I wanted to get some insights from this group on best practices to follow in medium-sized SaaS companies for end user laptop controls. Some controls, such as disabling USB and CD/DVD drives, restricting local administrator permissions and controlling web access (through a whitelist), could improve the organization's security posture. But these controls also get in the way of convenience and end user productivity, particularly for engineering. Instead of giving admin permission by default, it could be given on need and on request. Some of the web access aspects could be built into the Acceptable Use Policy. I would appreciate it if others could comment on what kind of practices work better as a trade-off between security and convenience in this area. Thanks in advance.
Ensure that the Information Security policies (Acceptable Use Policy, Baseline Policy, etc.) state the minimal requirements to be met by ALL systems and users under their scope. In these you can provide a section for exceptions, where you list pre-defined exceptions and state that all other exceptions must be approved by IT Security in advance.
This ensures that your systems are adequately secured from the start. Additional privileges can then be given based on pre-defined exceptions or specific requests --- with the latter using Risk Management.
For example, a baseline may have all laptops set with no administrative privileges, but your policy can make an exception for developers. If a non-developer requires administrative privileges, they must submit a request (with justification), and if it is approved, they must sign a Risk Acceptance form before the privileges are granted. Of course, you will want to have other controls to counter the risk.
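One way to make the baseline-plus-exceptions model above checkable rather than only written down is to compare what the endpoint agent reports against the policy. The script below is an added example, not code from this thread or from any vendor product: it holds the baseline ("no local admin"), the pre-defined role exception (developers), and the per-user approved requests with their risk-acceptance status, then flags laptops where local admin is present without a current entitlement. Every hostname, user, role, approver and date in it is constructed for illustration.

```python
# Added example (not from the original post): drift check for a "no local admin"
# baseline with pre-defined role exceptions and per-user approved requests that
# carry a signed risk acceptance. All data below is constructed for illustration.
from dataclasses import dataclass
from datetime import date

PRIVILEGE = "local_admin"

# Baseline: the privilege is denied on every laptop unless an exception applies.
BASELINE = {PRIVILEGE: False}

# Pre-defined exceptions written into the policy (here: developers get local admin).
ROLE_EXCEPTIONS = {PRIVILEGE: {"developer"}}


@dataclass
class Approval:
    """A specific request that IT Security approved, with its risk-acceptance status."""
    user: str
    privilege: str
    approved_by: str
    risk_acceptance_signed: bool
    expires: date


@dataclass
class Laptop:
    """Observed state reported by the endpoint agent (hypothetical inventory record)."""
    hostname: str
    user: str
    role: str
    has_local_admin: bool


def decide(user: str, role: str, privilege: str, approvals: list, today: date):
    """Return (entitled, reason) for a user holding `privilege` on their laptop."""
    if role in ROLE_EXCEPTIONS.get(privilege, set()):
        return True, f"pre-defined exception for role '{role}'"
    for a in approvals:
        if a.user != user or a.privilege != privilege:
            continue
        if not a.risk_acceptance_signed:
            return False, "request approved but risk acceptance not signed"
        if a.expires < today:
            return False, f"approval expired on {a.expires.isoformat()}"
        return True, f"approved by {a.approved_by}, risk acceptance signed"
    return BASELINE.get(privilege, False), "baseline (no exception, no approved request)"


def find_drift(laptops: list, approvals: list, today: date):
    """Laptops where the observed privilege is held without a valid entitlement."""
    findings = []
    for lp in laptops:
        entitled, reason = decide(lp.user, lp.role, PRIVILEGE, approvals, today)
        if lp.has_local_admin and not entitled:
            findings.append((lp.hostname, lp.user, reason))
    return findings


# Constructed sample data.
TODAY = date(2025, 6, 1)
APPROVALS = [
    Approval("carol", PRIVILEGE, "it-sec", True, date(2025, 12, 31)),
    Approval("dave", PRIVILEGE, "it-sec", False, date(2025, 12, 31)),   # never signed
    Approval("frank", PRIVILEGE, "it-sec", True, date(2024, 12, 31)),   # lapsed
]
LAPTOPS = [
    Laptop("lap-001", "alice", "developer", True),   # covered by the role exception
    Laptop("lap-002", "bob", "sales", True),         # no exception, no request
    Laptop("lap-003", "carol", "support", True),     # valid approved request
    Laptop("lap-004", "dave", "finance", True),      # approval without signed risk acceptance
    Laptop("lap-005", "erin", "marketing", False),   # matches the baseline
    Laptop("lap-006", "frank", "ops", True),         # approval expired
]

if __name__ == "__main__":
    for host, user, reason in find_drift(LAPTOPS, APPROVALS, TODAY):
        print(f"{host}: {user} holds local admin without entitlement: {reason}")
```

Run against a real inventory export, the same logic surfaces the three cases that tend to go unnoticed once the policy is written: privileges granted before the policy existed, approvals that were never backed by a signed risk acceptance, and approvals that silently outlived their expiry date. The role exception is evaluated before any per-user approval, so a developer never needs an individual request, which matches the policy text above.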
Sorry, a clarification: when you say medium-sized SaaS company, are you talking about a medium-sized company with SaaS infra (as opposed to a medium-sized SaaS provider)?
OK, so as a SaaS I guess you will want most things to be driven from the cloud? I'll add a grab bag of things for vendors.
So, basics-wise, patching is pretty much essential if you do nothing else.
Privileged user management is nice as well:
You'd want to have some endpoint security and anti-malware:
Try to protect against email and the web:
Isolation, DLP, encryption, jump boxes etc. all add to the possibilities. If the privileged users need to be admins on the end user system, then probably use MFA and jump boxes to mediate system access and record what the users do. All of these controls can help; the question is how you prioritize or design them to work together.
Write it all down for the auditor and repeat as required for SOC 2 and whatever else you need to deal with...
Thank you. We have been a SOC 2 compliant org for the past 4 years. It is just that in a few areas we are trying to improve which are traditionally moot, such as local admin permissions on end users' laptops, unlimited access to the web, permissive controls on the use of USB/DVD drives, etc. I was wondering what other SaaS companies have been doing with these controls, balancing security and convenience/productivity, and hence my question.