UEM-01: Endpoint Devices Policy and Procedures

CSF v1.1 References:

PF v1.0 References:

Control Statement

Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures for all endpoints. Review and update the policies and procedures at least annually.

Implementation Guidance

Policies and procedures for both managed and unmanaged endpoints (including BYOD) should include the following components:

  1. Definition of endpoints and the acceptable-use policy requirements for all endpoints (mobile devices, virtual, desktop, etc.). Note: Physical and virtual servers, containers, and similar "endpoints" are addressed in the DCS and IVS domains, while application and interface "endpoints" are discussed in the AIS domain.
  2. A list of the approved systems, servers, applications, application stores, application extensions, and plugins that are allowed for managed endpoint access and usage and/or are enforced through enterprise management tools.
  3. Policy and procedures related to installing non-approved applications or approved applications not obtained through a pre-identified application store.
  4. Prohibit the circumvention of vendor-supported and integrated (built-in) security controls on endpoints (e.g., jailbreaking or rooting). Enforce these restrictions through detective and preventive controls on the endpoint, managed through a centralized system (e.g., an endpoint management, system configuration control, or mobile device management system).
  5. Policies regarding privacy expectations and requirements for remote location identification, litigation, e-discovery, and legal holds (especially for personally-owned devices).
  6. Policies and procedures addressing the loss of non-company (e.g., personal) data if a full or partial wipe of a device is required.
  7. Performing policy reviews at planned intervals or upon significant organizational or environmental changes.

Policies and procedures should also integrate the following concepts (which may have applicable controls in other domains to consider):

  1. Passcodes, biometric authentication, idle/no-use screen locks, and logouts.
  2. The use of anti-malware software.
  3. The use of encryption for the entire device or data identified as non-public on all endpoints (enforced through technology controls).
  4. Each endpoint device should be assigned to a named person who is responsible for it. Such devices may be shared (e.g., in shared work areas), but a single individual should still be assigned responsibility for each device.
  5. Non-device endpoints should also have "owners" responsible for assessing risks and ensuring appropriate controls.
  6. Endpoints should be vetted for policy compliance before being provisioned for organizational use.

Auditing Guidance

  1. Examine policy for adequacy, currency, communication, and effectiveness.
  2. Examine policy and procedures for evidence of review, at least annually.

[csf.tools Note: For more information on the Cloud Controls Matrix, visit the CSA Cloud Controls Matrix Homepage.]

Cloud Control Matrix is Copyright 2023 Cloud Security Alliance.