Workstation Security Policy Best Practices | A Practical Guide to SOC 2 Compliance


Some might say that workstations are a necessary evil.  Users with varying degrees of technical and security aptitude are using them 24/7, communicating with the world and taking care of business.  With workstations being an indispensable part of business comes a substantial security burden, especially for your information technology staff.  In the workstation security policy, you will define rules intended to reduce the risk of data loss/exposure through workstations.

Often, information security best practices are treated as synonymous with "Oh, that's just common sense."  But remember that in security - and perhaps life in general - there's no such thing as common sense.  Spell out these best practices clearly and with as much detail as possible, so that a user, an administrator and an auditor all read the same requirement the same way.

  • Define “workstation”

At a high level, a workstation is any device - company-owned or personal (BYOD) - that stores, processes or can access company data.  This includes desktops and laptops, as well as mobile devices such as phones and tablets.  A definition that covers only company-issued hardware leaves the personal laptop with the VPN client outside the policy.

  • Require centralized management

As a general rule, to secure your network, you need to know what's on it.  A centralized management tool allows you to inventory your workstations and standardize their configuration remotely.  This way, if you learn about a new configuration setting that further hardens your environment, you can push it to all machines in minutes rather than touching each one.  In Microsoft environments, Group Policy is the standard tool for enforcing user and computer configuration (security options, update behavior, network settings) on domain-joined machines; laptops and mobile devices that rarely connect to the domain are usually managed through an MDM platform instead.  Whichever tool you use, the inventory it produces is also the evidence an auditor will ask for.

  • Require an operating system baseline

Ensure that workstation operating systems are no more than one release behind the current version, and in any case still within the vendor's support window.  Otherwise, you risk systems falling out of support or, worse, no longer receiving security patches from the vendor at all.  Microsoft publishes end-of-support dates for each Windows release on its lifecycle site; bookmark it and compare it against your inventory on a schedule.  Apple publishes security release information that shows which macOS versions are still receiving updates.

  • Require workstation encryption

As defined in your encryption policy, data should be encrypted at rest.  BitLocker provides full disk encryption for Windows systems, and FileVault can be used in the same way on Macs.  Two caveats matter in practice: escrow the recovery keys centrally (Active Directory, Azure AD or your MDM) so that a forgotten password or a failed TPM does not turn into lost data, and remember that a volume whose protection has been suspended for a firmware update is still reported as "encrypted" even though its key is sitting in the clear on disk.
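The following is an added example, not code from the original post: a PowerShell function that audits every fixed volume on a Windows workstation with the built-in BitLocker cmdlets and reports the distinction just described, between a volume that is merely encrypted and one that is actually protected.  The list of acceptable encryption methods and the recovery-password requirement are assumed policy choices for this example.

```powershell
# Added example (not from the original post). Requires the BitLocker module
# (Windows 8 / Server 2012 or later) and an elevated prompt.
function Test-WorkstationEncryption {
    [CmdletBinding()]
    param(
        # Assumed policy choice: only XTS-AES is acceptable on current Windows.
        [string[]]$AllowedMethods = @('XtsAes128', 'XtsAes256'),
        # Assumed policy choice: require a recovery password so the key can be escrowed.
        [switch]$RequireRecoveryPassword
    )

    # Only fixed volumes with a drive letter; removable media fall under a separate policy.
    $fixed = Get-Volume | Where-Object { $_.DriveType -eq 'Fixed' -and "$($_.DriveLetter)" -match '^[A-Z]$' }

    foreach ($vol in $fixed) {
        $mount    = "$($vol.DriveLetter):"
        $bl       = Get-BitLockerVolume -MountPoint $mount -ErrorAction SilentlyContinue
        $findings = New-Object System.Collections.Generic.List[string]

        if (-not $bl) {
            $findings.Add('BitLocker status unavailable for volume')
        }
        else {
            # VolumeStatus says whether the data on disk is encrypted.
            # ProtectionStatus says whether the key is actually protected.
            # A suspended volume is FullyEncrypted with ProtectionStatus Off: the clear
            # key is stored on the disk and the encryption buys nothing until resumed.
            if ($bl.VolumeStatus -ne 'FullyEncrypted') {
                $findings.Add("VolumeStatus is $($bl.VolumeStatus)")
            }
            if ($bl.ProtectionStatus -ne 'On') {
                $findings.Add("ProtectionStatus is $($bl.ProtectionStatus) (suspended or no key protectors)")
            }
            if ($AllowedMethods -notcontains $bl.EncryptionMethod.ToString()) {
                $findings.Add("EncryptionMethod $($bl.EncryptionMethod) is not allowed by policy")
            }
            $protectorTypes = @($bl.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
            if ($RequireRecoveryPassword -and $protectorTypes -notcontains 'RecoveryPassword') {
                $findings.Add('No RecoveryPassword protector; nothing to escrow')
            }
        }

        [pscustomobject]@{
            ComputerName = $env:COMPUTERNAME
            Volume       = $mount
            Compliant    = ($findings.Count -eq 0)
            Findings     = ($findings -join '; ')
        }
    }
}

# Usage: Test-WorkstationEncryption -RequireRecoveryPassword | Format-Table -AutoSize
```

Run it through your management tool on a schedule and keep the non-compliant rows; a one-line "BitLocker is on" statement is not evidence, but a dated report listing every fixed volume, its protection status and its protector types is.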

  • Require that workstations are locked when not in use

A strong password policy helps keep workstations from being compromised, but that policy is of little help if employees don't lock their workstations when they leave their desks.  In case someone forgets to lock the workstation manually, sysadmins can enforce a technical control that does it automatically after a period of idle time (15 minutes or less is the usual benchmark value, shorter for shared or public-facing areas).  Configuring a password-protected screen saver (or a basic screen lock) is an effective access control to enforce on workstations as well as on other information systems, such as network servers, where an unattended administrator session is worth far more to an attacker than a user desktop.
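As an added example that is not part of the original post, here is a PowerShell function that checks (and can set) the registry values behind the two Group Policy settings that implement the idle lock on Windows: the machine-wide "Interactive logon: Machine inactivity limit" security option and the per-user password-protected screen saver policy.  The 900-second threshold is an assumed policy choice.  On a domain-joined machine, deploy these through a GPO rather than the `-Remediate` switch; local edits are overwritten at the next policy refresh, which is exactly the behavior you want.

```powershell
# Added example (not from the original post). HKCU checks must run in the user's
# session; writing the HKLM value needs an elevated prompt.
function Test-ScreenLockPolicy {
    [CmdletBinding()]
    param(
        [int]$MaxIdleSeconds = 900,   # assumed policy threshold (15 minutes)
        [switch]$Remediate
    )

    # Computer Configuration > Windows Settings > Security Settings > Local Policies >
    # Security Options > "Interactive logon: Machine inactivity limit" (0 = disabled).
    $sysKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    # User Configuration > Administrative Templates > Control Panel > Personalization
    # (enable screen saver, password protect it, timeout). Stored as REG_SZ by Group Policy.
    $ssKey  = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'

    $expected = @(
        @{ Key = $sysKey; Name = 'InactivityTimeoutSecs'; Value = $MaxIdleSeconds;   Type = 'DWord';  Compare = 'MaxInt' }
        @{ Key = $ssKey;  Name = 'ScreenSaveActive';      Value = '1';               Type = 'String'; Compare = 'Exact'  }
        @{ Key = $ssKey;  Name = 'ScreenSaverIsSecure';   Value = '1';               Type = 'String'; Compare = 'Exact'  }
        @{ Key = $ssKey;  Name = 'ScreenSaveTimeOut';     Value = "$MaxIdleSeconds"; Type = 'String'; Compare = 'MaxInt' }
    )

    foreach ($e in $expected) {
        $actual = $null
        if (Test-Path $e.Key) {
            $actual = (Get-ItemProperty -Path $e.Key -Name $e.Name -ErrorAction SilentlyContinue).($e.Name)
        }

        # 'MaxInt': value must exist, be a positive integer and not exceed the limit.
        # A zero or missing value means "no timeout", which is non-compliant.
        $ok = switch ($e.Compare) {
            'Exact'  { "$actual" -eq "$($e.Value)" }
            'MaxInt' { ("$actual" -match '^\d+$') -and ([int]$actual -gt 0) -and ([int]$actual -le [int]$e.Value) }
        }

        if (-not $ok -and $Remediate) {
            if (-not (Test-Path $e.Key)) { New-Item -Path $e.Key -Force | Out-Null }
            New-ItemProperty -Path $e.Key -Name $e.Name -Value $e.Value -PropertyType $e.Type -Force | Out-Null
            $actual = $e.Value
            $ok     = $true
        }

        [pscustomobject]@{
            Setting   = $e.Name
            Expected  = $e.Value
            Actual    = $actual
            Compliant = $ok
        }
    }
}

# Usage: Test-ScreenLockPolicy | Format-Table -AutoSize
```

The machine inactivity limit is the one to rely on for servers and shared machines, because it applies to every interactive session regardless of user profile; the screen saver values only protect the user whose profile carries them.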

  • Define that workstations must be used for authorized business purposes only

With all the hours they clock on their workstations, it's natural for employees to treat company devices like personal property.  They might play games, use services that stream music and movies, or install applications used to store and share personal files.  Your workstation security policy should remind users that company property is to be used only for work-related purposes and that all activities and data stored on the device can be monitored, changed or deleted at any time.  Some organizations also restrict wireless network access so that workstations can only join access points that use encryption (WPA2 or WPA3), which keeps company traffic off open coffee-shop networks.

  • Loss or destruction of devices should be reported immediately

In the event of a workstation or any other company asset being lost or stolen, users need clear instructions and a contact person/department so the incident can be reported and handled correctly.  You may wish to include wording that reminds users how time-sensitive the handling of such issues is.  For instance: "Please report missing devices as soon as possible so IT can attempt to wipe the device.  This will also help us protect the company's data, integrity and reputation."  Note that a remote wipe is only possible if the device was enrolled in your MDM before it went missing, so enrollment at provisioning time is what makes this promise real.

  • Require laptops and desktop devices to have the latest version of antivirus software that has been approved by IT

If you're running a centralized antivirus solution, make sure your standard operating procedures include a scheduled check that all endpoints have the agent installed, running and up to date.  Most commercial solutions let you run a report that highlights any machines missing protection or current virus definitions; machines that have not reported in at all belong on that list too, because an endpoint the console cannot see is one you cannot vouch for.
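An added example, not from the original post, of how that report looks when built by hand for Microsoft Defender Antivirus with PowerShell Remoting.  The computer-name list and the three-day signature-age threshold are assumptions for this example; `Get-MpComputerStatus` is the Defender module's own cmdlet.  WinRM must be enabled on the endpoints and the caller needs administrative rights on them.

```powershell
# Added example (not from the original post).
function Get-AntivirusComplianceReport {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string[]]$ComputerName,
        [int]$MaxSignatureAgeDays = 3    # assumed policy threshold
    )

    # Runs on each endpoint and returns only the fields the report needs.
    $collect = {
        $s = Get-MpComputerStatus
        [pscustomobject]@{
            AntivirusEnabled     = $s.AntivirusEnabled
            RealTimeProtection   = $s.RealTimeProtectionEnabled
            SignatureAgeDays     = $s.AntivirusSignatureAge
            SignatureLastUpdated = $s.AntivirusSignatureLastUpdated
            EngineVersion        = $s.AMEngineVersion
        }
    }

    $results = @(Invoke-Command -ComputerName $ComputerName -ScriptBlock $collect -ErrorAction SilentlyContinue)

    foreach ($r in $results) {
        $findings = @()
        if (-not $r.AntivirusEnabled)   { $findings += 'antivirus disabled' }
        if (-not $r.RealTimeProtection) { $findings += 'real-time protection off' }
        if ($null -eq $r.SignatureAgeDays -or $r.SignatureAgeDays -gt $MaxSignatureAgeDays) {
            $findings += "signatures $($r.SignatureAgeDays) days old"
        }
        [pscustomobject]@{
            ComputerName = $r.PSComputerName
            Compliant    = ($findings.Count -eq 0)
            Findings     = ($findings -join '; ')
            LastUpdated  = $r.SignatureLastUpdated
            Engine       = $r.EngineVersion
        }
    }

    # Hosts that returned nothing are findings, not omissions: an endpoint you
    # cannot reach is an endpoint whose protection state is unknown.
    $seen = @($results | ForEach-Object { $_.PSComputerName })
    foreach ($name in $ComputerName) {
        if ($seen -notcontains $name) {
            [pscustomobject]@{
                ComputerName = $name
                Compliant    = $false
                Findings     = 'unreachable; status unknown'
                LastUpdated  = $null
                Engine       = $null
            }
        }
    }
}

# Usage (workstations.txt is an assumed inventory export, one hostname per line):
# Get-AntivirusComplianceReport -ComputerName (Get-Content .\workstations.txt) |
#     Where-Object { -not $_.Compliant } | Export-Csv .\av-exceptions.csv -NoTypeInformation
```

Keeping the dated CSV of exceptions, together with the ticket that closed each one, is the kind of artifact that turns "we check AV regularly" into something an auditor can sample.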

  • Require endpoints to have their operating system patched monthly

A fundamental part of good workstation security is to keep machines patched with security updates and fixes from the vendor.  Microsoft releases most security updates on the second Tuesday of each month, so a monthly cadence with a defined install deadline lines up naturally with that schedule.  In a Windows environment, Microsoft provides guidance for using Group Policy to configure workstations for automatic updates.  Be aware that, depending on the configuration you enforce, users may still be able to pause or defer patches for extended periods, which quietly puts those machines in violation of the workstation security policy; the policy setting that removes the "Pause updates" option and the deadline settings exist precisely to close that gap.
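The following is an added example, not from the original post: the Windows Update policy registry values (the keys Group Policy writes under `HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate`) as two sets, the permissive configuration that lets users defer patches beside the one that enforces a monthly install, with a function that audits a machine against either set and one that applies a set.  The install time and deadline values are assumed policy choices; the deadline values require Windows 10 version 1903 or later.  On managed machines, ship the hardened set through a GPO or MDM and use the audit function to prove it landed.

```powershell
# Added example (not from the original post). Audit works as any local admin;
# Set-WindowsUpdatePolicy needs an elevated prompt.
$WuPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$WuAu     = "$WuPolicy\AU"

# Weak: updates download, but the user decides when (if ever) to install, quality
# updates can be deferred for a month, and the Pause button is still available.
$Permissive = @{
    "$WuAu|NoAutoUpdate"                        = 0
    "$WuAu|AUOptions"                           = 3    # auto download, notify to install
    "$WuPolicy|DeferQualityUpdatesPeriodInDays" = 30
    "$WuPolicy|SetDisablePauseUXAccess"         = 0
}

# Hardened: scheduled install, no deferral of security (quality) updates, Pause
# removed from the UI, and a deadline so a laptop that is rarely on still patches.
$Enforced = @{
    "$WuAu|NoAutoUpdate"                        = 0
    "$WuAu|AUOptions"                           = 4    # auto download and schedule install
    "$WuAu|ScheduledInstallDay"                 = 0    # 0 = every day
    "$WuAu|ScheduledInstallTime"                = 3    # 03:00 local time (assumed)
    "$WuAu|NoAutoRebootWithLoggedOnUsers"       = 0
    "$WuPolicy|DeferQualityUpdatesPeriodInDays" = 0
    "$WuPolicy|SetDisablePauseUXAccess"         = 1
    "$WuPolicy|SetComplianceDeadline"           = 1
    "$WuPolicy|ConfigureDeadlineForQualityUpdates" = 7   # days after release (assumed)
    "$WuPolicy|ConfigureDeadlineGracePeriod"    = 2   # days before forced restart (assumed)
}

function Test-WindowsUpdatePolicy {
    param([hashtable]$Expected = $Enforced)
    foreach ($entry in ($Expected.GetEnumerator() | Sort-Object Key)) {
        $key, $name = $entry.Key -split '\|', 2
        $actual = $null
        if (Test-Path $key) {
            $actual = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
        }
        # A missing value means "Not configured": the built-in default applies and the
        # user keeps whatever control the default gives them, so it counts as a failure.
        [pscustomobject]@{
            Key       = $key -replace '^HKLM:\\SOFTWARE\\Policies\\Microsoft\\Windows\\', ''
            Name      = $name
            Expected  = $entry.Value
            Actual    = $actual
            Compliant = ($null -ne $actual -and [int]$actual -eq [int]$entry.Value)
        }
    }
}

function Set-WindowsUpdatePolicy {
    param([hashtable]$Settings = $Enforced)
    foreach ($entry in $Settings.GetEnumerator()) {
        $key, $name = $entry.Key -split '\|', 2
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        New-ItemProperty -Path $key -Name $name -Value $entry.Value -PropertyType DWord -Force | Out-Null
    }
}

# Usage: Test-WindowsUpdatePolicy | Where-Object { -not $_.Compliant } | Format-Table -AutoSize
```

The two hashtables differ in only a few values, which is the point: the difference between "patched monthly" and "patched whenever the user gets around to it" is a handful of DWORDs that are easy to leave at their defaults.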

  • Require endpoints to have 3rd party applications (Adobe, Java, Flash, browsers, etc.) to be patched monthly

Keeping 3rd party applications up to date is also part of a healthy workstation configuration, and the list in the heading is itself a reminder to revisit the list: Flash Player reached end of life in 2020 and should be removed, not patched.  You cannot simply follow a "patch everything" approach as you might with operating system updates.  You need a solid understanding of the applications in your network and of any versions that must stay static.  For example, a Web-based application may depend on a particular version of Java, and if you patch workstations to the latest version, the application may break for users.  Treat each pinned version as a documented, time-limited exception with a named owner and a compensating control (such as restricting that runtime to the one application that needs it), rather than as a silent gap in the patch report.

  • Deploy physical safeguards

Physical security is relatively easy to manage for workstations that reside in your office spaces, but if you have employees who work from home most of the time, controlling physical access to their workstations becomes a significant concern as well.  Consider providing employees with cable locks for workstations to deter theft.  You might also want to offer privacy screen filters for monitors, which are especially important where regulated data such as PHI under HIPAA is displayed.  Finally, protect workstations from data loss caused by power drops and surges with surge protectors and battery backup (UPS) units.

  • Reinforce workstation controls with policies

Make sure that any physical or technical controls are reinforced with the appropriate complementary policies, such as an acceptable use policy and a portable workstation encryption policy.  Without this framework in place, it is difficult to take disciplinary action against employees who are out of compliance, and difficult to show an auditor that the controls are required rather than merely present.

Employees need some freedom and flexibility in the way they use workstations to get work done.  However, at the end of the day, workstations are a company asset that store and transmit incredibly valuable and sensitive information.  Create a clear and concise workstation security policy to ensure workstations are used as safely, securely and productively as possible.
