Secure networks do not appear by accident. It starts with thoughtful planning and sound engineering principles. Seek out flaws in the current network design as an attacker would and correct all of the faults found in its design. By being intentional and meticulous, a true design can emerge and more importantly it will persist.
A key step to this is creating a document that explicitly lists all approved connections by traffic initiator. This is an excellent source document to audit the firewall rules against each and every quarter. Diligently look for the use of insecure protocols, such as FTP and Telnet in each network segment. When they are found, strongly consider using protocols that do not send their information in clear text format.
Segment networks according to security zones as well as logical departments and divisions. This will allow for more granular firewall rules and a better understanding of the communication paths that are required. Using both color-coded network diagrams and network cables is an excellent visual indicator to the types of traffic and zones being used throughout the environment.
In all monitoring systems that allow it, labeling critical systems within your existing monitoring tools will help reinforce these systems in the monitoring tools. When all else fails, this can help to guide the impact assessment. It is important to include junior team members in these exercises and discussions. Both teaching and learning will happen for everyone involved and will lead to a more informed and engaged team environment.