ISO/IEC 27001 Control 8.1: User endpoint devices
Control
Information stored on, processed by or accessible via user endpoint devices should be protected.
Necessity of MidPoint
MidPoint is optional for implementation of this control.
Implementation of this control without midPoint is feasible. However, midPoint provides considerable advantages for implementation of this control, making the implementation more efficient and reliable.
Implementation Overview
MidPoint provides mechanisms to manage non-human identities, which can assist in the management of user endpoint devices.
Implementation Details
MidPoint can manage non-human identities, such as desktop computers, mobile devices and other user endpoint devices. Device identities can be synchronized from authoritative data sources (such as devices registered in Active Directory), or maintained manually in midPoint. Organizational structure and role-based access control (RBAC) can be used to set up policies on endpoint device use, e.g. allowing bring-your-own-device (BYOD) only for selected organizational units or roles. The information classification mechanism can be used to record the classification level of devices, which can then be referenced in the policies. The application inventory provides information about services and applications, which can be used to obtain reports on device access to services and applications. Password management capabilities can be (indirectly) used to enforce device passwords, e.g. through an Active Directory domain. The reporting capability can be used to provide a variety of reports regarding devices, applications and access control.
Rationale
This control deals with remote software maintenance, updates, malware protection, personal firewalls and similar mechanisms, which are mostly out of reach of midPoint. However, midPoint can still provide useful advantages for the management of endpoint devices.