules for brute force, impossible travel, data exfil | [ ] | |
| 7.9 | Monthly log review documented with findings | [ ] | |
| 7.10 | Security event runbook exists and tested (SOC playbook) | [ ] | |
| 7.11 | Audit trail integrity protected (append-only / WORM) | [ ] | |
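As an added example (not part of the VantagePoint checklist), the kind of correlation rule items 7.4 and 7.8 ask for: a sliding-window count of failed logins per source address over syslog. The log lines and their simplified `<iso-time> <host> LOGIN_FAILED user=<u> src=<ip>` format are constructed, and the 5-in-60-seconds threshold is an assumed tuning that mirrors the lockout range in item 6.8.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed syslog lines in a simplified "<iso-time> <host> LOGIN_FAILED user=<u> src=<ip>" form.
SAMPLE_LOGS = """\
2024-03-04T10:00:01 sw-core-1 LOGIN_FAILED user=admin src=10.0.0.5
2024-03-04T10:00:03 sw-core-1 LOGIN_FAILED user=admin src=10.0.0.5
2024-03-04T10:00:04 sw-core-1 LOGIN_FAILED user=root src=10.0.0.5
2024-03-04T10:00:09 sw-core-1 LOGIN_FAILED user=cisco src=10.0.0.5
2024-03-04T10:00:12 sw-core-1 LOGIN_FAILED user=admin src=10.0.0.5
2024-03-04T10:00:13 sw-core-1 LOGIN_FAILED user=admin src=10.0.0.5
2024-03-04T10:15:00 sw-core-1 LOGIN_FAILED user=ops src=10.0.0.9
2024-03-04T11:30:00 sw-core-1 LOGIN_FAILED user=ops src=10.0.0.9
"""

THRESHOLD, WINDOW = 5, timedelta(seconds=60)   # assumed tuning: 5 failures per source in 60 s

def detect_bursts(log_text, threshold=THRESHOLD, window=WINDOW):
    """Sliding-window count of failed logins per source IP. Returns one alert per source,
    raised the first time it crosses the threshold: (source, first_seen, last_seen, count)."""
    recent, alerts, alerted = defaultdict(deque), [], set()
    for line in log_text.splitlines():
        ts_str, host, event, *fields = line.split()
        if event != "LOGIN_FAILED":
            continue
        kv = dict(f.split("=", 1) for f in fields)
        ts, src = datetime.fromisoformat(ts_str), kv["src"]
        q = recent[src]
        q.append(ts)
        while ts - q[0] > window:           # evict failures that fell out of the window
            q.popleft()
        if len(q) >= threshold and src not in alerted:
            alerted.add(src)
            alerts.append((src, q[0], ts, len(q)))
    return alerts
```

The two isolated failures from 10.0.0.9 never trigger, which is the false-positive case a rule like this has to tolerate.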

## 8. Backup and Recovery

| # | Item | Status | Notes |
|---|---|---|---|
| 8.1 | Automated configuration backups run daily | [ ] | |
| 8.2 | Backups follow the 3-2-1 rule: at least 3 copies, on 2 different media, with 1 off-site | [ ] | |
| 8.3 | One backup copy is immutable / air-gapped | [ ] | |
| 8.4 | Backup encryption at rest and in transit (AES-256) | [ ] | |
| 8.5 | Restore tested quarterly with sample devices | [ ] | |
| 8.6 | Full DR failover tested annually | [ ] | |
| 8.7 | RTO and RPO documented per system | [ ] | |
| 8.8 | Off-site backup SLA and retention documented | [ ] | |
| 8.9 | Backup credentials rotated and unique to backup system | [ ] | |
| 8.10 | Backup storage monitored (capacity, health, replication lag) | [ ] | |

## 9. Patch and Vulnerability Management

| # | Item | Status | Notes |
|---|---|---|---|
| 9.1 | Asset inventory complete with firmware versions | [ ] | |
| 9.2 | Vulnerability scan (external) every 30 days minimum | [ ] | |
| 9.3 | Vulnerability scan (internal) every 30 days minimum | [ ] | |
| 9.4 | Vendor advisory subscriptions active (PSIRT feeds) | [ ] | |
| 9.5 | Patch schedule documented: critical 7 days, high 30 days, medium 90 days | [ ] | |
| 9.6 | Emergency patching procedure in place for zero-days | [ ] | |
| 9.7 | Test lab / staging environment for patch validation | [ ] | |
| 9.8 | Rollback procedure for failed patches | [ ] | |
| 9.9 | CVE remediation SLA tracked and reported | [ ] | |

## 10. Documentation

| # | Item | Status | Notes |
|---|---|---|---|
| 10.1 | Physical topology diagram current (< 6 months) | [ ] | |
| 10.2 | Logical topology diagram current (VLANs, IPs, routing) | [ ] | |
| 10.3 | Rack elevation diagrams current | [ ] | |
| 10.4 | IP address documentation / IPAM current | [ ] | |
| 10.5 | VLAN documentation current | [ ] | |
| 10.6 | Change log / CMDB current | [ ] | |
| 10.7 | Contact / vendor escalation list current | [ ] | |
| 10.8 | Incident response runbook exists and reviewed in last 12 months | [ ] | |
| 10.9 | Disaster recovery plan exists and reviewed in last 12 months | [ ] | |
| 10.10 | DR plan tested in last 12 months | [ ] | |
| 10.11 | Network security policy exists, approved, and current | [ ] | |
| 10.12 | Acceptable use policy signed by all users | [ ] | |

## 11. Compliance and Governance

| # | Item | Status | Notes |
|---|---|---|---|
| 11.1 | CIS benchmark assessment run in last 6 months (score captured) | [ ] | |
| 11.2 | PCI-DSS requirements met (if in scope): segmentation, logging, quarterly scan | [ ] | |
| 11.3 | GDPR / data protection controls applied to personal data flows | [ ] | |
| 11.4 | ISO 27001 or SOC 2 Type II evidence maintained (if certified) | [ ] | |
| 11.5 | Regulatory reporting lines (breach notification) documented | [ ] | |
| 11.6 | Third-party / vendor risk assessments on file | [ ] | |
| 11.7 | Data classification scheme applied (public / internal / confidential / restricted) | [ ] | |
| 11.8 | Records retention policy applied to network logs | [ ] | |

## 12. Findings Summary

| # | Finding | Category | Severity | Status | Owner | Due Date |
|---|---|---|---|---|---|---|
| 1 | `<DESCRIPTION>` | `<SECTION>` | Critical | Open | `<NAME>` | `<DATE>` |
| 2 | `<DESCRIPTION>` | `<SECTION>` | High | Open | `<NAME>` | `<DATE>` |
| 3 | `<DESCRIPTION>` | `<SECTION>` | Medium | Open | `<NAME>` | `<DATE>` |
| 4 | `<DESCRIPTION>` | `<SECTION>` | Low | Open | `<NAME>` | `<DATE>` |

### Summary Statistics
- Total controls assessed: `<N>`
- Pass: `<N>`
- Fail: `<N>`
- In progress: `<N>`
- Not applicable: `<N>`
- Exceptions approved: `<N>`
- Overall compliance: `<%>`

### Executive Summary
`<ONE-PAGE NARRATIVE for leadership: top 3 risks, recommended budget/actions, strengths to preserve.>`

---

## Sign-off

| Role | Name | Signature | Date |
|---|---|---|---|
| Auditor | `<NAME>` | | |
| IT Director | `<NAME>` | | |
| CISO / Security Lead | `<NAME>` | | |
| Executive Sponsor | `<NAME>` | | |

---

**VantagePoint Networks** - vantagepointnetworks.com

End of document
