Example for User Endpoint Device Policy

1. Purpose

The use of desktops, laptops, mobile, and other Endpoint Devices (hereafter referred to as Endpoint Devices) is integral to a modern working environment. Many Endpoint Devices are increasingly mobile, which significantly increases the risk to the security of data both contained on and accessed by these devices. This policy addresses that risk by establishing the responsibilities of both Users and the Office of Information Technology (OIT) to maintain the security of data that is stored, accessed, or transmitted via Endpoint Devices.

2. Scope

This policy applies to any mobile device or endpoint computer issued by XXX, or used for XXX business, that contains stored data owned by XXX.

3. Policy

All employees shall assist in protecting devices issued by XXX or storing XXX data. Users are expressly forbidden from storing XXX data on devices that are not issued by XXX, such as storing XXX email on a personal cell phone or PDA.

3.1 Information Security

  • All care is taken to prevent unintended exposure, modification, or removal of private, copyright, or confidential information as a result of leaving this information on the screen or desk, or exposed in such a way that it can be viewed or accessed by an unauthorised individual. This includes information stored on portable storage media or hard copy.
  • Any private, sensitive, or confidential information that is stored on such an Endpoint device has the appropriate security controls to restrict and prevent retrieval or intercept by an unauthorised third-party.
  • Business information and work is stored in such a way as to enable an authorised back-up service to store and protect the information.

3.2 Workstation Security

  1. Workforce members using workstations shall consider the sensitivity of the information that may be accessed and minimize the possibility of unauthorized access.
  2. XXX will implement physical and technical safeguards for all workstations that access electronic protected information to restrict access to authorized users.
  3. Appropriate measures include:
    • Restricting physical access to workstations to only authorized personnel.
    • Securing workstations (screen lock or logout) prior to leaving area to prevent unauthorized access.
    • Enabling a password-protected screen saver with a short timeout period to ensure that workstations that were left unsecured will be protected. The password must comply with XXX’s Password Policy.
    • Complying with all applicable password policies and procedures. See XXX’s Password Policy.
    • Ensuring workstations are used for authorized business purposes only.
    • Never installing unauthorized software on workstations.
    • Storing all sensitive information on network servers.
    • Keeping food and drink away from workstations in order to avoid accidental spills.
    • Securing laptops that contain sensitive information by using cable locks or locking laptops up in drawers or cabinets.
    • Installing privacy screen filters or using other physical barriers to alleviate exposing data.
    • Ensuring workstations are left on but logged off in order to facilitate after-hours updates.
    • Exiting running applications and closing open documents.
    • Ensuring that all workstations use a surge protector (not just a power strip) or a UPS (battery backup).
    • If wireless network access is used, ensuring access is secure by following the Wireless Communication Policy.

3.3 Endpoint Software
All software contains security vulnerabilities, and software vendors are constantly supplying updates (patches) to address these vulnerabilities when they are identified.

  • Endpoint software Operating Systems (OS) and application software are to be kept up to date with the latest security related patches, as soon as it is practical to do so, i.e.:
    • Critical security patches are applied within 1 week of them being released by vendors.
    • Important security patches are applied within 8 weeks of them being released by vendors.
    • Endpoint systems must be restarted following installation, to ensure security patches have been fully installed.
    • Where possible, it is recommended that Endpoint devices are set to auto-update their security patch levels, and restart if necessary to complete the installation.
  • OSs that reach end of support life are by default not permitted to connect to the University network. This is because security patches are no longer provided by vendors and this poses a growing security threat to the environment over time. If a special exemption is required, this must be requested formally via the IT Service Desk and approved by the CIO.
  • IT will install Endpoint device management software, as required, on any Endpoint connected to the XXX network in order to manage XXX policy, legal, and commercial compliance requirements.
  • The removing or disabling of Endpoint device management software without prior approval of IT is considered a breach of this policy.
  • IT will audit XXX owned Endpoint devices as required, and has the ability to install updates to software on these devices to address software vulnerabilities or licensing issues with IT’s managed software.
  • Departments who choose to operate and manage their own specific software on Endpoint devices accept responsibility for the associated licensing, installation, updates, and security as it relates to this software, in accordance with this policy.
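As an added example (not part of the policy text), the section 3.3 patch windows and end-of-support rule expressed as a compliance check over a constructed endpoint inventory; the record fields, host names and patch ids are assumptions, and the windows are counted from the vendor release date.

```python
from datetime import date, timedelta

# Patch windows stated in section 3.3 (assumed to count from vendor release date).
PATCH_WINDOW_DAYS = {"critical": 7, "important": 56}

# Constructed inventory, one record per endpoint, in the shape an endpoint
# management export might take. Host names, patch ids and dates are made up.
INVENTORY = [
    {"host": "lt-001", "os_end_of_support": date(2026, 10, 14), "eol_exemption": False,
     "pending_reboot": False,
     "missing_patches": [{"id": "KB-A", "severity": "critical", "released": date(2024, 3, 1)}]},
    {"host": "lt-002", "os_end_of_support": date(2024, 1, 9), "eol_exemption": False,
     "pending_reboot": True, "missing_patches": []},
    {"host": "lt-003", "os_end_of_support": date(2024, 1, 9), "eol_exemption": True,
     "pending_reboot": False,
     "missing_patches": [{"id": "KB-B", "severity": "important", "released": date(2024, 2, 1)}]},
]


def check_endpoint(ep, today):
    """Return the list of policy findings for one endpoint (empty list = compliant)."""
    findings = []
    # 3.3: an end-of-support OS may not connect unless a formally approved exemption exists.
    if ep["os_end_of_support"] <= today and not ep["eol_exemption"]:
        findings.append("os_end_of_support")
    # 3.3: a patch is not fully installed until the endpoint has been restarted.
    if ep["pending_reboot"]:
        findings.append("restart_required")
    # 3.3: critical within 1 week, important within 8 weeks of vendor release.
    for p in ep["missing_patches"]:
        window = PATCH_WINDOW_DAYS.get(p["severity"])
        if window is None:
            continue  # lower severities carry no deadline in this policy
        deadline = p["released"] + timedelta(days=window)
        if today > deadline:
            findings.append(f"overdue_{p['severity']}:{p['id']}")
    return findings


def noncompliant_hosts(inventory, today):
    """Map host -> findings for every endpoint with at least one finding."""
    return {ep["host"]: f for ep in inventory if (f := check_endpoint(ep, today))}


if __name__ == "__main__":
    for host, findings in noncompliant_hosts(INVENTORY, date(2024, 3, 15)).items():
        print(host, ", ".join(findings))
```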

3.4 Administrative Access
In accordance with the principle of least privilege, unnecessary administrative access on XXX owned Endpoint devices will be restricted.

3.5 Authentication
Endpoint devices containing XXX information assets that are not publicly available, or devices which attach to XXX’s network, must be secured as appropriate by a network or locally based user code and password or a PIN.

3.6 Antivirus Software & Firewalls

  • All Endpoint devices capable of running an antivirus software program are required to do so before connecting to the Massey internal network. Additionally, any such antivirus software must be running the latest virus definitions to accurately detect the latest viruses and malware, and be set to automatically update when newer definitions become available.
  • Disabling or removing Antivirus software, or disabling Antivirus definition updates, on endpoints is prohibited.
  • All Endpoint devices capable of running local Firewall software are required to do so to protect the device from external threats such as hacking by unauthorised parties.

3.7 Servers & Web Applications

  • All Servers (or devices exposed to the internet, in the DMZ, or running web services) will be ‘hardened’, meaning they will have all the necessary security updates applied to their Operating System, hardware (firmware updates), and installed software, to reduce the chances of vulnerabilities being exploited. All such updates must be reviewed and maintained regularly to ensure they remain up to date. It is the Server Administrator’s responsibility to manage this.
  • New Services that are externally (internet) facing will require independent security vulnerability and penetration testing to be performed by a security specialist prior to implementation, and subsequently added to the IT Security Review Schedule, to provide assurance that data or services won’t be exposed to medium or high risk security threats.

3.8 Network Segmentation
Endpoint devices will be attached to XXX’s network within the appropriate network segment as determined by applicable Endpoint security controls.

3.9 Personal devices
Personal devices (i.e. those not purchased or owned by XXX) that are authorised to connect to the XXX’s network remain the responsibility of the owner, and must comply with this policy.

3.10 Information Technology (IT) Security Services
IT Security Services will:

  • Provide support and advice on this policy via the IT Service Desk.
  • Maintain and manage the XXX’s security infrastructure, such as firewalls, and implement intrusion detection and prevention practices in order to limit threats and provide early detection of security breaches where possible.
  • Provide anti-spam and anti-virus protection on endpoints they are directly responsible for, and ensure these are kept up to date.
  • Work with departments on the security principle of “least privilege” in order to manage the security model for both user and endpoint devices.
  • Manage the accounts and user code policies and technology necessary to manage device and user authentication, as well as install any necessary controls required to manage Endpoint devices that connect to the network.
  • Monitor endpoint device connectivity and activity as it relates to managing and protecting the XXX’s network.
  • Disconnect, isolate, or restrict without notice any endpoint device that is identified to pose a threat or is impacting the confidentiality, integrity, or availability of the XXX’s network.
  • Manage the IT infrastructure network Internet Protocol (IP) numbering and network segmentation scheme to administer and isolate the environment, and apply necessary protective controls to manage endpoints as securely as possible.
  • Apply any required security or encryption standards necessary to protect endpoints that are identified as storing sensitive or confidential data.
  • Apply security updates as per this policy for Endpoint devices, on behalf of the XXX.

3.11 Browser Add-ons
In general, XXX does not recommend using Browser Add-ons; however, the use of these tools is not forbidden if they enhance productivity. After installing a Browser Add-on, employees shall run a browser testing tool. See MS Endpoint Privacy & Security Guidelines for recommended testing tools.

4. Policy Compliance

4.1 Compliance Measurement

The IT team will verify compliance with this policy through various methods, including but not limited to periodic walk-throughs, video monitoring, business tool reports, internal and external audits, and feedback to the policy owner.

4.2 Exceptions

Any exception to the policy must be approved by the IT team in advance.

4.3 Non-Compliance

An employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.
