End user device controls

What are end user device controls? Which are required for compliance? How do you balance systematic vs. policy-based implementation?

End user device controls are a broad topic covering many different activities, each of which may or may not be performed to support compliance.
 
What's required for compliance with standards?
Some standards, like the CDR, are more prescriptive on end user device controls, requiring anti-virus software, application whitelisting, email monitoring and blocking, data loss prevention, and end user device hardening. CSA STAR goes a step further with device tracking and remote wipe capabilities, which require a mobile device manager to implement.
Other standards like SOC 2 and ISO 27001 are less prescriptive in this regard, with criteria or optional controls for these end user device security practices. 
 
The balance of systematic vs. culture-based implementation
End user device controls need to strike a balance that fits the culture, objectives and risk profile of the company. An insurer or bank with highly sensitive data and thousands of employees is more likely to completely lock down its users' devices and minimise data access. A startup with few senior personnel, who need to move at a faster pace building the business and changing systems frequently, is more likely to allow more flexibility with devices. The same control principles apply in either case, but the approach to achieving those principles can rely more on systematic enforcement or more on a culture-based approach. The latter communicates policies and requirements, but relies on individuals to abide by them and, in some cases, exercise their own judgement. This relies more on security awareness, individual accountability, and other risk mitigation activities to achieve the security objectives, while allowing more flexibility and reducing the burden of rigid systematic controls.
 
The risk assessment of end user devices
The starting point for a risk assessment is looking at what sensitive data and system access can be exploited through an end user's device. The two risks to consider from a security standpoint are the risk of exploitation and the risk of data leakage. The former is when a device is compromised by an unauthorised person, who then gains access to the systems and data through the device. The latter relates to the accidental, or inappropriate deliberate, transfer of data outside the boundaries of the system protections and the appropriate use of that data.
If sensitive data and system access are tightly controlled, and ideally segregated from any end user devices, then the associated risks, in terms of the potential impact of a compromised device, are minimal. In contrast, if sensitive data and access credentials are saved locally on devices, those risks can be quite significant.
 
What end user device controls should be considered?
The following control activities should be considered, with a risk-based approach:
  • End user device security hardening: Security is a broad topic in itself, covering minimum security settings like passwords, multi-factor authentication, screen-lock, hard-disk encryption, local firewalls, restricting local administrator access, and so on, that all work to secure the devices and the systems and data on those devices.
  • Anti-virus software: Anti-virus software is used to identify, block, quarantine and remove malicious software (malware) from devices to prevent potential exploits. Anti-virus software is installed on devices with automatic updates, so that it keeps scanning for the latest threats. A centralised anti-virus console can be used to monitor device compliance and threats.
  • Data sharing restrictions: Restricting data sharing from devices is a data leakage prevention practice. This may include blocking and monitoring emails with attachments, certain keywords, or meeting other conditions. It also includes prohibiting or blocking removable media, file sharing and backups to separate systems like iCloud, blocking AirDrop and unsecured networks, etc.
  • Application whitelisting: The installation of software on devices gives rise to the risk of both malware and data loss through file or data sharing software. Application whitelisting is the practice of having a pre-approved list of software that can be used for the required business activities, and prohibiting or systematically blocking any other software from being used without approval.
  • Device management: Mobile device management (MDM) software centrally tracks end user devices and is often used to enforce or monitor the above security practices. In addition, it provides functionality to monitor the devices' locations and to remotely wipe a device if it is lost or stolen.

 

Which of these controls are implemented, and whether they are systematically enforced or reliant on people and culture, should be informed by the risk assessment and the balance of objectives. The culture-based approach to the above is to communicate the policies and requirements, raise awareness of security threats, and monitor compliance with the policies, but otherwise not systematically enforce the above restrictions and safeguards. That allows companies and individuals to move faster in their roles, reduces the administrative burden, and saves costs, but carries greater security exposure.
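The sketch below is an added example, not part of the original article: it shows how a risk assessment result can decide, per control, whether a failed check blocks access (systematic enforcement) or only notifies the user (culture-based monitoring). The control names, the two risk tiers, the baseline and the device records are all constructed assumptions, not taken from any standard or MDM product.

```python
# Added example. Per risk tier, each control is either systematically
# enforced ("enforce") or only monitored against policy ("monitor").
BASELINE = {
    "high": dict.fromkeys(
        ["disk_encryption", "screen_lock", "antivirus_current",
         "local_admin_restricted", "removable_media_blocked", "mdm_enrolled"],
        "enforce"),
    "low": {
        "disk_encryption": "enforce", "screen_lock": "enforce",
        "antivirus_current": "monitor", "local_admin_restricted": "monitor",
        "removable_media_blocked": "monitor", "mdm_enrolled": "monitor",
    },
}

def risk_tier(device):
    """High risk if sensitive data or credentials are saved on the device."""
    local = device["stores_sensitive_data"] or device["stores_credentials"]
    return "high" if local else "low"

def evaluate(device):
    """Compare reported posture with the baseline for the device's tier."""
    tier = risk_tier(device)
    controls = BASELINE[tier]
    # A control the device did not report counts as failed (fail closed).
    failed = [c for c in controls if not device["posture"].get(c, False)]
    blocking = [c for c in failed if controls[c] == "enforce"]
    advisory = [c for c in failed if controls[c] == "monitor"]
    action = ("block_access" if blocking
              else "notify_user" if advisory else "compliant")
    return {"device": device["id"], "tier": tier, "action": action,
            "blocking": blocking, "advisory": advisory}

ALL_OK = dict.fromkeys(BASELINE["high"], True)

# Constructed inventory records, as an MDM export might provide them.
INVENTORY = [
    {"id": "lt-001", "stores_sensitive_data": True, "stores_credentials": False,
     "posture": {**ALL_OK, "removable_media_blocked": False}},
    {"id": "lt-002", "stores_sensitive_data": False, "stores_credentials": False,
     "posture": {**ALL_OK, "antivirus_current": False,
                 "local_admin_restricted": False}},
    {"id": "lt-003", "stores_sensitive_data": False, "stores_credentials": False,
     "posture": {k: v for k, v in ALL_OK.items() if k != "disk_encryption"}},
]

if __name__ == "__main__":
    for dev in INVENTORY:
        print(evaluate(dev))
```

The same removable-media gap that blocks lt-001 would only produce a notification on a low-tier device, which is the systematic vs. culture-based trade-off expressed as data rather than as separate tooling.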