Define, implement and evaluate processes, procedures and technical measures to enforce policies and controls for all endpoints permitted to access systems and/or store, transmit, or process organizational data.
For managed endpoints, universal policy enforcement through one or more centralized configuration management tools is essential. Note: "Universal" enforcement is not necessarily "unified." Some vendors claim to offer "unified endpoint management" systems, but none are truly capable of managing all security features of all endpoint types. For unmanaged endpoints, guidance should be provided but will not be enforced (by definition).
Based on risk assessment, different configurations may be acceptable for systems access and/or information storage, resulting in various degrees of endpoint management with different access requirements. These may include using container technology for sensitive data isolation. For example, an organization that prohibits using electronic mail for sensitive information may determine that access to company electronic mail using a personally owned device requires only limited controls (such as an acceptable passcode, a lock screen, reasonably up-to-date software, and no circumvention of vendor security controls [such as jailbreaking or rooting]).
- Examine procedures for adequacy, currency, communication, and effectiveness.
- Determine the extent and applicability of the processes, procedures, and technical measures over applicable endpoints, as identified.
- Examine policy and procedures for evidence of review, with respect to effectiveness.
[csf.tools Note: For more information on the Cloud Controls Matrix, visit the CSA Cloud Controls Matrix Homepage.]
Cloud Controls Matrix is Copyright 2023 Cloud Security Alliance.