NIST 800-53 REV 5 • SYSTEM AND COMMUNICATIONS PROTECTION

SC-7(2) Public Access

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Related Controls

No related controls listed

Practitioner Notes

Systems that the public can access must not sit on the same network segment as your internal systems. Public-facing services get their own isolated zone.

Example 1: Host your company website on a cloud platform (Azure App Service, AWS) or in a DMZ completely separated from your corporate LAN. If the website is compromised, the attacker has no direct path to your internal file servers or Active Directory.

Example 2: If you must host a customer portal on-premises, place it on a dedicated VLAN with strict firewall rules. The portal server cannot initiate connections to any internal system — it can only respond to specific API calls from an internal application server through a tightly controlled firewall rule.
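One way to check a firewall rule export against the policy in Example 2, as an added example that is not part of the original page: the script flags any allow rule that lets the portal VLAN open a connection to the internal network. The addresses, ports, rule sets and the first-match, stateful, default-deny firewall model are all constructed assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_network

# Constructed addressing plan (assumption, not from the page).
PORTAL_VLAN = ip_network("10.50.0.0/24")   # dedicated VLAN for the customer portal
INTERNAL = ip_network("10.10.0.0/16")      # corporate LAN: file servers, Active Directory

@dataclass(frozen=True)
class Rule:
    action: str        # "allow" or "deny"
    src: IPv4Network   # source of a NEW connection
    dst: IPv4Network   # destination
    port: int | None   # destination TCP port; None matches any port

def rule(action, src, dst, port=None):
    return Rule(action, ip_network(src), ip_network(dst), port)

def narrow(net, zone):
    """Intersection of two overlapping CIDR blocks (the smaller one)."""
    return net if net.subnet_of(zone) else zone

def audit(rules):
    """Return allow rules that let the portal VLAN open connections inward.

    Assumes a stateful, first-match firewall with an implicit default deny.
    Only a single earlier deny that fully covers the risky slice counts as
    shadowing; anything less is reported so a human reviews it.
    """
    findings = []
    for i, r in enumerate(rules):
        if r.action != "allow" or not (r.src.overlaps(PORTAL_VLAN) and r.dst.overlaps(INTERNAL)):
            continue
        src, dst = narrow(r.src, PORTAL_VLAN), narrow(r.dst, INTERNAL)
        shadowed = any(d.action == "deny" and src.subnet_of(d.src) and dst.subnet_of(d.dst)
                       and d.port in (None, r.port) for d in rules[:i])
        if not shadowed:
            findings.append(r)
    return findings

# Constructed rule sets. The API call direction is internal app server -> portal.
WEAK = [
    rule("allow", "0.0.0.0/0", "10.50.0.10/32", 443),      # public -> portal
    rule("allow", "10.10.20.5/32", "10.50.0.10/32", 443),  # app server -> portal API
    rule("allow", "10.50.0.10/32", "10.10.30.0/24", 445),  # portal -> file servers (violation)
]
HARDENED = [rule("deny", "10.50.0.0/24", "10.10.0.0/16")] + WEAK

if __name__ == "__main__":
    for name, rs in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, [f"{f.src}->{f.dst}:{f.port}" for f in audit(rs)])
```

Placing the explicit deny first means a leftover portal-to-LAN allow further down the list can no longer match, which is why the hardened set reports nothing.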