In Raiders of the Lost Ark, Indiana Jones doesn't wander into the Well of Souls hoping to stumble across the Ark of the Covenant. He has a map. More specifically, he has the headpiece of the Staff of Ra, the one piece of information that tells him exactly where to dig. Without it, Belloq and the Nazis spent weeks excavating the wrong location. They had resources, manpower, and determination. What they didn't have was accurate intelligence about the terrain.
Your network is the Well of Souls. The question is: who has the better map, you, or the attacker who's been quietly moving through your environment for the past three weeks?
What Is CIS Safeguard 12.4?
Safeguard 12.4 is part of CIS Control 12: Network Infrastructure Management, and its security function is Identify. It applies to IG2 and IG3 organizations. The requirement: Establish and maintain architecture diagram(s) and/or other network system documentation. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.
This isn't about producing a pretty diagram for an audit. It's about maintaining accurate operational intelligence of your own environment.
Why It Matters
You cannot defend a network you haven't mapped. That sounds obvious, but the number of organizations operating without current, accurate network documentation is striking. Networks grow organically, a new VLAN here, a cloud workload there, a legacy segment that nobody touched in four years and everyone is afraid to ask about. Over time, the map in people's heads diverges further and further from what's actually deployed.
When an incident happens, that gap becomes a crisis. Responders are trying to understand blast radius, identify affected systems, and trace lateral movement, without a reliable picture of how the environment is structured. Every minute spent reverse-engineering the network topology is a minute the attacker is still active.
Attackers, by contrast, do their reconnaissance. Before a sophisticated threat actor makes a significant move, they've already mapped your network more thoroughly than you have. If that thought is uncomfortable, it should be. It's meant to be.
Architecture diagrams also serve as the foundation for everything else you're trying to do in security, network segmentation, access control decisions, firewall rule reviews, zero trust planning. Without an accurate map of trust zones, data flows, and connectivity, all of those efforts are guesswork.
What To Do: Implementation Steps
- Create a current-state network architecture diagram. If you don't have one, start now. Document network segments, trust zones, key assets, data flows, external connections, and ingress/egress points. This doesn't need to be a Visio masterpiece, accurate beats beautiful every time.
- Include the elements that actually matter for security. Your diagram should show segmentation boundaries, firewall placement, DMZ structure, cloud connectivity, remote access paths, and where critical systems (AD, DNS, authentication infrastructure) live. Segment-level trust relationships are especially important.
- Store it securely and version-control it. Your network architecture diagram is sensitive, it's a roadmap for attackers if it falls into the wrong hands. Store it in a secure, access-controlled location. Version-control it so you can track what changed and when.
- Tie updates to your change management process. The diagram goes stale the moment you stop updating it. Build diagram reviews into your change management workflow, any significant network change should trigger a documentation update before or immediately after implementation.
- Review formally at least once a year. Schedule an annual documentation review even if you think nothing major has changed. Walk through the diagram with your network and security teams. You'll find drift. You always find drift.
- Use the diagram actively, not just as an artifact. Pull it out during firewall rule reviews, segmentation discussions, incident response tabletops, and zero trust planning sessions. A diagram that lives in a folder and never gets used isn't doing its job.
Final Thoughts
Belloq and the Nazis had an army, unlimited resources, and weeks of time. What they didn't have was the right map. Indiana Jones walked in with accurate intelligence and walked out with the prize, mostly.
The organizations that respond to incidents fastest, contain breaches most effectively, and make the best segmentation decisions are the ones with accurate, current network documentation. The ones who are still trying to figure out what's on their network after the attacker is already inside are working with Belloq's map.
Build the diagram. Keep it current. Review it regularly. Don't let the attacker have better intelligence about your own network than you do.
Free Resource: The CIS Controls are available for free at cisecurity.org. The full implementation guidance for Control 12 includes additional context on documentation requirements across implementation groups.
Have questions about where to start with network documentation? DM me, it's a common challenge and there are practical ways to approach it.
Official CIS Control and Safeguard Text
CIS Control 12: Network Infrastructure Management
CIS Safeguard 12.4: Establish and maintain architecture diagram(s) and/or other network system documentation. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.
Shameless Marketing Information
Gotham Technology Group can help organizations build and maintain accurate network architecture documentation as part of our network security assessments, reach out if you need a hand getting started.