
Endpoint Security Policy

Classification: Internal
Document status: Effective
Version: 1.0
Owner: Management / Security Owner
Effective date: 2026-05-13
Review cycle: Annual; interim revision upon material change to endpoint platforms, EDR, or customer mandates


Purpose

This policy defines security requirements for endpoints used to access company systems, customer systems, customer repositories, or customer data.

Scope

This policy applies to laptops, desktops, virtual machines, and comparable devices used by employees, contractors, and subcontractors for company or customer work.

Standard configuration

Endpoints used for customer work meet the following requirements:

  • Full disk encryption enabled.
  • Anti-malware installed and configured for automatic updates where the platform supports it.
  • Host-based firewall enabled and configured for the engagement context.
  • Operating system patching in line with the Patch Management Policy.
  • Interactive session lock and strong authentication.
  • Administrative privilege limited to those with a documented business need.
  • Customer credentials and secrets stored only in approved secure mechanisms.

Platforms

Engineering staff use Linux for professional development work. Linux endpoints used for customer work use LUKS full-disk encryption.

QA staff may use Windows where required for test coverage. Windows endpoints used for customer work use BitLocker (or equivalent full-disk encryption approved by management) before customer repository, system, or data access is granted.

Anti-malware

ESET is the standard endpoint protection suite where supported on the endpoint platform. Signature and protection module updates are applied automatically where the product allows.

Host firewall

Host firewalls are mandatory on customer-work endpoints. Linux systems use the distribution-supported mechanism (for example ufw, firewalld, or nftables). Windows systems use Windows Defender Firewall or an equivalent approved configuration.

Non-compliance

Endpoints that do not meet this policy are not used for customer work until remediated or covered by a documented, time-bound exception approved by management.

Records

Typical evidence includes configuration attestation, encryption status, ESET health, firewall status, and patch compliance records as collected for audits or customer assurance.
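Two of the evidence items above, encryption status and firewall status, can be gathered on a Linux endpoint with a short script that also serves the host firewall requirement in the previous section. The following is an added example; it is not part of this policy and not a tool the company is stated to use. The commands it relies on (lsblk, ufw, nft), the `key=value` record layout, and the assumption that the root filesystem sits directly on the dm-crypt device or on LVM inside it are all assumptions about the endpoint build. ESET health and patch compliance are left to the product console and the Patch Management Policy respectively.

```shell
#!/bin/sh
# Added example, not part of the policy: evidence collector for Linux endpoints.
# The parsing functions take command output as a string so they can be exercised
# on captured text; collect_evidence runs the live commands on this host.
# The commands used (lsblk, ufw, nft) and the key=value record layout are
# assumptions about the environment, not requirements stated by the policy.

# Full-disk encryption: from `lsblk -rno NAME,TYPE,MOUNTPOINT` output, print the
# name of every dm-crypt device (an opened LUKS container), one per line.
# Exit status 1 when there is none.
crypt_devices() {
    printf '%s\n' "$1" | awk '$2 == "crypt" { print $1; n++ } END { exit (n ? 0 : 1) }'
}

# Device type (part, crypt, lvm, ...) directly backing the root filesystem.
# On a LUKS-then-LVM layout root reports "lvm" with the crypt device as its
# parent, so "part" here is the clearest sign that root is unencrypted.
root_device_type() {
    printf '%s\n' "$1" | awk '$3 == "/" { print $2; exit }'
}

# Host firewall (ufw): from `ufw status` output print "active", "inactive" or
# "unknown". Exit status 0 only when active.
ufw_state() {
    printf '%s\n' "$1" | awk '/^Status:/ { s = $2 }
        END { print (s == "" ? "unknown" : s); exit ((s == "active") ? 0 : 1) }'
}

# Host firewall (nftables): from `nft list ruleset` output print the policy of
# the input-hook chain ("drop" or "accept"). Exit 1 when no input hook exists,
# i.e. nothing is actually filtering inbound traffic.
nft_input_policy() {
    printf '%s\n' "$1" | awk '
        /type filter hook input/ {
            for (i = 1; i <= NF; i++) if ($i == "policy") {
                p = $(i + 1); sub(/;$/, "", p); print p; found = 1; exit
            }
        }
        END { exit (found ? 0 : 1) }'
}

# Live collection: one key=value line per evidence item, ready to attach to an
# audit record. A missing tool yields an empty or "unknown" value, not an abort.
collect_evidence() {
    lsblk_out=$(lsblk -rno NAME,TYPE,MOUNTPOINT 2>/dev/null || true)
    ufw_out=$(ufw status 2>/dev/null || true)
    nft_out=$(nft list ruleset 2>/dev/null || true)
    printf 'host=%s\n' "$(hostname 2>/dev/null || echo unknown)"
    printf 'collected_at=%s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)"
    printf 'crypt_devices=%s\n' "$(crypt_devices "$lsblk_out" | paste -sd, -)"
    printf 'root_device_type=%s\n' "$(root_device_type "$lsblk_out")"
    printf 'ufw_state=%s\n' "$(ufw_state "$ufw_out")"
    printf 'nft_input_policy=%s\n' "$(nft_input_policy "$nft_out")"
}

# Run the live collection only when invoked as `sh evidence.sh collect`, so the
# file can also be sourced for its parsing functions.
if [ "${1:-}" = "collect" ]; then
    collect_evidence
fi
```

A `root_device_type` of `part` combined with an empty `crypt_devices` list is the record that should block customer work under the Non-compliance section until remediated or excepted. The script reports ufw and nftables separately because a host running firewalld or plain nftables will show `ufw_state=unknown` while still being compliant; the input-hook policy is the value to read in that case. On Windows endpoints the corresponding evidence comes from `Get-BitLockerVolume` and `Get-NetFirewallProfile` in PowerShell.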