Version: 1.0
Approved By: Richard D’Lonesteen
Created at: 12/08/2023
1. Purpose
The purpose of this policy is to manage and mitigate risks associated with endpoint vulnerabilities on all company-operated devices, specifically Windows and Mac machines. This document outlines required security measures, including the adoption of specific security tools and mandatory update processes, to safeguard organizational data and assets from potential security threats.
2. Scope
This policy applies to all employees, contractors, and third-party vendors who use Windows and Mac devices to access the company's network and data.
3. Policy Statement
- Windows Devices:
- Microsoft 365 Defender Installation:
All Windows devices, whether owned or managed by the company, must have Microsoft 365 Defender installed to provide comprehensive protection against malware, viruses, spyware, and other malicious software and activities.
- Automatic Updates:
Microsoft 365 Defender on all Windows devices must be configured to receive automatic updates, ensuring that all security signatures and software components are up to date. Updates will include, without limitation, security signature files, scanning engines, and software patches.
- Daily Scanning:
Microsoft 365 Defender must be set to conduct automatic scans daily. These scans must execute at times that minimize impact on user productivity, preferably during off-peak hours.
- Mac Devices:
- Built-In Protections:
All Mac devices must utilize the built-in security features provided by macOS including, but not limited to, XProtect, Gatekeeper, and the Malware Removal Tool.
- Signature Updates:
Security-signature updates for the macOS built-in protections must occur daily. Device settings must ensure automatic downloads and installs of these updates to maintain defenses against the latest known threats.
4. Enforcement
Compliance with this policy is mandatory. The IT department must ensure the installation of required software during the setup of devices and thereafter maintain configurations as prescribed herein, including timely updates and scans.
Violations of this policy may result in disciplinary action, up to and including termination of employment or contracts. Continuous non-compliance may also result in restricted access to the company's networks and devices until corrective measures are implemented.
5. Maintenance and Review
- IT Security Reviews:
The IT department is tasked with annual reviews of endpoint security compliance to ensure:
- Proper function and operation of Microsoft 365 Defender and macOS built-in protections.
- Adherence to the update and scanning schedules.
Additionally, IT should test the efficacy of all endpoint security measures semi-annually and suggest enhancements during review meetings.
- Policy Updates:
This policy will be reviewed and updated annually to adapt to new security challenges and technological advancements. Urgent updates may occur when significant flaws or vulnerabilities are identified.
6. Exceptions
Any exceptions to this policy must be approved by the CISO and documented with specific reasons and expected duration of the exception. All exceptions will be periodically reviewed to assess the continuing need against potential risks.