This post begins our journey through Section A.8 - Technological controls of Annex A of the ISO 27001:2022 standard. The controls in A.8 cover all technology-based controls within your ISMS, from user access and authentication, antivirus, network security, software, logging and monitoring, among others. We begin with one of the largest risks and broadest categories: user devices.
A.8.1 User endpoint devices
Before we get into this control, note that the standard defines a user endpoint device as a device used by users to access information processing services. These are mostly laptops, PCs, mobile devices and tablets, but can be any device that a user uses to access company information.
This control is wide ranging, as it aims to protect information against the risks of user endpoint devices, including both the data stored on them and the systems to which they have access. The latter is becoming more important as devices are authorised as part of MFA implementations.
General
A policy on handling and secure configuration of user devices should be established. This should be communicated to all relevant staff and contractors. The policy should consider:
- The type of information and classification level that the device can handle and support. For example, the requirements for a software developer’s machine will differ from those for an HR or customer support staff member.
- All devices should be included on the Asset Register developed in control A.5.9.
- Whether the device needs any physical protection; for example, a device taken out into the field is more likely to be dropped and may need a hardened case to protect it.
- Restrictions on software installation, patching and updates. These can usually be managed through system administration and group policies; however, if you allow BYOD, there are more risks to consider and potentially less control over the devices.
- Restrictions on removable devices, such as removable hard drives and USB ports, to prevent the introduction of any malware or other vulnerabilities associated with them.
- Storage encryption, malware protection, remote disabling and deletion, and backups. These can usually be managed by system administration; however, again, BYOD increases the risk, as users are responsible for their own devices.
- Use of the web. Within internal networks this can be managed by restricting access to certain sites; however, when working remotely, users can access whatever parts of the internet they wish, which may introduce viruses and other malware.
- Partitioning capabilities. If supported, consider requiring a separate partition for company-related information, software and other utilities. This helps with BYOD, or with users’ mobile devices which may have access to company emails.
User Responsibility
Ensure that your users are aware of security requirements and procedures for computer and internet use. Things users can do to help keep data secure include:
- Logging off or terminating services when they are no longer needed.
- Ensuring that devices are stored securely, such as locking laptops or other devices in key lockable drawers when they leave the office for the day.
- Taking extra care when using work devices in public places especially on public transport or elsewhere where members of the public may be able to see the information over their shoulder. This also includes accessing confidential information within areas of the office where unauthorised staff may inadvertently see it.
- Protecting the work devices against theft or loss, especially when transporting them, or when the devices are in public areas such as hotel rooms, conference centres, public meeting rooms.
Users should be reminded of their responsibilities regularly, such as in meetings, or other training sessions you run, or through intranet posts etc. to keep these responsibilities front of mind.
Mobile Devices
The increasing use of mobile devices in business can be a significant risk. As more and more applications move to mobile, keeping information secure is an ongoing problem. A few things you can do are:
- Increase the strength of passwords or promote the use of longer passphrases.
- Move to multi-factor authentication.
- Regularly update apps which are downloaded for work use.
- Check app privacy settings and what information they have access to.
Personal Devices (BYOD)
There can be business benefits to allowing your staff and contractors to use their own devices for their work. This, however, can bring increased risks to your data security. Things which will help mitigate this include:
- Establishing policies and procedures to clearly outline the duties and responsibilities of both your business and the user. These should clearly cover the following:
  - Rights to intellectual property developed on privately owned equipment (such as software).
  - Access to privately owned equipment, e.g. to verify the security of the machine, which may be prevented by legislation.
  - Software licensing agreements, where your business can become liable for software licences on privately owned devices.
- Separating business and personal use of a device, including software to support such separation and protect your data on the device. Separate partitions, where supported, are an example of this.
Conclusion
Securing user devices, from laptops to mobiles and tablets, includes securing both the information stored on them and the information on systems to which they have access.
This includes having policies and procedures around what work devices can be used for and securing their access to business systems. Specific controls may need to be considered for mobile phones or staff-owned devices used as part of a BYOD policy.
Most importantly, teach your staff their responsibility to protect their devices, and keep reminding them so that it stays at the front of their minds.
Other Posts
- Other posts in the series can be found at: A Strategic Approach to ISO 27001 Implementation
- View the previous post in the series: Securing the Backbone: Tips for Protecting Media, Cabling, and Equipment in Controls A.7.10 – A.7.14
- View the next post in the series: Access Management Simplified: Privileged Rights and Authentication Controls A.8.02 – A.8.05
Brad Fabiny
DQS Product Manager - Cyber Security and auditor for the ISO 9001, ISO 27001 standards and information security management systems (ISMS) with extensive experience in software development.