
Control 8.1: User Endpoint Devices


Summary

Information stored on, processed by, or accessible via user endpoint devices should be protected. This ensures that laptops, smartphones, and tablets are secured against unauthorized access, loss, or theft, maintaining the integrity of the data they handle.


Applicability

In-Scope: Mandatory for all organizations with a mobile or remote workforce. It is a critical control for managing the security of physical hardware that leaves the corporate perimeter and connects to various networks.

Out-of-Scope: Never out-of-scope for any organization providing hardware to its personnel.


Implementation Guidance

Microsoft 365 / Entra ID

  • Device Enrollment: Use Microsoft Intune to enroll all company-owned and BYOD devices, ensuring they are under formal management before accessing corporate data.

  • Compliance Policies: Enforce strict compliance rules via Intune, such as requiring active antivirus, specific OS versions, and a healthy device state.

  • Protection: Implement Microsoft Defender for Endpoint on all registered devices to provide real-time threat detection and automated remediation.


Evidence Checklist

  • Endpoint Security Policy: A documented policy defining the security requirements for all user devices.

  • Inventory Records: A real-time list of managed devices from the Microsoft Intune portal.

  • Compliance Reports: Logs proving that the majority of devices meet the organization's security baseline.


Practical Audit Advice

Here are some questions the auditor might ask:

  • How do you ensure that a device is automatically blocked from accessing Entra ID resources if it falls out of security compliance?

  • What is the process for ensuring that third-party applications installed on endpoint devices are kept up to date and patched?

  • Can you demonstrate the technical controls used to prevent users from disabling local security features like firewalls or disk encryption?

  • How are unmanaged or personal devices restricted from syncing company email or downloading sensitive files?
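The following script is an added example and not part of the original page; it shows one way to produce the compliance evidence named in the checklist above and to stage the automatic-blocking control the first audit question asks about. It assumes the Microsoft Graph PowerShell SDK is installed and that the signed-in account holds the scopes requested in Connect-MgGraph; the function names and the break-glass group placeholder are assumptions, not values from the page.

```powershell
# Added example (not from the original page): pull Intune device compliance
# state through Microsoft Graph and write it out as audit evidence, then stage
# a Conditional Access policy that requires a compliant device (report-only by
# default). Assumes the Microsoft.Graph PowerShell SDK modules below are
# installed. Function names are hypothetical.

#Requires -Modules Microsoft.Graph.Authentication, Microsoft.Graph.DeviceManagement, Microsoft.Graph.Identity.SignIns

function Connect-EndpointAudit {
    # Read-only scope for the device inventory; the CA scope is only needed
    # for the policy step.
    Connect-MgGraph -Scopes 'DeviceManagementManagedDevices.Read.All',
                            'Policy.ReadWrite.ConditionalAccess' -NoWelcome
}

function Get-EndpointComplianceEvidence {
    param(
        [int]$StaleAfterDays = 30,
        [string]$OutputPath = ".\intune-compliance-$(Get-Date -Format yyyyMMdd).csv"
    )
    $cutoff = (Get-Date).AddDays(-$StaleAfterDays)

    # One row per managed device; -All pages through the whole collection.
    $devices = Get-MgDeviceManagementManagedDevice -All |
        Select-Object DeviceName, UserPrincipalName, OperatingSystem, OSVersion,
                      ComplianceState, IsEncrypted, LastSyncDateTime

    # A device that has not checked in recently cannot prove its state, so it
    # is flagged separately from devices Intune itself marks noncompliant.
    $report = foreach ($d in $devices) {
        [pscustomobject]@{
            DeviceName      = $d.DeviceName
            User            = $d.UserPrincipalName
            OS              = "$($d.OperatingSystem) $($d.OSVersion)"
            ComplianceState = $d.ComplianceState
            DiskEncrypted   = $d.IsEncrypted
            LastSync        = $d.LastSyncDateTime
            Finding         = if ($d.ComplianceState -ne 'compliant') { 'NONCOMPLIANT' }
                              elseif ($d.LastSyncDateTime -lt $cutoff)  { 'STALE' }
                              else                                      { 'OK' }
        }
    }

    # The CSV is the artefact handed to the auditor; the summary is for the
    # operator running the script.
    $report | Export-Csv -Path $OutputPath -NoTypeInformation
    Write-Host "Evidence written to $OutputPath"
    $report | Group-Object Finding | Select-Object Name, Count | Format-Table -AutoSize
    return $report
}

function New-CompliantDeviceAccessPolicy {
    param(
        [string]$DisplayName = 'CA - Require compliant device for all cloud apps',
        [switch]$Enforce
    )
    # Report-only first: sign-in logs then show who would have been blocked
    # before anyone actually is.
    $state = if ($Enforce) { 'enabled' } else { 'enabledForReportingButNotEnforced' }
    $policy = @{
        displayName   = $DisplayName
        state         = $state
        conditions    = @{
            # Placeholder: object ID of the emergency-access (break-glass) group.
            users        = @{ includeUsers = @('All'); excludeGroups = @('<break-glass-group-object-id>') }
            applications = @{ includeApplications = @('All') }
        }
        grantControls = @{
            operator        = 'OR'
            builtInControls = @('compliantDevice')
        }
    }
    New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
}

# Usage:
# Connect-EndpointAudit
# $evidence = Get-EndpointComplianceEvidence -StaleAfterDays 30
# New-CompliantDeviceAccessPolicy            # report-only mode
# New-CompliantDeviceAccessPolicy -Enforce   # after the report-only results are reviewed
```

The CSV gives the auditor a dated inventory with a per-device finding rather than a screenshot of the Intune portal, and the STALE category makes the "not reporting" gap visible instead of letting those devices hide among the compliant ones. The policy is created in report-only mode on purpose: once the sign-in logs confirm that only genuinely noncompliant devices would be affected, re-running it with -Enforce is what turns the first audit question's "automatically blocked" into a statement the evidence supports.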