...

  • Network segmentation: Resources are organized in separate virtual or physical networks. Separate access rules are defined per network. Access to the different networks is restricted according to the access control matrix.

  • All private networks are protected with a firewall.

  • Open network ports and allowed protocols are managed through firewall rules.

  • The access rules for allowed ports and protocols are managed by the responsible system administrator of every asset.

  • Only ports and protocols needed for the operation of applications and services are allowed. All other traffic is denied by default.

  • The network and firewall configurations are checked on a regular basis.

  • Remote access through public networks is done only through an encrypted channel (TLS or SSH), for which two options are allowed:

    • Set up a VPN connection to the private network. Only selected trusted users can make VPN connections.

    • Configure remote access through Remote Desktop Protocol (RDP) or SSH. In this case the connection is allowed only from whitelisted IP addresses. All connection attempts are logged in the system event log. The logs are checked on a regular basis.
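The two technical controls in the list above, default-deny firewall rules with remote access limited to whitelisted addresses and a regular check of the connection logs, are shown below as an added example. It is not code from the original page or from the organization behind it; the host name, allow-listed networks, service port and sshd log lines are all constructed for illustration, and the ruleset is rendered in nftables syntax as one possible way to implement the policy.

```python
"""Added example (not part of the original policy page): render a
default-deny nftables ruleset from a small allow-list, then review
constructed sshd log lines for connection attempts from sources outside
that allow-list. All addresses, names and log lines are constructed."""
import ipaddress
import re
from typing import Iterable

# Constructed allow-list: only these IPv4 sources may reach SSH/RDP.
ALLOWED_REMOTE_SOURCES = [
    ipaddress.ip_network("203.0.113.0/24"),   # hypothetical admin VPN egress
    ipaddress.ip_network("198.51.100.7/32"),  # hypothetical jump host
]

# Ports needed for operation of this hypothetical host; everything else is dropped.
SERVICE_PORTS = {"tcp": [443]}


def nft_ruleset(allowed: Iterable[ipaddress.IPv4Network], service_ports: dict) -> str:
    """Render an nftables 'inet filter' table: policy drop on input (deny by
    default), accept established/related and loopback, accept the listed
    service ports from anywhere, and accept SSH (22) / RDP (3389) only from
    the allow-listed sources, logging every new remote-access connection.
    Attempts on 22/3389 from other sources are logged and dropped."""
    sources = ", ".join(str(n) for n in allowed)   # 'ip saddr' matches IPv4 only
    lines = [
        "table inet filter {",
        "  chain input {",
        "    type filter hook input priority 0; policy drop;",
        "    ct state established,related accept",
        "    iif lo accept",
    ]
    for proto, ports in service_ports.items():
        lines.append(f"    {proto} dport {{ {', '.join(map(str, ports))} }} accept")
    lines += [
        f'    ip saddr {{ {sources} }} tcp dport {{ 22, 3389 }} ct state new '
        f'log prefix "remote-access: " accept',
        '    tcp dport { 22, 3389 } log prefix "remote-access-denied: " drop',
        "  }",
        "}",
    ]
    return "\n".join(lines)


# Constructed sshd log lines in the usual OpenSSH syslog format (not real data).
SAMPLE_SSHD_LOG = """\
Jan 12 08:01:07 host1 sshd[2201]: Accepted publickey for admin from 203.0.113.45 port 51022 ssh2: ED25519 SHA256:...
Jan 12 08:02:19 host1 sshd[2210]: Failed password for root from 192.0.2.77 port 40011 ssh2
Jan 12 08:02:21 host1 sshd[2210]: Connection closed by authenticating user root 192.0.2.77 port 40011 [preauth]
Jan 12 08:05:40 host1 sshd[2230]: Accepted publickey for ops from 198.51.100.7 port 33100 ssh2: ED25519 SHA256:...
Jan 12 08:09:02 host1 sshd[2241]: Invalid user oracle from 192.0.2.78 port 58814
"""

# Matches the sshd events that represent a connection attempt and carry a source IP.
SSHD_EVENT = re.compile(
    r"sshd\[\d+\]: (?P<event>Accepted \w+|Failed \w+|Invalid user) .*?"
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port (?P<port>\d+)"
)


def review_sshd_log(log_text: str, allowed=ALLOWED_REMOTE_SOURCES) -> list:
    """Return one finding per SSH connection attempt whose source address is
    outside the allow-list. With the firewall above in place such lines
    should never appear, so any hit points at a firewall gap or a path that
    bypasses it and is worth following up during the regular log review."""
    findings = []
    for line in log_text.splitlines():
        m = SSHD_EVENT.search(line)
        if not m:
            continue
        src = ipaddress.ip_address(m["ip"])
        if any(src in net for net in allowed):
            continue
        findings.append({"ip": str(src), "event": m["event"], "line": line})
    return findings


if __name__ == "__main__":
    print(nft_ruleset(ALLOWED_REMOTE_SOURCES, SERVICE_PORTS))
    for f in review_sshd_log(SAMPLE_SSHD_LOG):
        print(f"NOT WHITELISTED: {f['ip']} ({f['event']})")
```

The ruleset logs both accepted and dropped remote-access attempts so that the review step has evidence on either side of the firewall; the log check then compares what sshd actually saw against the same allow-list the firewall was built from, which is the comparison that catches a rule that was removed or never loaded.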

...