| Device security policy written, approved, distributed, and reviewed on a regular basis. |
| Facilities (room, building, area) housing the devices secured—physical security. |
| Password policies to ensure that good passwords are created that cannot be easily guessed or hacked. |
| Password encryption used so that passwords are not visible when device configuration is viewed. |
| Access methods such as Console, VTY, and AUX secured using ACLs and authentication mechanisms. |
| Access methods such as SSH with AAA authentication chosen wisely. |
| Unneeded services and protocols disabled. |
| Unused interfaces shut down or disabled. |
| Configuration hardened for network services and protocols in use (for example, HTTP and SNMP). |
| Port and protocol needs of the network identified, and access lists used to limit traffic flow. |
| Access lists considered for anti-spoofing and infrastructure protection, and for blocking reserved and private addresses. |
| Routing protocols established that use authentication mechanisms for integrity. |
| Appropriate logging enabled with proper time information. |
| Device's time of day set accurately, maintained with NTP. |
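
Several of the checklist items above can be verified mechanically against a saved device configuration. The following is an added example, not part of the original checklist: it assumes Cisco IOS-style syntax (suggested by the Console, VTY, and AUX lines named above), the function names `sections` and `audit` are hypothetical, the sample configuration is constructed, and treating an interface with `no ip address` as "unused" is an assumption.

```python
def sections(config, prefix):
    """Map each top-level header starting with prefix to its indented child lines."""
    found, current = {}, None
    for raw in config.splitlines():
        if not raw.startswith(" "):   # top-level line: opens a matching section or ends one
            current = found.setdefault(raw.strip(), []) if raw.startswith(prefix) else None
        elif current is not None:
            current.append(raw.strip())
    return found

def audit(config):
    top = {l.strip() for l in config.splitlines() if l and not l.startswith(" ")}
    vty = sections(config, "line vty")
    ifaces = sections(config, "interface ")
    return {
        "password_encryption": "service password-encryption" in top,
        "vty_ssh_only": bool(vty) and all("transport input ssh" in c for c in vty.values()),
        "vty_access_class": bool(vty) and all(
            any(l.startswith("access-class ") and l.endswith(" in") for l in c)
            for c in vty.values()),
        "http_server_disabled": "ip http server" not in top,
        "log_timestamps": any(l.startswith("service timestamps log datetime") for l in top),
        "ntp_configured": any(l.startswith("ntp server ") for l in top),
        # Assumption: an interface with "no ip address" is unused and must be shut down.
        "unused_interfaces_shutdown": all(
            "shutdown" in c for c in ifaces.values() if "no ip address" in c),
    }

# Constructed sample configuration (not from a real device).
SAMPLE = """\
service timestamps log datetime msec
service password-encryption
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.0
interface GigabitEthernet0/1
 no ip address
ip http server
ntp server 192.0.2.10
line vty 0 4
 access-class 10 in
 transport input ssh
line vty 5 15
 transport input telnet ssh
"""

if __name__ == "__main__":
    for check, ok in audit(SAMPLE).items():
        print(f"{'PASS' if ok else 'FAIL'}  {check}")
```

The second VTY range in the sample shows why each `line vty` block has to be checked separately: hardening lines 0 4 alone leaves lines 5 15 accepting Telnet with no access class.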