GRCWatch
Sign inStart free trial

DE.AE-1: Network Operations Baseline

DE.AE-1 requires you to document what normal looks like for your network—every user, every system, every expected data flow. This baseline becomes your detection foundation: without it, you can't spot anomalies. For SMBs managing limited IT resources, establishing this baseline early prevents costly breach investigations and compliance failures.

What this means

Network Operations Baseline means creating a documented map of your entire network infrastructure, including authorized users, systems, applications, and the data flows between them. This baseline serves as your reference point for identifying unauthorized activity, unusual access patterns, or unexpected system behavior. It encompasses both the technical architecture (devices, networks, connections) and operational patterns (typical user behavior, peak usage times, normal data movements). This control is foundational—you cannot effectively detect anomalies without first defining what normal operations should look like.

How to comply

  1. 1.Conduct a complete network inventory: document all systems, servers, workstations, IoT devices, and network infrastructure components with their functions and criticality levels
  2. 2.Map authorized users and roles: identify all personnel, contractors, and service accounts with their assigned access levels and responsibilities
  3. 3.Document expected data flows: create diagrams showing how data moves between systems, applications, and external connections (APIs, integrations, cloud services)
  4. 4.Establish operational baselines: record typical network behavior patterns including peak usage times, bandwidth consumption, normal login patterns, and routine administrative activities
  5. 5.Define configuration standards: document approved system configurations, software versions, security controls, and patch levels for each asset class
  6. 6.Create baseline documentation: compile all findings into a living baseline document that includes assets, users, data flows, and operational patterns
  7. 7.Review and validate baseline: ensure accuracy through network scanning tools and cross-functional validation with IT and business stakeholders
  8. 8.Establish update procedures: define how and when the baseline is reviewed and updated as systems and operations change

Evidence auditors look for

  • Network diagram showing all systems, connections, and data flows with annotations
  • Asset inventory spreadsheet listing systems, OS versions, owners, and criticality classifications
  • User access matrix mapping personnel to systems and their assigned privileges
  • Network flow documentation describing data movement between applications and systems
  • System configuration baselines for each asset class (servers, workstations, network devices)
  • Operational metrics baseline showing normal traffic volumes, user counts, and activity patterns
  • Change log showing baseline updates and reviews with approval signatures
  • Network monitoring baseline reports from tools like Nessus, Zeek, or NetFlow collectors

Frequently asked questions

When will FAQs be available?

The FAQ for this control is currently being prepared.

GRCWatch automates network inventory collection and baseline documentation, mapping your assets, users, and data flows into a compliance-ready baseline that updates as your infrastructure changes—eliminating manual spreadsheets and keeping DE.AE-1 evidence current.

See how GRCWatch handles this control automatically

Start free trial

Related controls

DE.AE-2 — Anomalies and EventsID.AM-1 — Physical Devices and SystemsID.AM-2 — Software Platforms and ApplicationsPR.AC-1 — Identities and Credentials