GRCWatch
Sign inStart free trial

CIS Control 4.2: Establish and Maintain a Secure Configuration Process for Network Infrastructure

Network misconfigurations are a leading cause of security breaches in SMBs. CIS Control 4.2 requires you to document, implement, and regularly review secure configurations across all network devices. This foundational control prevents unauthorized access, reduces attack surface, and demonstrates due diligence to auditors and customers.

What this means

CIS 4.2 mandates that your organization develop and maintain a formal process for configuring network infrastructure securely. This includes routers, switches, firewalls, and other network devices. You must document the secure baseline configuration for each device type, enforce those standards during deployment, and review your documentation at least annually—or immediately when significant infrastructure changes occur. The goal is consistency, traceability, and resilience against both accidental misconfigurations and intentional attacks.

How to comply

  1. 1.Document secure baseline configurations for each network device type (routers, switches, firewalls, VPNs, load balancers)
  2. 2.Create and maintain a configuration management process that enforces baselines before devices go into production
  3. 3.Implement change control procedures so all configuration modifications are reviewed and approved before deployment
  4. 4.Conduct annual reviews of network device documentation and update baselines when technology, threats, or business needs change
  5. 5.Track all configuration changes in a centralized log with timestamps, who made the change, and approval records
  6. 6.Test baseline configurations in a lab environment before applying to production systems
  7. 7.Assign clear ownership and accountability for network device security configuration

Evidence auditors look for

  • Documented baseline configurations for each network device class stored in a version-controlled repository
  • Change control tickets showing approval workflow for configuration updates from the past 12 months
  • Annual configuration review meeting notes with stakeholder sign-off and any remediation actions
  • Comparison reports showing deviations from baseline and corrective actions taken
  • Configuration backup files with dates and verification that they match approved standards
  • Network device inventory with assigned baseline version and last review date
  • Change logs from network infrastructure management tools showing who, what, when, and why for each modification

Frequently asked questions

When will FAQs be available?

The FAQ for this control is currently being prepared.

GRCWatch automates network configuration baseline tracking, logs all changes with approval workflows, and alerts you when annual reviews are due—so your team spends less time hunting for configuration docs and more time responding to actual security risks.

See how GRCWatch handles this control automatically

Start free trial

Related controls

CIS 4.1 — Establish and Maintain a Software InventoryCIS 2.4 — Configure and Manage Wireless Access PointsCIS 3.3 — Configure Data Access Control ListsNIST 800-53 CM-2 (Baseline Configuration)