Endpoint & Cloud Security Policy Template
| Company Name | [Company Name] |
| Effective Date | [Date] |
| Version | [Version Number, e.g., 1.0] |
| Policy Owner | [CISO/IT Director] |
| Document Classification | Confidential / Internal Use Only |
| Parent Policy | Information Security Policy |
Purpose
This policy establishes the requirements for securing all endpoints (desktops, laptops, mobile devices, servers) and cloud computing environments (IaaS, PaaS, SaaS) used by [Company Name]. The purpose is to ensure these assets are configured, managed, monitored, and used securely to protect the confidentiality, integrity, and availability of company data (including sensitive corporate data, PII, IP, and Cardholder Data - CHD), prevent unauthorized access, mitigate threats like malware and data loss, and ensure compliance with regulatory requirements, including PCI DSS 4.0.1.
Scope
This policy applies to all company-owned and managed endpoints, including servers, workstations, laptops, and mobile devices. It also applies to personally owned devices (BYOD) if used to access company resources, subject to specific BYOD provisions. Furthermore, it covers the configuration, management, and security monitoring of all cloud services utilized by [Company Name], including infrastructure (IaaS), platform (PaaS), and software (SaaS) services. All employees, contractors, consultants, and third parties using or managing these endpoints or cloud environments are subject to this policy. Specific attention is given to endpoints and cloud resources that store, process, transmit, or could impact the security of CHD or the Cardholder Data Environment (CDE).
Roles and Responsibilities
| Role/Group | Key Responsibilities |
|---|---|
| Executive Management | Provide strategic direction and resources for endpoint and cloud security; establish risk tolerance. |
| CISO/IT Director | Own and approve this policy; oversee endpoint and cloud security strategies and compliance. |
| Information Security Team | Develop and maintain security standards (hardening, EPP, cloud config); manage security tools (EDR, DLP, CASB, vulnerability scanners); monitor for threats; lead incident response; approve exceptions. |
| IT Operations/Endpoint Team | Deploy, manage, patch, and configure endpoints according to standards; manage EPP agents; respond to endpoint security alerts; maintain endpoint inventory. |
| Cloud Engineering/Operations Team | Implement and manage secure cloud configurations (Security Groups, IAM, logging); monitor cloud environments; apply patches/updates to cloud infrastructure (where applicable); maintain cloud asset inventory. |
| Network Engineering Team | Implement network controls supporting endpoint and cloud security (e.g., segmentation, VPN, firewall rules). |
| Application Owners/Teams | Ensure applications deployed on endpoints or cloud are secure; define necessary cloud resource configurations; participate in cloud security group rule definition. |
| System/Application Owners | Ensure their systems (on endpoints or cloud) comply with this policy; participate in configuration standard definition and reviews. |
| Human Resources (HR) | Coordinate security awareness training related to endpoint and cloud use; manage user lifecycle events affecting endpoint/cloud access. |
| All Users | Comply with this policy and acceptable use standards; use devices and cloud services securely; complete required training; report security incidents or lost/stolen devices promptly. |
| Compliance/Audit Team | Periodically review endpoint and cloud configurations, processes, and logs for compliance and effectiveness. |
Policy Requirements
1. Endpoint Protection Standard
- Baseline Configuration: All endpoints (servers, workstations, laptops) must be configured according to documented secure baseline standards, incorporating OS hardening (based on industry practices like CIS Benchmarks), least privilege principles, and disabling unnecessary services/ports (PCI DSS Req 2.2). Vendor defaults must be changed.
- Endpoint Protection Platform (EPP/EDR): All endpoints must have company-approved EPP/EDR software installed, active, and reporting to a central management console. This includes:
- Anti-Malware: Next-generation anti-malware protection enabled with real-time scanning, behavior detection, and regular automatic updates of signatures/engines (PCI DSS Req 5.2, Req 5.3). Scans must be performed periodically and upon detection of new media/files (PCI DSS Req 5.3.2, Req 5.3.3). Users must not be able to disable or alter anti-malware protection (PCI DSS Req 5.3.5).
- Host Firewall: Host-based firewall enabled and configured to allow only necessary network connections based on role/function.
- Integrity Monitoring: File integrity monitoring (FIM) deployed on critical systems (especially within the CDE) to alert on unauthorized modifications.
- Patch Management: Endpoints must adhere to the company's Patch Management policy, ensuring timely application of security patches for OS and applications (PCI DSS Req 6.3).
- Encryption: Full-disk encryption (e.g., BitLocker, FileVault) must be enabled on all laptops and mobile devices storing sensitive data (PCI DSS Req 3.5.1.2, Req 3.5.1.3). Encryption must be used for sensitive data stored on servers according to the Data Protection & Encryption Policy.
- Access Control: Strong authentication (unique IDs, complex passwords/passphrases) and role-based access control must be enforced. MFA required for administrative access. Sessions must lock after inactivity (PCI DSS Req 8).
- Physical Security: Users are responsible for the physical security of devices assigned to them, especially mobile devices. Lost or stolen devices must be reported immediately.
- Removable Media: Use of removable media (USB drives, external HDDs) must be restricted or controlled via technical means based on role and data sensitivity (PCI DSS Req 1.5.1 related). Data written to removable media must be encrypted if sensitive.
2. Cloud Security Configuration
- Shared Responsibility Model: Understand and document the security responsibilities shared between [Company Name] and each Cloud Service Provider (CSP) for IaaS, PaaS, and SaaS environments.
- Secure Configuration: Configure cloud services according to documented baseline standards, applying principles of least privilege and disabling unnecessary features/services. Change all default credentials and configurations provided by the CSP. Align configurations with industry best practices (e.g., CIS Cloud Benchmarks).
- Identity and Access Management (IAM): Implement strong IAM controls within cloud environments. Use RBAC, enforce least privilege, require MFA for all administrative access and access involving sensitive data, and regularly review permissions. Integrate with corporate identity provider where feasible.
- Data Protection: Apply data classification, encryption (at rest and in transit using strong cryptography - TLS 1.2+), and key management controls according to the Data Protection & Encryption Policy for data stored or processed in the cloud (PCI DSS Req 3, 4). Configure region controls to comply with data residency requirements.
- Network Security (Cloud Security Group Policy):
- Utilize CSP-provided network security controls (e.g., Security Groups, Network ACLs, cloud firewalls) to enforce network segmentation and control traffic flow between cloud resources and between cloud and on-premises environments.
- Implement a default-deny policy for all inbound and outbound traffic. Security group rules must be explicit allow rules only, each permitting just the necessary protocols, ports, and source/destination IP ranges.
- Rules must be stateful where applicable. Restrict rules to be as specific as possible based on business need.
- Regularly review and audit security group rules, removing unnecessary entries via the Change Management process. Document the purpose and owner for rules.
- Security Groups supplement, but do not replace, OS-level firewalls within cloud instances.
- Logging and Monitoring: Configure comprehensive logging for cloud services (control plane activities, network traffic, access logs, resource changes). Forward logs to a central SIEM for monitoring, alerting, and retention according to policy (PCI DSS Req 10). Implement threat detection services provided by the CSP where appropriate.
- Compliance: Ensure cloud configurations meet all relevant compliance requirements (PCI DSS, GDPR, HIPAA, etc.). Utilize CSP tools for compliance monitoring and reporting where available.
3. Application Whitelisting Policy
- Purpose: To prevent the execution of unauthorized or malicious software on company endpoints (primarily servers and potentially workstations in high-security areas, including the CDE) by allowing only explicitly approved applications to run.
- Inventory and Baseline: Maintain a comprehensive inventory of all legitimate applications required for various business roles and system functions. This forms the basis of the whitelist.
- Rule Definition: Define whitelist rules based on strong identifiers such as cryptographic file hashes or publisher digital signatures. Avoid relying solely on less secure attributes like file names or paths.
- Policy Implementation: Implement application whitelisting using appropriate technical controls (e.g., built-in OS features like AppLocker, EDR capabilities, dedicated whitelisting tools). Configure policies in an "enforcement" mode where feasible, or "audit" mode initially or for less critical systems.
- Management and Updates: Establish a process for requesting additions or modifications to the whitelist, requiring justification and approval through Change Management. Regularly review and update whitelist rules to accommodate necessary software updates and new application requirements.
- Phased Rollout: Implement whitelisting policies in phases, starting with less critical systems or in audit mode, to minimize operational disruption.
- Monitoring: Log and monitor blocked execution attempts to identify unauthorized software and refine policies. Integrate alerts into the security monitoring workflow.
4. Mobile Device Security Policy
- Scope: This applies to both company-owned mobile devices (smartphones, tablets) and personally owned devices (BYOD) used to access company data (email, applications, storage). Specific rules may differ between company-owned and BYOD.
- Device Management: Company-owned devices must be enrolled in a Mobile Device Management (MDM) or Unified Endpoint Management (UEM) solution. BYOD devices accessing more than basic resources (e.g., email) may also require enrollment or management via Mobile Application Management (MAM).
- Security Configuration: All managed devices must enforce minimum security configurations:
- Strong device passcode/biometric authentication.
- Data encryption enabled on the device storage.
- Remote wipe capability enabled.
- Automatic locking after inactivity.
- Timely installation of OS and application updates/patches.
- Application Management: Only applications from approved sources (e.g., official app stores, company app portal) may be installed. Prohibit installation of apps from unknown sources. Sideloading requires explicit approval. Rooted or jailbroken devices are prohibited from accessing company resources.
- Network Security: Use secure Wi-Fi networks (WPA2/WPA3). Use of public/untrusted Wi-Fi should be minimized for sensitive tasks; use of VPN is required for accessing internal resources.
- Data Protection: Implement controls (via MDM/MAM) to prevent unauthorized copying/sharing of company data (containerization, DLP policies). Do not store sensitive data (CHD, PII) locally on the device unless explicitly permitted and protected by application controls.
- User Training: Users must receive training on secure mobile device use, including phishing awareness and risks of public Wi-Fi.
- Lost/Stolen Devices: Users must report lost or stolen devices immediately to IT/Security for remote locking or wiping.
5. Lifecycle Management (Commissioning & Decommissioning)
- Commissioning: All new endpoints (including wireless devices) and cloud resources must follow a formal commissioning process before being used in production. This includes:
- Registration in Asset Inventory.
- Application of approved secure baseline configuration/build standard.
- Installation and verification of security agents (EPP/EDR, monitoring).
- Patching to current levels.
- Vulnerability scanning and remediation.
- Configuration backup setup.
- Formal approval via Change Management.
- Wireless Device Commissioning Checklist: (See Appendix D) Specific checks for APs including physical placement validation, secure configuration (SSID broadcast decision, unique strong passphrase or 802.1X, WPA2/WPA3, admin credentials changed, logging enabled), firmware update, inventory update, and integration with monitoring/NAC.
- Decommissioning: Follow the secure Decommissioning Process defined in the System & Configuration Management Policy for all endpoints and cloud resources being retired, ensuring secure data removal, access revocation, and inventory updates.
6. Monitoring, Logging, and Auditing
- Enable comprehensive logging on endpoints (OS, EPP/EDR, application) and cloud environments (control plane, data plane, network flow). Forward logs to a central SIEM.
- Actively monitor endpoints and cloud resources for security alerts, anomalies, misconfigurations, and compliance deviations.
- Conduct regular audits of endpoint and cloud configurations against baseline standards and policy requirements.
Enforcement
- Failure to comply with this Endpoint & Cloud Security Policy may result in disciplinary action, up to and including termination of employment or contract, in accordance with established HR policies and contractual agreements.
- Non-compliant devices or cloud configurations may be denied access to company resources or quarantined until remediated.
- Exceptions to this policy require a documented business justification, formal risk assessment identifying potential impacts and compensating controls, and written approval from the CISO/IT Director. Approved exceptions must be time-bound and reviewed regularly (e.g., quarterly or annually).
Revision History
| Version | Date | Author | Change Details |
|---|---|---|---|
| 1.0 | [Date] | [Author Name] | Initial policy release |
| [Ver #] | [Date] | [Author Name] | [Summary of changes] |
Approval
| Name | Title | Signature | Date |
|---|---|---|---|
| [Exec Name] | [Executive Title, e.g., CTO] | | [Date] |
| [CISO Name] | [CISO/IT Director Title] | | [Date] |
Appendix A: Endpoint Protection Standard - Checklist Summary
Appendix B: Cloud Security Group Best Practices
- Default Deny: Start with no rules (blocks all traffic) and explicitly permit required traffic.
- Least Privilege: Allow only specific protocols, ports, and source/destination IP ranges necessary for the function of the instance/service. Avoid overly broad ranges (e.g., 0.0.0.0/0) unless absolutely necessary for public-facing services on specific ports.
- Separate Inbound/Outbound: Define distinct rules for incoming and outgoing traffic.
- Use Multiple Groups: Apply multiple security groups to an instance for granular control based on role (e.g., base OS rules, application rules, management rules).
- Stateful Rules: Leverage stateful filtering where available to simplify rules for established connections.
- Describe Rules: Use meaningful names or descriptions for rules and groups to indicate their purpose.
- Regular Review: Audit rules frequently (at least quarterly) to remove unused or obsolete rules.
- Infrastructure as Code (IaC): Manage security group rules using IaC tools (e.g., Terraform, CloudFormation) for consistency, version control, and easier auditing.
- Consider NACLs: Use Network ACLs at the subnet level for stateless, broader filtering as an additional layer of defense (especially in AWS).
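The audit step that Policy Requirement 2 and Appendix B call for (default deny, least privilege, no unjustified 0.0.0.0/0, documented purpose and owner) can be automated against an exported rule set. The checker below is an added example, not part of the policy template; the rule record format, the `public_facing` flag and the set of ports allowed to be internet-exposed are assumptions for illustration, not any provider's own schema.

```python
"""Audit security group rules against the policy's default-deny and
least-privilege requirements. Constructed example; rule format is
provider-neutral and not any CSP's native export format."""
import ipaddress
from dataclasses import dataclass, field

ANYWHERE = {"0.0.0.0/0", "::/0"}
# Assumption: only these ports may be exposed to the internet, and only on
# groups an owner has explicitly marked as public-facing.
PUBLIC_PORTS_ALLOWED = {80, 443}

@dataclass
class Rule:
    direction: str      # "ingress" or "egress"
    protocol: str       # "tcp", "udp", "icmp" or "-1" (all protocols)
    from_port: int
    to_port: int
    cidr: str
    description: str = ""
    owner: str = ""

@dataclass
class SecurityGroup:
    name: str
    public_facing: bool = False
    rules: list = field(default_factory=list)

def audit_rule(group: SecurityGroup, rule: Rule) -> list:
    """Return policy findings for one rule; an empty list means compliant."""
    findings = []
    anywhere = rule.cidr in ANYWHERE
    if rule.protocol == "-1" or (rule.from_port == 0 and rule.to_port == 65535):
        findings.append("all protocols or all ports permitted (least privilege)")
    ports = set(range(rule.from_port, rule.to_port + 1))
    if anywhere and rule.direction == "ingress":
        # Internet-wide ingress is only tolerated on approved public ports.
        if not (group.public_facing and ports <= PUBLIC_PORTS_ALLOWED):
            findings.append(f"ingress from {rule.cidr} on "
                            f"{rule.from_port}-{rule.to_port} needs justification")
    elif not anywhere and ipaddress.ip_network(rule.cidr, strict=False).prefixlen < 16:
        findings.append(f"{rule.cidr} is broader than /16; narrow to business need")
    if not rule.description or not rule.owner:
        findings.append("rule lacks description or owner (policy requires both)")
    return findings

def audit_group(group: SecurityGroup) -> dict:
    """Map index of each non-compliant rule to its findings.
    A group with no rules is the default-deny state and is compliant."""
    return {i: f for i, r in enumerate(group.rules) if (f := audit_rule(group, r))}

# Constructed sample: a public web tier with two good rules and three bad ones.
WEB_SG = SecurityGroup("web-tier", public_facing=True, rules=[
    Rule("ingress", "tcp", 443, 443, "0.0.0.0/0", "public HTTPS", "app-team"),
    Rule("ingress", "tcp", 22, 22, "0.0.0.0/0", "ssh for admins", "ops"),
    Rule("ingress", "tcp", 3306, 3306, "10.0.0.0/8"),
    Rule("egress", "-1", 0, 65535, "0.0.0.0/0", "allow all outbound", "ops"),
])

if __name__ == "__main__":
    for idx, findings in audit_group(WEB_SG).items():
        print(f"{WEB_SG.name} rule {idx}: " + "; ".join(findings))
```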
Appendix C: Application Whitelisting Strategy - Considerations
- Scope Definition: Determine target systems (e.g., critical servers, CDE systems, specific user groups, kiosks).
- Inventory Phase: Use discovery tools or manual processes to create a comprehensive list of currently used, legitimate applications.
- Policy Mode Selection: Decide between Enforcement (block non-whitelisted) or Audit (log non-whitelisted) mode, potentially starting with Audit.
- Rule Type Selection: Prioritize Publisher Certificates and File Hashes for rule creation. Use Path rules cautiously and only in controlled environments.
- Baseline Policy Creation: Create initial rules based on the inventory for standard OS components and required business applications.
- Pilot Deployment: Roll out the policy to a small group of representative systems/users.
- Monitoring & Tuning: In Audit or Enforcement mode, monitor logs for blocked legitimate applications or necessary updates. Refine rules accordingly.
- Update Process: Define a clear process for requesting and approving updates or additions to the whitelist, integrating with Change Management.
- Phased Rollout: Gradually expand deployment across the target scope.
- Regular Review: Periodically review the effectiveness of the policy, the necessity of whitelisted applications, and update rules/baselines.
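Policy Requirement 3 and Appendix C both describe rule types (hash, publisher, path), audit versus enforcement mode, and logging of blocked attempts. The evaluator below is an added example, not part of the template and not any product's engine; the `Binary` record, the publisher name "Contoso Ltd" and the sample paths are constructed. It also shows why the policy tells you to use path rules cautiously: a path rule accepts a modified binary that a hash rule rejects.

```python
"""Evaluate execution requests against an application allowlist.
Constructed example: rule and event formats are illustrative only."""
import hashlib
from dataclasses import dataclass, field
from typing import Optional

@dataclass(frozen=True)
class Binary:
    path: str
    content: bytes
    publisher: Optional[str] = None   # verified code-signing publisher; None if unsigned

@dataclass
class Allowlist:
    hashes: set = field(default_factory=set)      # SHA-256 hex digests of approved files
    publishers: set = field(default_factory=set)  # trusted signer names
    paths: tuple = ()                             # path prefixes; weakest rule type
    mode: str = "enforce"                         # "enforce" blocks, "audit" only logs
    events: list = field(default_factory=list)    # (verdict, path) for the SIEM

    def match(self, b: Binary) -> Optional[str]:
        """Return the rule type permitting b, checking strongest identifiers first."""
        if hashlib.sha256(b.content).hexdigest() in self.hashes:
            return "hash"
        if b.publisher is not None and b.publisher in self.publishers:
            return "publisher"
        if any(b.path.startswith(p) for p in self.paths):
            return "path"
        return None

    def decide(self, b: Binary) -> str:
        """Return 'allow', 'block' (enforce mode) or 'audit' (would have blocked)."""
        if self.match(b):
            return "allow"
        verdict = "block" if self.mode == "enforce" else "audit"
        self.events.append((verdict, b.path))   # blocked attempts feed monitoring
        return verdict

# Constructed sample data.
APPROVED_BUILD = b"constructed: approved tool build v1"
POLICY = Allowlist(hashes={hashlib.sha256(APPROVED_BUILD).hexdigest()},
                   publishers={"Contoso Ltd"}, mode="enforce")

if __name__ == "__main__":
    print(POLICY.decide(Binary("/opt/apps/tool", APPROVED_BUILD)))          # allow
    print(POLICY.decide(Binary("/opt/apps/tool", APPROVED_BUILD + b"!")))   # block
    print(POLICY.events)
```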
Appendix D: Wireless Device Commissioning Checklist (Access Point)
Appendix E: PCI DSS 4.0.1 Endpoint & Cloud Security Requirements Mapping
| PCI DSS Requirement | Relevant Policy Section(s) | Key Controls Covered |
|---|---|---|
| Req 1 (Network) | Policy Req 2 (Cloud Security Group Policy) | Cloud network segmentation, firewall rules in the cloud. |
| Req 2 (Defaults) | Policy Req 1 (Baseline Config), Policy Req 2 (Secure Config) | Hardening endpoints and cloud resources, changing defaults, disabling unnecessary services. |
| Req 3 (Data Protect) | Policy Req 1 (Encryption), Policy Req 2 (Data Protection), Policy Req 4 (Data) | Full disk encryption, data encryption in cloud (at rest/in transit). |
| Req 4 (Transmission) | Policy Req 1 (VPN ref), Policy Req 2 (Data Protection) | Secure protocols for data transmission from endpoints/cloud. |
| Req 5 (Malware) | Policy Req 1 (EPP/EDR), Policy Req 3 (App Whitelisting) | Anti-malware deployment, configuration, updates, scans, user restrictions; whitelisting as a preventative measure. |
| Req 6 (Secure Systems) | Policy Req 1 (Patch Mgmt), Policy Req 5 (Lifecycle Mgmt) | Patch management for endpoints/cloud OS; secure commissioning. |
| Req 7 (Access) | Policy Req 1 (Access Control), Policy Req 2 (IAM), Policy Req 4 (Auth) | Least privilege, RBAC, unique IDs on endpoints/cloud. |
| Req 8 (Auth) | Policy Req 1 (Access Control), Policy Req 2 (IAM), Policy Req 4 (Auth) | Strong authentication, MFA for admin/cloud access, password complexity, session locks. |
| Req 10 (Logging) | Policy Req 6 (Monitoring/Logging), Policy Req 2 (Logging) | Logging endpoint and cloud activities, forwarding to SIEM. |
| Req 11 (Testing) | Policy Req 1 (Patch/Vuln Mgmt ref), Policy Req 5 (Wireless Comm Checklist ref) | Vulnerability scanning of endpoints/cloud resources; wireless scanning (covered via commissioning/IRP rogue detection). |
| Req 12 (Policies) | Entire Policy | Maintain policies for information security, acceptable use (endpoints/cloud), incident response (endpoint/cloud aspects), risk assessment. |
| 1.5.1 (New) | Policy Req 1 (Removable Media), Policy Req 4 (Mobile Device - General) | Controls for removable media and devices connecting to the CDE and untrusted networks (e.g., laptops used remotely). |