General
The organization should establish a topic-specific policy on secure configuration and handling of user endpoint devices. The topic-specific policy should be communicated to all relevant personnel and consider the following:
- a) the type of information and the classification level that the user endpoint devices can handle, process, store or support;
- b) registration of user endpoint devices;
- c) requirements for physical protection;
- d) restriction of software installation (e.g. remotely controlled by system administrators);
- e) requirements for user endpoint device software (including software versions) and for applying updates (e.g. active automatic updating);
- f) rules for connection to information services, public networks or any other network off premises (e.g. requiring the use of personal firewall);
- g) access controls;
- h) storage device encryption;
- i) protection against malware;
- j) remote disabling, deletion or lockout;
- k) backups;
- l) usage of web services and web applications;
- m) end user behaviour analytics (see 8.16);
- n) the use of removable devices, including removable memory devices, and the possibility of disabling physical ports (e.g. USB ports);
- o) the use of partitioning capabilities, if supported by the user endpoint device, which can securely separate the organization's information and other associated assets (e.g. software) from other information and other associated assets on the device.
Consideration should be given to whether certain information is so sensitive that it can only be accessed via user endpoint devices but not stored on such devices. In such cases, additional technical safeguards can be required on the device, for example disabling the downloading of files for offline working and disabling local storage such as an SD card. As far as possible, the recommendations in this control should be enforced through configuration management (see 8.9) or automated tools.
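As an added example of the automated enforcement the last paragraph calls for (not part of the standard's text), the script below evaluates constructed endpoint configuration records against the machine-checkable items of the policy list (b, e, h, i, j, n, o) and the access-but-do-not-store rule for sensitive information. The record fields, the 30-day patch threshold and the "secret" classification label are assumptions chosen for illustration.

```python
"""Policy-as-code audit of user endpoint device records against the items above."""

# Constructed sample records (field names are assumed, not from the standard).
SAMPLE_DEVICES = [
    {"id": "LT-0042", "registered": True, "auto_update": True, "os_patch_age_days": 5,
     "disk_encrypted": True, "malware_protection": True, "remote_wipe": True,
     "usb_storage_blocked": True, "work_profile_separated": True,
     "handles_classification": "confidential",
     "offline_download_allowed": False, "sd_card_enabled": False},
    {"id": "LT-0077", "registered": False, "auto_update": False, "os_patch_age_days": 60,
     "disk_encrypted": False, "malware_protection": True, "remote_wipe": True,
     "usb_storage_blocked": False, "work_profile_separated": True,
     "handles_classification": "secret",
     "offline_download_allowed": True, "sd_card_enabled": True},
]

MAX_PATCH_AGE_DAYS = 30          # assumed threshold for item e)
ACCESS_ONLY_LEVELS = {"secret"}  # assumed levels that may be accessed but not stored

# (policy item, description, predicate that returns True when the device complies)
CHECKS = [
    ("b", "device is registered", lambda d: d["registered"]),
    ("e", "automatic updating enabled and patches current",
     lambda d: d["auto_update"] and d["os_patch_age_days"] <= MAX_PATCH_AGE_DAYS),
    ("h", "storage device encryption enabled", lambda d: d["disk_encrypted"]),
    ("i", "malware protection present", lambda d: d["malware_protection"]),
    ("j", "remote disabling/deletion capability enrolled", lambda d: d["remote_wipe"]),
    ("n", "USB mass storage blocked", lambda d: d["usb_storage_blocked"]),
    ("o", "organization data partitioned from personal data",
     lambda d: d["work_profile_separated"]),
]


def evaluate(device):
    """Return a list of policy findings (empty when the device complies)."""
    findings = [f"{item}: {desc}" for item, desc, ok in CHECKS if not ok(device)]
    # Sensitive information may be accessed on the device but not stored on it.
    if device["handles_classification"] in ACCESS_ONLY_LEVELS:
        if device["offline_download_allowed"]:
            findings.append("sensitive: downloading files for offline working must be disabled")
        if device["sd_card_enabled"]:
            findings.append("sensitive: local storage such as an SD card must be disabled")
    return findings


def audit(devices):
    """Map each device id to its findings so non-compliant devices can be reported."""
    return {d["id"]: evaluate(d) for d in devices}


if __name__ == "__main__":
    for dev_id, findings in audit(SAMPLE_DEVICES).items():
        print(dev_id, "OK" if not findings else "; ".join(findings))
```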