ISO 27001 Control 8.1: User Endpoint Devices

Protecting Organisational Data on the Go

Introduction

User endpoint devices form a critical link in any organisation’s information security chain. Whether owned by the organisation or personally by employees (BYOD), they can access, store, and process sensitive data, making them a prime target for adversaries. By establishing robust policies and controls, organisations can significantly reduce the security risks introduced by the use of such devices.

Purpose

The primary objective of securing user endpoint devices is to protect information stored, processed, or accessed via these devices. This includes ensuring confidentiality, integrity, and availability, even when devices are used in potentially insecure environments.

Key Requirements of ISO 27001:2022 Annex A 8.1

ISO 27001:2022 Annex A 8.1 “User endpoint devices” focuses on protecting information on user endpoint devices by:

  • Establishing suitable policies and controls.
  • Creating policies for the secure configuration and utilisation of these devices.
  • Mandating protection for information stored on, processed by, or accessible from endpoint devices.

Auditors assess compliance with ISO/IEC 27001 by examining the security of user endpoint devices. Organisations must create and maintain the relevant policies, procedures, and technical measures so that the information security management system operates effectively and adheres to the standard.

Developing an Endpoint Device Security Policy

A clear policy for the secure configuration management and use of endpoint devices is essential to safeguard assets. This policy should encompass all aspects of device management, from configuration to usage and disposal.

Endpoint device management tools enhance security by enabling remote actions, such as locking or wiping mobile devices and personal devices. These tools protect sensitive data even if a device is lost or stolen, and they also let the organisation control the use of removable storage media such as USB drives, contributing to the broader strategy of maintaining organisational information security.

Asset Management for Endpoint Devices

[Figure: Examples of endpoint devices]

An effective asset management process is vital for tracking and protecting endpoint devices. This involves identifying and safeguarding all devices, creating an asset register, and conducting a risk assessment for each type of asset.

Auditors often verify the existence of an asset register and the management process during evaluations. Listing all endpoint devices assigned to individuals helps maintain an accurate inventory and reveals unknown devices.

Including Bring Your Own Device (BYOD) or personal devices in the asset register is critical. This ensures all user endpoint devices, whether organisational or personal, are managed and protected appropriately under the mobile device policy.
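The asset register only detects unknown devices if it is regularly compared with what is actually connecting. The script below is an added example, not part of the original article or of any ISO material: it reconciles a constructed asset register (corporate and BYOD entries with their management enrolment state) against a constructed export of devices observed at sign-in, and reports unknown devices, devices used by someone other than the registered owner, unenrolled devices, and registered devices not seen recently. The column names and the 30-day staleness threshold are assumptions chosen for the example.

```python
"""Reconcile an endpoint asset register against observed devices.

Added example with constructed sample data; the CSV layouts and field names
(device_id, owner, ownership, mdm_enrolled, user, last_seen) are assumptions
about how such records might be exported, not a real product's format.
"""
import csv
import io
from datetime import date

# Constructed asset register: what the organisation believes exists and who owns it.
ASSET_REGISTER_CSV = """device_id,owner,ownership,mdm_enrolled
LAP-0001,alice,corporate,yes
LAP-0002,bob,corporate,no
PHN-0101,carol,byod,yes
PHN-0102,dave,byod,no
LAP-0003,erin,corporate,yes
"""

# Constructed export of device identifiers reported at sign-in, one row per sighting.
OBSERVED_CSV = """device_id,user,last_seen
LAP-0001,alice,2024-05-20
LAP-0002,bob,2024-05-21
PHN-0101,carol,2024-05-19
PHN-0199,frank,2024-05-21
LAP-0001,mallory,2024-05-18
LAP-0003,erin,2024-03-01
"""


def load_csv(text):
    """Parse an in-memory CSV export into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def reconcile(register_rows, observed_rows, today, stale_after_days=30):
    """Compare register and sightings; return findings grouped by category."""
    register = {row["device_id"]: row for row in register_rows}
    findings = {
        "unknown_device": [],        # seen, but absent from the register
        "owner_mismatch": [],        # seen in use by someone other than the owner
        "unenrolled_corporate": [],  # corporate device without management (no remote wipe)
        "unenrolled_byod": [],       # personal device without management
        "not_seen_recently": [],     # registered, but no sighting within the window
    }
    last_seen = {}  # device_id -> most recent sighting date

    for obs in observed_rows:
        dev_id = obs["device_id"]
        entry = register.get(dev_id)
        if entry is None:
            findings["unknown_device"].append((dev_id, obs["user"]))
            continue
        seen = date.fromisoformat(obs["last_seen"])
        if dev_id not in last_seen or seen > last_seen[dev_id]:
            last_seen[dev_id] = seen
        if obs["user"] != entry["owner"]:
            findings["owner_mismatch"].append((dev_id, entry["owner"], obs["user"]))

    for dev_id, entry in register.items():
        if entry["mdm_enrolled"] != "yes":
            key = "unenrolled_corporate" if entry["ownership"] == "corporate" else "unenrolled_byod"
            findings[key].append(dev_id)
        if dev_id not in last_seen or (today - last_seen[dev_id]).days > stale_after_days:
            findings["not_seen_recently"].append(dev_id)
    return findings


def run(today=date(2024, 5, 22)):
    """Reconcile the constructed sample data as of a fixed reference date."""
    return reconcile(load_csv(ASSET_REGISTER_CSV), load_csv(OBSERVED_CSV), today)


if __name__ == "__main__":
    for category, items in run().items():
        print(f"{category}: {items}")
```

Each category maps to an audit question from the sections above: unknown devices and owner mismatches are inventory accuracy problems, unenrolled devices cannot be remotely locked or wiped, and a registered device not seen for weeks may be lost, retired without being removed from the register, or simply unused.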

Implementing Technical Controls

Essential technical controls include:

  • Encryption: transforms sensitive information into a format that is unreadable without the corresponding key, protecting it against unauthorised access.
  • Malware protection: defends user devices against malicious software.
  • Device management solutions.
  • Remote lock or wipe capabilities.

Basic security measures for endpoint devices include:

  • Antivirus software
  • Data encryption
  • Firewalls that regulate traffic to prevent unauthorised access
  • Remote wiping capabilities to ensure data protection for lost or stolen devices.

Auditors verify that technical controls, such as antivirus and encryption, are operational on endpoint devices (through reports). Additional safeguards for devices used outside the organisation mitigate data exposure risks and are integral to effective information security management.


Example Technical Controls for Endpoint Devices

  • Access Control & Authentication: multi-factor authentication (MFA); strong password enforcement; biometric logins; auto-lock and session timeout; device-level encryption keys.
  • Device Encryption & Data Protection: full-disk encryption (BitLocker, FileVault); encrypted removable media; secure boot; disablement of unapproved storage devices.
  • Endpoint Detection & Response (EDR): real-time malware detection; behavioural analytics; automated threat isolation; security telemetry reporting.
  • Patch & Configuration Management: automated OS and software updates; standard build images; vulnerability scanning; secure configuration baselines (CIS Benchmarks).
  • Network Security: host-based firewalls; VPN enforcement; network access control (NAC); blocking of public Wi-Fi without VPN; TLS 1.2+ encryption.
  • Application Control: application whitelisting; blocking unapproved software; sandboxing; browser security configuration.
  • Data Loss Prevention (DLP): monitoring of data exfiltration attempts; blocking of copy/paste to USB or cloud storage; email attachment scanning.
  • Mobile Device Management (MDM): remote wipe; policy enforcement (PIN, encryption, OS version); containerisation for BYOD devices.
  • Backup & Recovery: automated encrypted backups; version control for local files; testing of restore processes.
  • Logging & Monitoring: endpoint log collection; integration with SIEM; anomaly and intrusion detection alerts.

Managing Bring Your Own Device (BYOD) Risks

Organisations should include personal devices in their asset management practices for compliance. Common considerations include:

  • Prevent personal devices from connecting without proper security controls.
  • Enforce policies that separate personal and business use.
  • Protect sensitive information when allowing Bring Your Own Device (BYOD) policies.

Multi-factor authentication (MFA) enhances security by requiring multiple forms of verification for access to sensitive systems. This added layer of protection reduces the risks associated with using personal devices in the workplace.

Physical Security Measures for Endpoint Devices


Physical security controls safeguard endpoint devices from theft and environmental threats. Measures include:

  • Using screen protectors
  • Ensuring devices are not left unattended
  • Requiring logging out after use
  • Securing devices with physical locks

These measures are part of a comprehensive approach to endpoint security, encompassing both digital and physical protection. Implementing these controls ensures device security both in and out of the office.

Employee Training and Awareness Programs

Employee training ensures users understand their responsibilities in protecting endpoint devices. Training staff to identify and respond to social engineering threats significantly enhances organisational security. Regular updates to security awareness training keep all staff informed about information security practices.

The training program should include mechanisms for staff to report suspected security incidents promptly, which strengthens incident response. Documenting security responsibilities in employment contracts establishes a culture of accountability from the start. Such a comprehensive approach ensures employees are aware of the risks and can mitigate them effectively.

Backup and Data Recovery

ISO 27001 Annex A 8.13 addresses the necessity of information backup to ensure data preservation in case of loss. Key points include:

  • Assessing the location and security of personal backups is crucial to mitigating risks.
  • A common challenge is the lack of a structured approach to backups.
  • The security of backups held on personal devices is a frequent concern.

The backup policy should specify the frequency of backups, varying from daily to weekly, based on business needs to maintain data integrity. Regular policy reviews, including topic-specific policies and procedures, are necessary to adapt to changes in business operations or technology, ensuring ongoing effectiveness.

Encryption is crucial for protecting stored backup data, especially when it is held offsite or in cloud environments, to prevent unauthorised access. Data loss prevention is essential in these scenarios.

Documentation and Audit Preparation

Organisations often overlook documenting all endpoint devices, complicating security management. Maintaining proper document version control is crucial, as discrepancies can lead to compliance issues. Audit documentation must cover change management, access management, and generating evidence of control effectiveness.

Keeping an asset register is necessary for auditors to verify the management of endpoint devices. Auditors check if the organisation has a defined management process for endpoint assets.

Regular internal audits should include testing security controls to confirm their effectiveness. Thorough documentation ensures organisations are prepared for audits and can demonstrate compliance.

Common Mistakes to Avoid


A common mistake in managing endpoint devices is not knowing which devices are present and allowing any device to access organisational resources. This oversight can introduce significant risk, as unprotected devices may become entry points for cyber threats.

Another common mistake in backup strategies is relying on single-location backups and neglecting regular recovery tests. These errors can compromise data security and recovery processes, underscoring the importance of consistent practices.

To avoid these pitfalls, organisations should maintain an accurate inventory of devices and conduct regular recovery tests. Learning from these common mistakes enhances endpoint security and ensures compliance with ISO 27001, following best practices in information systems.

Policy and Configuration

Topic-Specific Policy

  • Develop a clear, topic-specific policy covering configuration and handling of user endpoint devices.
  • Communicate this policy to all relevant personnel, ensuring that they understand both the requirements and their responsibilities.

Core Considerations

  1. Information Classification: Define what types of information (and classification levels) can be stored on or processed by each class of endpoint device.
  2. Device Registration: Register endpoint devices to maintain an inventory, track ownership, and manage lifecycle events.
  3. Physical Protection: Enforce measures to secure devices against theft or damage (e.g., locks, alarms, monitored lockers).
  4. Software Installation Restrictions: Implement controlled installation of applications, potentially using remote administrative capabilities.
  5. Software Updates: Configure automatic updates for operating systems and applications to address vulnerabilities promptly.
  6. Network Connections: Establish rules for connecting to internal systems, public networks, or any off-premises networks. Personal firewalls and VPN usage may be mandatory.
  7. Access Controls: Enforce strong authentication methods such as biometrics or multi-factor authentication.
  8. Encryption: Protect data at rest on user endpoint devices through encryption.
  9. Malware Protection: Ensure anti-malware solutions are in place and kept up to date.
  10. Remote Disabling: Enable the ability to remotely lock or wipe devices to protect sensitive data if a device is lost or stolen.
  11. Backups: Implement backup mechanisms for crucial data to prevent data loss.
  12. Web Services and Applications: Define acceptable usage policies for web-based services and applications.
  13. User Behaviour Analytics: Monitor user endpoints for suspicious or anomalous behaviour (see Section 8.16).
  14. Removable Storage: Control the use of removable media and consider disabling ports (e.g., USB) if not essential.
  15. Partitioning: Where feasible, separate organisational data from personal data through containerisation or partitioning.
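Most of the considerations above (OS updates, access controls, encryption, malware protection, remote disabling, removable storage, partitioning for BYOD) can be expressed as a baseline and checked against the posture reports that auditors ask for. The script below is an added example, not code from the article or from any ISO publication: it evaluates constructed device reports against a constructed baseline and lists, per device, which consideration is not met. The baseline values (minimum OS versions, a five-minute auto-lock, 14-day patch age, 3-day anti-malware signature age) are illustrative assumptions, not figures from the standard, and the report field names are assumptions about how a management tool might export posture data.

```python
"""Evaluate endpoint posture reports against a policy baseline.

Added example with constructed data. Baseline thresholds and report field
names are assumptions for illustration, not requirements of ISO/IEC 27001.
"""
from datetime import date

# Constructed baseline mirroring the policy considerations: each key is one check.
BASELINE = {
    "min_os_version": {
        "windows": (10, 0, 19045), "macos": (14, 0, 0),
        "ios": (17, 0, 0), "android": (13, 0, 0),
    },
    "disk_encryption_required": True,
    "max_autolock_seconds": 300,
    "max_patch_age_days": 14,
    "av_required_platforms": {"windows", "macos"},  # mobile platforms rely on OS controls
    "max_av_signature_age_days": 3,
    "mdm_required": True,            # needed for remote lock/wipe
    "byod_requires_container": True, # partition work data on personal devices
    "usb_storage_allowed": False,
}

# Constructed posture reports, one per device.
REPORTS = [
    {"device_id": "LAP-0001", "ownership": "corporate", "os": "windows", "os_version": "10.0.19045",
     "disk_encrypted": True, "autolock_seconds": 300, "last_patch": "2024-05-15",
     "av_signature_date": "2024-05-21", "mdm_enrolled": True, "usb_storage_enabled": False},
    {"device_id": "LAP-0002", "ownership": "corporate", "os": "windows", "os_version": "10.0.19044",
     "disk_encrypted": False, "autolock_seconds": 900, "last_patch": "2024-04-01",
     "av_signature_date": "2024-05-10", "mdm_enrolled": False, "usb_storage_enabled": True},
    {"device_id": "PHN-0101", "ownership": "byod", "os": "ios", "os_version": "17.4.1",
     "disk_encrypted": True, "autolock_seconds": 60, "last_patch": "2024-05-18",
     "mdm_enrolled": True, "work_container": True},
    {"device_id": "PHN-0102", "ownership": "byod", "os": "android", "os_version": "12.0.0",
     "disk_encrypted": True, "autolock_seconds": 600, "last_patch": "2024-05-18",
     "mdm_enrolled": False, "work_container": False},
]


def version_tuple(text):
    """'10.0.19045' -> (10, 0, 19045) so versions compare numerically."""
    return tuple(int(part) for part in text.split("."))


def days_since(iso_date, today):
    return (today - date.fromisoformat(iso_date)).days


def evaluate(report, baseline, today):
    """Return the list of baseline checks this device fails (empty = compliant)."""
    findings = []
    platform = report["os"]
    if version_tuple(report["os_version"]) < baseline["min_os_version"][platform]:
        findings.append(f"OS {report['os_version']} below minimum for {platform}")
    if baseline["disk_encryption_required"] and not report["disk_encrypted"]:
        findings.append("data at rest not encrypted")
    if report["autolock_seconds"] > baseline["max_autolock_seconds"]:
        findings.append(f"auto-lock {report['autolock_seconds']}s exceeds "
                        f"{baseline['max_autolock_seconds']}s")
    if days_since(report["last_patch"], today) > baseline["max_patch_age_days"]:
        findings.append("patches older than allowed")
    if platform in baseline["av_required_platforms"]:
        signature = report.get("av_signature_date")
        if signature is None:
            findings.append("no anti-malware agent reporting")
        elif days_since(signature, today) > baseline["max_av_signature_age_days"]:
            findings.append("anti-malware signatures stale")
    if baseline["mdm_required"] and not report["mdm_enrolled"]:
        findings.append("not enrolled in device management (no remote lock/wipe)")
    if (report["ownership"] == "byod" and baseline["byod_requires_container"]
            and not report.get("work_container", False)):
        findings.append("BYOD device lacks work container or partition")
    if not baseline["usb_storage_allowed"] and report.get("usb_storage_enabled", False):
        findings.append("removable USB storage enabled")
    return findings


def evaluate_fleet(reports=REPORTS, baseline=BASELINE, today=date(2024, 5, 22)):
    """Map each device id to its findings; the fixed date keeps the sample reproducible."""
    return {r["device_id"]: evaluate(r, baseline, today) for r in reports}


if __name__ == "__main__":
    for dev_id, findings in evaluate_fleet().items():
        status = "compliant" if not findings else "; ".join(findings)
        print(f"{dev_id}: {status}")
```

The output is the kind of evidence the audit sections of this article refer to: a dated, per-device record of which controls were in place. Keeping the thresholds in one baseline structure also means a policy review (for instance, tightening the patch window) changes a single value rather than the checking logic.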

Sensitive Information Considerations

In cases where highly sensitive information is handled, consider preventing data from being stored locally on the device. Technical safeguards may include:

  • Disabling local file downloads.
  • Blocking the use of removable storage.
  • Using virtual desktop or sandboxed environments.

User Responsibilities

All end users should understand and follow best practices for device security. This includes:

  1. Session Management: Log off or lock the device when not in use.
  2. Physical Security: Avoid leaving devices unattended or in unsecured public areas.
  3. Public Use Caution: Prevent shoulder surfing in crowded settings and use privacy screens if necessary.
  4. Incident Reporting: Follow organisational procedures if a device is lost, stolen, or compromised.

Personal Devices (BYOD)

Where personal devices are allowed:

  • Separation of Personal and Work Data: Use software tools to compartmentalise corporate data.
  • Acknowledgement of Organisational Rights: Mandate policies that enable remote wiping of corporate data if a device is lost, stolen, or an employee leaves the organisation.
  • Legal and Ownership: Provide clear guidelines on intellectual property rights and potential conflicts.
  • Software Licensing: Clarify licensing obligations for organisation-provided software installed on personal devices.

Wireless Connections

Organisations should establish procedures for:

  • Configuring wireless connectivity with secure protocols.
  • Limiting usage of risky public Wi-Fi and ensuring secure VPN tunnels when remote.
  • Allocating sufficient bandwidth for critical operations like backups and updates.

Key Concepts and Domains

  • Control Type: Preventive
  • Security Properties: Confidentiality, Integrity, Availability
  • Cybersecurity Concepts: Protection
  • Operational Capabilities: Asset Management, Information Protection

Conclusion

User endpoint devices are indispensable for modern workflows but also pose significant security challenges. By defining clear policies, implementing strong technical controls, and fostering user awareness, organisations can reduce risks and ensure that sensitive data remains protected—wherever it is accessed, stored, or processed.