Wanted to get some insights from this group on best practices to follow in medium-size SaaS companies for end user laptop controls. Some of the controls, such as disabling USB/CD-DVD drives, restricting local administrator permissions and controlling web access (through a whitelist), could add to a better security posture for the organization. But these controls also get in the way of convenience and end user productivity - particularly for engineering. Instead of giving admin permission by default, it could be given on need and on request. Some of the web access aspects could be built into the Acceptable Use Policy. Would appreciate it if others could comment on what kind of practices work better as a trade-off between security and convenience in this aspect. Thanks in advance.
Ensure that Information Security policies (Acceptable use policy, Baseline policy, etc.) state the minimal requirements to be met by ALL systems & users under the scope. In these you can provide a section for exceptions, where you'll list pre-defined exceptions, & state that all other exceptions must be approved by IT Security in advance.
This ensures that your systems are adequately secured from the start. Additional privileges can then be given based on pre-defined exceptions or specific requests --- with the latter using Risk Management.
For example, a baseline may have all laptops set with no administrative privileges --- but your policy can make an exception for developers. If a non-developer requires administrative privileges he must submit a request (with justification), and if it's approved, must sign a Risk Acceptance form before the privileges are accorded. Of course, you'll want to have other controls to counter the risk.
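The baseline-plus-exceptions scheme described in this answer is easy to turn into a continuous check. The following is an added example, not code from the thread: it audits a constructed laptop inventory against a baseline (no local admin, USB storage blocked, disk encrypted, patches no older than 30 days), lets a role-based pre-defined exception or a host-specific approved request explain a deviation, and reports everything else as a finding. The control names, the `developer` exception, the `NON_EXCEPTABLE` set and the inventory values are all assumptions made for the demonstration.

```python
from dataclasses import dataclass, field

# Baseline every laptop must meet unless an exception applies (constructed values).
BASELINE = {
    "local_admin": False,          # no local administrator rights by default
    "usb_storage_enabled": False,  # removable storage blocked
    "disk_encrypted": True,
    "max_patch_age_days": 30,      # most recent patch must be no older than this
}

# Pre-defined exceptions written into the policy: role -> controls allowed to deviate.
PREDEFINED_EXCEPTIONS = {
    "developer": {"local_admin"},
}

# Controls that no request can override (assumption for this example).
NON_EXCEPTABLE = {"disk_encrypted", "max_patch_age_days"}


@dataclass
class Host:
    name: str
    role: str
    local_admin: bool
    usb_storage_enabled: bool
    disk_encrypted: bool
    patch_age_days: int
    # Controls this host may deviate on via an approved request plus signed risk acceptance.
    approved_requests: set = field(default_factory=set)


def deviations(host: Host) -> list:
    """Controls on which the host deviates from BASELINE, in a fixed order."""
    out = []
    if host.local_admin != BASELINE["local_admin"]:
        out.append("local_admin")
    if host.usb_storage_enabled != BASELINE["usb_storage_enabled"]:
        out.append("usb_storage_enabled")
    if host.disk_encrypted != BASELINE["disk_encrypted"]:
        out.append("disk_encrypted")
    if host.patch_age_days > BASELINE["max_patch_age_days"]:
        out.append("max_patch_age_days")
    return out


def evaluate(host: Host) -> dict:
    """Classify each deviation as excepted (with the reason) or as a finding."""
    excepted = {}
    findings = []
    for control in deviations(host):
        if control in NON_EXCEPTABLE:
            findings.append(control)
        elif control in PREDEFINED_EXCEPTIONS.get(host.role, set()):
            excepted[control] = f"pre-defined exception for role '{host.role}'"
        elif control in host.approved_requests:
            excepted[control] = "approved request with signed risk acceptance"
        else:
            findings.append(control)
    status = "non_compliant" if findings else ("excepted" if excepted else "compliant")
    return {"host": host.name, "status": status, "excepted": excepted, "findings": findings}


# Constructed inventory for the demonstration.
INVENTORY = [
    Host("dev-lt-01", "developer", local_admin=True, usb_storage_enabled=False,
         disk_encrypted=True, patch_age_days=5),
    Host("fin-lt-07", "finance", local_admin=True, usb_storage_enabled=False,
         disk_encrypted=True, patch_age_days=12),
    Host("ops-lt-03", "support", local_admin=False, usb_storage_enabled=True,
         disk_encrypted=True, patch_age_days=3, approved_requests={"usb_storage_enabled"}),
    Host("dev-lt-09", "developer", local_admin=True, usb_storage_enabled=False,
         disk_encrypted=False, patch_age_days=45),
]


def audit(inventory=INVENTORY) -> list:
    """Evaluate every host; the result is what a reviewer or auditor would look at."""
    return [evaluate(h) for h in inventory]


if __name__ == "__main__":
    for r in audit():
        print(r["host"], r["status"], "findings:", r["findings"], "excepted:", r["excepted"])
```

Keeping the excepted deviations in the output, with the reason attached, is what makes the evidence useful later: an auditor can see that a developer laptop with local admin is a policy exception rather than a missed control, while a finance laptop with the same setting and no approved request shows up as a finding.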
Sorry, clarification: when you say medium-sized SaaS company, are you talking about a medium-sized company with SaaS infra? (As opposed to a medium-sized SaaS provider.)
OK so, as a SaaS I guess you will want most things to be driven from the cloud? I'll add a grab bag of things for vendors.
So basics-wise, patching is pretty much essential if you do nothing else.
Privileged user management is nice as well:
You'd want to have some endpoint security and malware:
Try to protect against email and the web:
Isolation, DLP, encryption, jump boxes etc. all add to the possibilities - if the privileged users need to be admins on the end user system then probably use MFA and jump boxes to mediate system access and record what the users do. All of these controls can help - the question is how do you prioritize or design them to work together?
Write it all down for the auditor and repeat as required for SOC2 and whatever else you need to deal with...
Thank you. We have been a SOC 2 compliant org for the past 4 years. Just that in a few areas we are trying to improve which are traditionally moot - such as local admin permissions on end users' laptops, unlimited access to the web, permissive controls on the use of USB/DVD drives, etc. I was wondering what other SaaS companies have been doing with these controls, balancing security and convenience/productivity, and hence my question.
I was actually going through end user security requirements (ISC) and found this thread. Well, I have a few thoughts in mind, and am looking for more:
1) While we talk about end user security, both Windows and Mac based machines should be factored in. Any organization having a mix of such end user machines and covering only half of them defeats the purpose.
2) While restrictions on local admin and USB are common these days, I was of the view that file transfer via Bluetooth should also be blocked. I have seen a few smart users stealing data via Bluetooth.
3) Regular patch and antivirus updates are a no-brainer; this has to be done.
4) I have a strong feeling that end user logs should be reviewed on a periodic basis to spot suspicious activity.
5) End user security also consists of user data: how and where it is being backed up.
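Point 4 above (periodic review of end user logs) and point 2 (Bluetooth transfers) can be combined into a small review script. This is an added example and not code from the thread: it parses constructed key=value lines from a hypothetical endpoint agent, maps each event to the laptop control it exercises (local admin group change, removable media mount, Bluetooth transfer), drops events that a pre-defined role exception or an approved per-host request covers, and lists what remains for a reviewer. The log format, host names, roles, exception tables and all event values are assumptions; on real endpoints these records would come from the Windows Security log or the macOS unified log, not this format.

```python
from collections import defaultdict

# Constructed key=value lines from a hypothetical endpoint agent (not a real product format).
SAMPLE_LOG = """\
2024-05-06T08:02:11Z host=fin-lt-07 user=jdoe event=local_group_change group=Administrators action=add member=jdoe
2024-05-06T08:05:40Z host=dev-lt-01 user=asmith event=local_group_change group=Administrators action=add member=asmith
2024-05-06T09:14:02Z host=ops-lt-03 user=bwong event=removable_media action=mount device=usb_mass_storage
2024-05-06T09:20:55Z host=fin-lt-07 user=jdoe event=removable_media action=mount device=usb_mass_storage
2024-05-06T10:31:09Z host=fin-lt-07 user=jdoe event=bluetooth_transfer direction=out bytes=48211334
2024-05-06T11:02:17Z host=dev-lt-01 user=asmith event=logon result=success
"""

# Assumed role of each laptop and the exceptions the policy grants (constructed).
ROLE_OF = {"fin-lt-07": "finance", "dev-lt-01": "developer", "ops-lt-03": "support"}
ROLE_EXCEPTIONS = {"developer": {"local_admin"}}           # pre-defined in the policy
HOST_EXCEPTIONS = {"ops-lt-03": {"removable_media"}}       # approved request with risk acceptance

# Event type -> control it exercises. Bluetooth transfer has no exception path: it is blocked outright.
CONTROL_FOR_EVENT = {
    "local_group_change": "local_admin",
    "removable_media": "removable_media",
    "bluetooth_transfer": "bluetooth_transfer",
}


def parse_line(line: str) -> dict:
    """Split '<timestamp> k=v k=v ...' into a dict; values never contain spaces in this format."""
    ts, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    fields["ts"] = ts
    return fields


def is_covered(host: str, control: str) -> bool:
    """True if an exception explains this host exercising this control."""
    role = ROLE_OF.get(host)
    return (control in ROLE_EXCEPTIONS.get(role, set())
            or control in HOST_EXCEPTIONS.get(host, set()))


def review(log_text: str) -> list:
    """Return the events that are not explained by any exception, in log order."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        control = CONTROL_FOR_EVENT.get(ev["event"])
        if control is None:
            continue  # routine event (logon etc.), not part of this review
        # Only additions to the local Administrators group count as a local admin grant.
        if ev["event"] == "local_group_change" and not (
            ev.get("group") == "Administrators" and ev.get("action") == "add"
        ):
            continue
        if is_covered(ev["host"], control):
            continue
        findings.append({
            "ts": ev["ts"],
            "host": ev["host"],
            "user": ev.get("user", "?"),
            "control": control,
            "detail": {k: v for k, v in ev.items() if k not in ("ts", "host", "user", "event")},
        })
    return findings


def summarize(findings: list) -> dict:
    """Group the controls exercised per host so the reviewer sees which laptops need follow-up."""
    by_host = defaultdict(list)
    for f in findings:
        by_host[f["host"]].append(f["control"])
    return dict(by_host)


if __name__ == "__main__":
    found = review(SAMPLE_LOG)
    for f in found:
        print(f["ts"], f["host"], f["user"], f["control"], f["detail"])
    print(summarize(found))
```

On the sample data the developer's admin grant and the support laptop's USB mount are silently accepted because the policy already allows them, and everything the review surfaces comes from a single finance laptop, which is the kind of per-host concentration that justifies a follow-up rather than a ticket per event.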