Connor Group Information Security
Endpoint Management
November 2023
v.1.2
Introduction
Despite the broad adoption of mobile devices in work environments, computer workstations and laptops (computer endpoints) are still the primary tool for work productivity and connectivity in business environments. As such, computer endpoints must be appropriately managed and protected to ensure compliance with legal and business requirements for Connor Group assets. This standard codifies expectations for proper management of computer endpoints. This is one of a set of documents that together form Connor Group's Information Security Management System (ISMS).
Purpose
The purpose of this Standard is to set out expectations and requirements for Computer Endpoints utilized by Connor Group.
Scope
This Standard applies to computer endpoint systems, defined as desktop, laptop, and VDI systems used by CG employees to access Connor Group networks, data, or systems. This includes endpoint access to Third Party systems used by Connor Group for business purposes.
For this Standard, the term “IT Systems” includes the following (in scope):
- Applications (e.g., Outlook, Slack, Adobe, Java)
- Operating Systems (e.g., Linux/Solaris/Windows)
- Network Devices (e.g., Switches/Routers/Firewalls)
- Servers, both physical and virtual
- Desktop Systems, both physical and virtual
- Storage Solutions (e.g. File servers, NAS)
- Removable Media (e.g. MicroSD cards, USB drives)
For this Standard, the term “IT Systems” excludes the following (out of scope):
- Smartphones (e.g., iPhones, Androids, etc.)
- Tablets (e.g., iPads)
All staff and Third Parties responsible for the management of IT Systems must understand and follow the requirements herein.
In the event of uncertainty regarding the applicability of this Standard, contact Information Security for clarification and/or guidance at [email protected].
Definitions
References for terminology or acronyms used within Information Security Standards can be accessed within the Glossary of Definitions (https://helpdesk.connorgp.com/a/solutions/articles/11000112202).
Standard
Adherence to requirements in this standard is mandatory.
1. Endpoint Configuration
| Ref | Requirement |
| --- | --- |
| 1.1 | Connor Group shall regularly maintain standard configurations for endpoint computer systems accessing Company networks, with configurations updated at least annually, or when significant changes occur in the environment. |
| 1.2 | Standard endpoint configuration shall be reviewed and approved by Information Security in accordance with endpoint hardening best practices. |
| 1.3 | User access on endpoints shall be configured utilizing the Principles of Least Privilege by default. |
| 1.4 | Endpoints shall utilize full disk encryption to protect data at rest and require authentication prior to data decryption on the endpoint. |
| 1.5 | An inventory of company assets shall be regularly maintained and validated against endpoints accessing network resources. |
| 1.6 | Endpoints shall be configured with security agents and configurations as requested and documented by Information Security for protection and monitoring. |
| 1.7 | Modification, removal, or configuration of Information Security software on endpoints shall only be performed with explicit approval from the CIO or their designee representing Information Security. a) Such changes require an approved timeline for returning the endpoint back to baseline as part of the justification and request. |
| 1.8 | Endpoint systems shall be configured to have a screen lock after 15 minutes of inactivity with authentication required to unlock. |
2. Endpoint Management
| Ref | Requirement |
| --- | --- |
| 2.1 | Centralized management of endpoints shall be coordinated between Information Security and Information Technology, with visibility and reporting of the following, at a minimum: |
| 2.2 | Logging and alerting of endpoints shall be configured in compliance with Connor Group’s Auditing and Logging Standard. |
| 2.3 | When an endpoint asset changes ownership, it shall be reloaded and configured with the most recent IT configuration baseline. |
| 2.4 | Connor Group shall have a process approved by Information Security in place for monitoring and remediating configuration drift to comply with the current configuration standard. |
Compliance
The Information Security team shall verify compliance with this policy through various methods, including but not limited to walk-throughs, environment sampling, process review, monitoring, business tool reports, internal and external audits, and feedback to the policy owner.
Any exceptions to this Standard require a formally approved exemption documenting justification and approval against compliance to this Standard. Exemption approvals are required prior to the System entering live operation.
The following are required to adhere to this Standard, except where a formal exception has been granted as above:
- All Connor Group Systems and employees, independent contractors, and subcontractors. Any individual found to have violated this Standard may be subject to disciplinary actions including termination and legal recourse.
- Any Third-Party System that is used to support Connor Group data and/or Services. Any Third Party that violates this Standard will be considered to have breached their contract with the Connor Group.
Revision History
Revisions require approval by the Director of Information Security and dissemination to applicable business units prior to release.
| Version | Detail | Author | Date |
| --- | --- | --- | --- |
| 1.1 | Formatting revised with requirements under Standards enumerated for easier reference. | Connor Group Information Security | May 2021 |
| 1.2 | | Connor Group Information Security | November 2023 |