Defence in Depth for Endpoints and Network

Endpoint devices include mobile devices, workstations, and servers. Endpoint devices should connect to the network through a secure channel (such as a Virtual Private Network, or VPN) so that data is not intercepted while a client retrieves it. Endpoint devices must also have adequate security controls, such as encryption, antivirus, and firewalls, to keep both data in transit and data at rest protected (especially when a device is lost or stolen). Additionally, all corporate networks should be encrypted using industry best-practice standards.

Control Objective

  • Endpoints include servers, desktops, laptops, tablets, and mobile devices
  • Networks include wired and wireless, and require secure perimeter, network segmentation, and known ingress/egress points
  • Controls must exist to prevent, detect, and respond to security incidents
  • Technologies must include firewall, intrusion prevention, web content filtering, email content filtering, and anti-virus at a minimum
  • Systems must be hardened (e.g. default passwords and shared accounts must not be used, unnecessary services are disabled, and insecure protocols are disabled)
  • Additional controls may be required to mitigate risk to your organization