A poorly configured network device is like leaving your office door unlocked—attackers can walk straight in and steal customer data, financial records, or disable your operations entirely. A small manufacturing business in Bangalore lost ₹8 lakh when a hacker accessed their accounting system through a default-password router and diverted invoices to a fake bank account. Banks and larger customers conducting audits will refuse to work with you if your network security is this weak, and you may face regulatory action under data protection laws if customer data is breached through a preventable misconfiguration.
Find where your organisation is today. Be honest — the self-assessment is only useful if it reflects reality.
Absent
You're not sure what your routers and firewalls are set to, and no one has ever changed the default password from 'admin/admin'. When you ask IT staff about network security, they say it's handled but can't show you any documentation.
Initial
You know where your network devices are and that they exist, but passwords haven't been changed from factory defaults or have been written down on a sticky note next to the device. There's no record of what settings are in place or when they were last checked.
Developing
Default passwords have been changed to something stronger, but changes aren't documented and there's no consistent process for managing or updating settings. One person in your office knows the passwords but hasn't written them down securely anywhere.
Defined
All network devices have strong, unique passwords stored in a password manager or secure location, and basic security settings (like disabling unnecessary features) have been applied and documented. You've done this once but don't have a schedule for reviewing or updating these settings.
Managed
Network devices are configured according to a documented security baseline, passwords are managed securely, and you review and test these settings at least twice a year. Changes are logged and there's a clear process for updating firmware when patches are released.
Optimised
You have a complete inventory of all network devices with their configurations, security settings are reviewed and tested quarterly with external validation, firmware updates are applied automatically or within a defined schedule, and any configuration changes are logged and auditable. Compliance with this control is monitored continuously.
| Step | What to Do | Who | Effort |
|---|---|---|---|
| 0 → 1 | Locate all routers, firewalls, and network switches; write down their make and model; create a simple list with IP addresses where they can be accessed | IT staff or designated person | 1-2 days |
| 1 → 2 | Change default passwords on all devices to strong unique passwords (minimum 12 characters, mix of uppercase, lowercase, numbers, symbols); store passwords in a locked file or basic password manager like Bitwarden | IT staff or network administrator | 1 week |
| 2 → 3 | Document the security settings applied to each device (disabled services, enabled logging, firewall rules), create a configuration backup file, disable remote management access where not needed, implement basic access controls (e.g., only allow admin access from specific office IP addresses) | IT staff with oversight from management | 2-3 weeks |
| 3 → 4 | Set up a quarterly review schedule with a checklist, test that all documented configurations are actually in place, check for available firmware updates and apply them in a controlled manner, create an audit log template to record all changes | IT staff or outsourced managed services provider | 1-2 months |
| 4 → 5 | Implement centralized device management (e.g., SNMP monitoring), set up automated compliance scanning, arrange annual third-party security assessment of network configurations, integrate findings into a continuous improvement cycle | IT staff, external security consultant, or managed security services provider | Ongoing (2-4 hours per quarter plus annual assessment) |
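As an added example (not code from the page or the NIRMATA framework), the Python script below checks a device configuration backup against a documented baseline of the kind the 2 → 3 and 3 → 4 steps call for: default credentials, password length, remote management, logging, admin-access IP range and minimum firmware. The baseline values, the "key value" export format, the office IP range and the sample config are all constructed assumptions.

```python
"""Added example: check a device config backup against a documented baseline (values constructed)."""
import ipaddress
DEFAULT_CREDENTIALS = {("admin", "admin"), ("admin", "password")}  # factory default pairs
BASELINE = {                                   # assumed documented baseline
    "min_password_length": 12,
    "remote_management": "disabled",
    "logging": "enabled",
    "admin_allowed_from": "203.0.113.0/24",    # office IP range (constructed)
    "min_firmware": (2, 4, 0),
}
SAMPLE_CONFIG = """\
firmware 2.3.7
admin_user admin
admin_password admin
remote_management enabled
logging enabled
admin_acl 0.0.0.0/0
"""

def parse_config(text):
    """Turn a 'key value' export into a dict; blank and '#' lines are skipped."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition(" ")
            cfg[key] = value.strip()
    return cfg

def check_compliance(cfg, baseline=BASELINE):
    """Return the baseline deviations found; an empty list means compliant."""
    findings = []
    user, pw = cfg.get("admin_user", ""), cfg.get("admin_password", "")
    if (user, pw) in DEFAULT_CREDENTIALS:
        findings.append("factory default credentials still in use")
    if len(pw) < baseline["min_password_length"]:
        findings.append("admin password shorter than baseline minimum")
    if cfg.get("remote_management") != baseline["remote_management"]:
        findings.append("remote management not disabled")
    if cfg.get("logging") != baseline["logging"]:
        findings.append("logging not enabled")
    allowed = ipaddress.ip_network(baseline["admin_allowed_from"])  # office range only
    acl = ipaddress.ip_network(cfg.get("admin_acl", "0.0.0.0/0"), strict=False)
    if not acl.subnet_of(allowed):
        findings.append(f"admin access allowed from {acl}, baseline is {allowed}")
    firmware = tuple(int(p) for p in cfg.get("firmware", "0").split("."))
    if firmware < baseline["min_firmware"]:
        findings.append("firmware below minimum approved version")
    return findings
```

Real devices export their own configuration syntax, so parse_config would need adapting per vendor; the returned deviations are what go into the quarterly review checklist and the change log.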
Documents and records that prove your maturity level.
- Inventory list of all routers, firewalls, switches, and network devices with make, model, and serial numbers
- Documented security configuration baseline showing what settings should be applied to each device type
- Password management record (encrypted file or password manager export) showing that default passwords have been changed and strong passwords are in use
- Configuration backup files or screenshots showing applied security settings (disabled default services, changed default ports, enabled logging)
- Change log or audit trail showing when configurations were last reviewed, tested, and updated (with dates and person responsible)
Prepare for these questions from customers or third-party reviewers.
- "Can you show me that the default passwords on your routers and firewalls have been changed? How are these new passwords stored and who has access to them?"
- "Do you have a documented baseline for how network devices should be configured? Can you show me evidence that current devices match this baseline?"
- "When was the last time someone verified that the security settings on these devices are actually in place and working as intended?"
- "If we need to replace or update a network device, do you have a process to ensure the new device is configured securely before being put into use?"
- "Are there any network devices in your office that are still using default or unchanged manufacturer settings? How do you know?"
| Purpose | Free Option | Paid Option |
|---|---|---|
| Store and manage network device passwords securely | Bitwarden (open-source password manager, self-hosted or cloud); KeePass (offline password manager) | Dashlane Teams (₹3,000–5,000/user/year); 1Password Business (₹4,000–6,000/user/year) |
| Scan network devices for common configuration weaknesses and default credentials | Nessus Community Edition (free version with limitations); OpenVAS (open-source vulnerability scanner) | Tenable Nessus Professional (₹1.5–2 lakh/year); Rapid7 InsightVM (₹3–5 lakh/year for SMBs) |
| Monitor and manage network device configurations, firmware versions, and changes | PRTG Network Monitor (free version up to 100 sensors); Zabbix (open-source monitoring) | Cisco Meraki Dashboard (included with devices, varies); SolarWinds Network Configuration Manager (₹2–4 lakh/year) |
- Assuming that because you're a small business, hackers won't target you—they use automated scanning tools that don't care about company size and will exploit any default credentials they find
- Changing one password and thinking the job is done, then never reviewing or updating configurations; network security requires ongoing attention, not a one-time fix
- Keeping network device passwords written down in notebooks, spreadsheets, or email instead of using a proper password manager, making passwords vulnerable to theft or loss if someone leaves the company
- Not documenting what settings were applied or why, making it impossible to audit later or train new staff on how to maintain security
- Delaying firmware and security updates because 'the network is working fine'—updates patch known vulnerabilities that attackers actively exploit
| Standard | Relevant Section |
|---|---|
| DPDP Act 2023 | Section 6 (Obligations of Data Fiduciary) and Schedule 2 (Security and Integrity of Personal Data); organizations must ensure personal data is protected through reasonable security measures |
| CERT-In 2022 | Guideline 1 (Securing IT Infrastructure); organizations must ensure network devices are configured securely and default credentials are changed |
| ISO 27001:2022 | Annex A: A.8.2 (Privileged Access Rights), A.8.3 (Information Access Restriction), A.8.6 (Access Control for Network and Computing Resources) |
| NIST CSF 2.0 | Govern function (GV.RO Roles, Responsibilities, and Authorities); Protect function (PR.AC Access Control, PR.DS Data Security) |
Ready to assess your organisation?
Answer all 191 questions and get your NIRMATA maturity score across all 12 pillars.