graphgrc

END-02: Endpoint Protection

Objective

Protect endpoints from malware and data loss.

Description

All endpoints run antivirus/anti-malware software. Full disk encryption is enabled. Endpoint detection and response (EDR) capabilities are deployed.

Implementation Details

Antivirus: macOS built-in XProtect supplemented with CrowdStrike or SentinelOne for enhanced threat detection.

Full Disk Encryption: FileVault required on all Mac devices. Verified via MDM. Recovery keys escrowed to MDM.

EDR: CrowdStrike Falcon or SentinelOne for behavioral detection, threat hunting, and response.

USB Restrictions: USB storage blocked via MDM policy. Approved devices (Yubikey) allow-listed.

Examples

• CrowdStrike deployed on all employee Macs with real-time protection
• FileVault enabled on 100% of devices, verified weekly via MDM report
• USB storage devices blocked - attempted use generates security alert
• CrowdStrike detected and quarantined malware from phishing email attachment

Audit Evidence

• Antivirus deployment status
• FileVault encryption status from MDM
• EDR agent deployment report
• Malware detection and remediation logs

---

Framework Mapping

SOC 2

• CC6.8 ^[EDR and antivirus protect endpoints from malicious software and unauthorized modifications]
• CC7.2 ^[EDR continuously monitors endpoints for anomalies indicative of malicious acts]

GDPR

• Article 32 ^[Endpoint protection (EDR, antivirus, encryption, USB restrictions) are technical measures ensuring security of processing]

---

Referenced By

This section is automatically generated by make generate-backlinks. Do not edit manually.

Standards:

• Endpoint Security Standard ^[EDR agent installed (CrowdStrike, SentinelOne) with real-time malware scanning]

Policies:

• Baseline Security Policy ^[Requires FileVault encryption, screen lock after 5 min, EDR agent installation]

This site is open source. Improve this page.