iso27diy-corp/Corpus/Standards/ISO-27002-OST/ISO27002-EN-2022/a-8.1-User-endpoint-devices.md

8.1 User endpoint devices

| Control type | Information security properties | Cybersecurity concepts | Operational capabilities | Security domains |
|---|---|---|---|---|
| #Preventive | #Confidentiality #Integrity #Availability | #Protect | #Asset_management #Information_protection | #Protection |

Control

Information stored on, processed by or accessible via user endpoint devices should be protected.

Purpose

To protect information against the risks introduced by using user endpoint devices.

Guidance

General

The organization should establish a topic-specific policy on secure configuration and handling of user endpoint devices. The topic-specific policy should be communicated to all relevant personnel and consider the following:

a) the type of information and the classification level that the user endpoint devices can handle, process, store or support;
b) registration of user endpoint devices;
c) requirements for physical protection;
d) restriction of software installation (e.g. remotely controlled by system administrators);
e) requirements for user endpoint device software (including software versions) and for applying updates (e.g. active automatic updating);
f) rules for connection to information services, public networks or any other network off premises (e.g. requiring the use of a personal firewall);
g) access controls;
h) storage device encryption;
i) protection against malware;
j) remote disabling, deletion or lockout;
k) backups;
l) usage of web services and web applications;
m) end user behaviour analytics (see 8.16);
n) the use of removable devices, including removable memory devices, and the possibility of disabling physical ports (e.g. USB ports);
o) the use of partitioning capabilities, if supported by the user endpoint device, which can securely separate the organization's information and other associated assets (e.g. software) from other information and other associated assets on the device.

Consideration should be given as to whether certain information is so sensitive that it can only be accessed via user endpoint devices, but not stored on such devices. In such cases, additional technical safeguards can be required on the device, for example ensuring that downloading files for offline working is disabled and that local storage, such as an SD card, is disabled.

As far as possible, the recommendations on this control should be enforced through configuration management (see 8.9) or automated tools.
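As an added illustration of enforcing these items through automated tools (example code written for this page, not part of ISO/IEC 27002 or of the iso27diy corpus), the following Python script evaluates constructed device-posture records against a baseline derived from the policy items above and from the "accessed but not stored" case. It also applies the personal/business separation item from the "Use of personal devices" section below, so it goes slightly beyond the general list. The `Endpoint` field names, the threshold values, the classification scale and the sample devices are all assumptions.

```python
from dataclasses import dataclass

# Constructed baseline values (assumptions, not taken from the standard).
MIN_OS_VERSION = (14, 0)
MAX_BACKUP_AGE_DAYS = 7
CLASSIFICATION_RANK = {"public": 0, "internal": 1, "confidential": 2, "secret": 3}
ACCESS_ONLY_LEVEL = "secret"  # may be accessed via the device, never stored on it


@dataclass
class Endpoint:
    """Posture record as a device-management agent might report it (field names assumed)."""
    device_id: str
    registered: bool
    os_version: str
    auto_update: bool
    disk_encrypted: bool
    firewall_enabled: bool
    malware_protection: bool
    remote_wipe_enrolled: bool
    usb_storage_blocked: bool
    admin_install_only: bool
    days_since_backup: int
    max_classification: str
    offline_download_enabled: bool
    sd_card_enabled: bool
    is_personal: bool
    work_profile_separated: bool


def parse_version(text: str) -> tuple:
    """'14.2.1' -> (14, 2, 1); non-numeric parts count as 0 so comparison never raises."""
    return tuple(int(p) if p.isdigit() else 0 for p in text.split("."))


def check_endpoint(ep: Endpoint) -> list:
    """Return the list of policy items the device fails; an empty list means compliant."""
    f = []
    if not ep.registered:
        f.append("registration: device not in inventory")
    if parse_version(ep.os_version) < MIN_OS_VERSION or not ep.auto_update:
        f.append("software: OS below baseline or automatic updates off")
    if not ep.admin_install_only:
        f.append("software: users can install arbitrary software")
    if not ep.firewall_enabled:
        f.append("network: personal firewall disabled")
    if not ep.disk_encrypted:
        f.append("storage: device storage not encrypted")
    if not ep.malware_protection:
        f.append("malware: no endpoint protection")
    if not ep.remote_wipe_enrolled:
        f.append("remote: device cannot be remotely locked or wiped")
    if ep.days_since_backup > MAX_BACKUP_AGE_DAYS:
        f.append("backup: last backup older than %d days" % MAX_BACKUP_AGE_DAYS)
    if not ep.usb_storage_blocked:
        f.append("removable media: USB mass storage allowed")
    # Devices cleared for access-only information need the extra safeguards:
    # no offline copies and no local removable storage.
    if CLASSIFICATION_RANK[ep.max_classification] >= CLASSIFICATION_RANK[ACCESS_ONLY_LEVEL]:
        if ep.offline_download_enabled:
            f.append("classification: offline download enabled on access-only device")
        if ep.sd_card_enabled:
            f.append("classification: SD card enabled on access-only device")
    # Personal devices must keep business data separated from private data.
    if ep.is_personal and not ep.work_profile_separated:
        f.append("BYOD: no separation between personal and business use")
    return f


def audit(fleet) -> dict:
    """Map each device id to its findings; compliant devices map to an empty list."""
    return {ep.device_id: check_endpoint(ep) for ep in fleet}


# Constructed sample fleet: one compliant laptop, one drifted laptop, one BYOD phone.
SAMPLE_FLEET = [
    Endpoint("LT-001", True, "14.2.1", True, True, True, True, True, True, True, 1,
             "confidential", True, False, False, True),
    Endpoint("LT-002", True, "13.6", False, False, True, True, True, False, True, 12,
             "secret", True, True, False, True),
    Endpoint("PH-017", False, "14.0", True, True, True, True, True, True, True, 3,
             "internal", True, False, True, False),
]

if __name__ == "__main__":
    for dev, findings in audit(SAMPLE_FLEET).items():
        print(dev, "OK" if not findings else "\n  " + "\n  ".join(findings))
```

Each finding names the policy topic it maps to, so the output of `audit` can be fed to a ticketing or configuration-management workflow per device rather than read by hand; in practice the records would come from the management agent's inventory export instead of the constructed list.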

User responsibility

All users should be made aware of the security requirements and procedures for protecting user endpoint devices, as well as of their responsibilities for implementing such security measures. Users should be advised to:

a) log off active sessions and terminate services when no longer needed;
b) protect user endpoint devices from unauthorized use with a physical control (e.g. key lock or special locks) and logical control (e.g. password access) when not in use; not leave devices carrying important, sensitive or critical business information unattended;
c) use devices with special care in public places, open offices, meeting places and other unprotected areas (e.g. avoid reading confidential information if people can read from the back, use privacy screen filters);
d) physically protect user endpoint devices against theft (e.g. in cars and other forms of transport, hotel rooms, conference centres and meeting places).

A specific procedure taking into account legal, statutory, regulatory, contractual (including insurance) and other security requirements of the organization should be established for cases of theft or loss of user endpoint devices.

Use of personal devices

Where the organization allows the use of personal devices (sometimes known as BYOD), in addition to the guidance given in this control, the following should be considered:

a) separation of personal and business use of the devices, including using software to support such separation and protect business data on a private device;
b) providing access to business information only after users have acknowledged their duties (physical protection, software updating, etc.), waiving ownership of business data, and allowing remote wiping of data by the organization in case of theft or loss of the device or when no longer authorized to use the service. In such cases, PII protection legislation should be considered;
c) topic-specific policies and procedures to prevent disputes concerning rights to intellectual property developed on privately owned equipment;
d) software licensing agreements that are such that organizations can become liable for licensing for client software on user endpoint devices owned privately by personnel or external party users.

Wireless connections

The organization should establish procedures for:

a) the configuration of wireless connections on devices (e.g. disabling vulnerable protocols);
b) using wireless or wired connections with appropriate bandwidth in accordance with relevant topic-specific policies (e.g. because backups or software updates are needed).

Other information

Controls to protect information on user endpoint devices depend on whether the user endpoint device is used only inside of the organization's secured premises and network connections, or whether it is exposed to increased physical and network related threats outside of the organization.

The wireless connections for user endpoint devices are similar to other types of network connections but have important differences that should be considered when identifying controls. In particular, back-up of information stored on user endpoint devices can sometimes fail because of limited network bandwidth or because user endpoint devices are not connected at the times when backups are scheduled.

For some USB ports, such as USB-C, disabling the USB port is not possible because it is used for other purposes (e.g. power delivery and display output).