How to Develop An Endpoint Monitoring & Management Policy

Data breaches exposed 7.9 billion records in the first nine months of 2019 according to a report from Risk Based Security. What would happen to your company, your customers, and your reputation if your most trusted employees stole or compromised the data they had access to? Endpoint monitoring and management tools will be a critical technical safeguard when addressing the threat of data breaches as part of your information governance and data loss prevention (DLP) strategy.

Endpoint security software is a valuable tool for mitigating against the dangers of illicit data transfers and file mismanagement, but it can cause serious productivity blocks if not configured in a way that makes sense for your company. In this guide, we will show you how to develop an endpoint monitoring and management policy that meets your data security needs without creating productivity bottlenecks that frustrate your employees.

The Role of Endpoint Monitoring & Management in Data Security

Endpoint monitoring and restriction tools provide a critical layer of security for your data loss prevention (DLP) and data security strategy. Endpoint security software with device control features gives you the means to mitigate devastating data breaches caused by insider threats, rogue USB devices, attacks from cybercriminals, and illicit transfers from unauthorized users.

Protection Against Data Breaches

When developing your endpoint monitoring and restriction policy, you will need to carefully think about the sensitivity of the data you are responsible for protecting. By monitoring and restricting endpoints that have access to the networks where sensitive data is stored, you can prevent serious reputational, operational, and financial damages that will arise following a breach of sensitive data such as intellectual property or personally identifiable information (PII).

Data breaches of sensitive information have devastating consequences for the consumers and companies affected by the data breach. A compromised database full of personally identifiable information is incredibly valuable for cybercriminals as this information can either be used directly for identity theft or sold to others in their network for related purposes.

When sensitive information needs to be supplied to third parties by consumers or companies, they need to have the confidence that the entity they’re working with is capable of protecting their data. 

Companies that fail to adequately protect sensitive data from data breaches can face severe penalties in the form of non-compliance fines and litigation. A proposed $1.13 billion class-action lawsuit was filed against LifeLabs following the potential breach of 15 million health records caused by a ransomware attack. The lawsuit alleges that LifeLabs failed to maintain adequate safeguards to protect the data and seeks compensation for those affected by the breach as they are now vulnerable to identity theft and blackmail from the data exposed in the breach. 

How To Prevent Data Breaches With Endpoint Security Software

  • Disable the ability to copy sensitive files to USB flash drives.
  • Require administrative permissions for any transfer of data to USB devices
  • Improve the security of data transferred through USB flash drives by forcing users to only use authorized USB devices.
  • Alert administrators to users that are attempting to perform actions that put data at risk, including suspicious file operations.

Technical Safeguards for Data Security Compliance

Data security regulations that govern the security standards for sensitive information such as personally identifiable information (PII), personal health information (PHI), or financial records require that adequate measures are taken to protect the data used by the regulated company. Endpoint security software is a critical technical safeguard for protecting sensitive data that is stored on or accessed by endpoints. 

The High Cost of Non-Compliance at a Glance

International Traffic in Arms Regulations (ITAR)
  • Description: United States – Government regulation of defense-related exports and imports. ITAR requires entities to implement measures to prevent the loss of ITAR-controlled data.
  • Applies to: All manufacturers, exporters, and brokers of defense-related imports and exports for the USA, including technical data.
  • Greatest cost of non-compliance (USD): Civil fines of up to $500,000 per violation, criminal fines up to $1,000,000, 10 years imprisonment per violation, as well as bans from providing future exports.

The Federal Information Security Modernization Act of 2014 (FISMA)
  • Description: United States – Cybersecurity framework for protecting sensitive information held by the federal government and related parties.
  • Applies to: Executive agencies within the US federal government.
  • Greatest cost of non-compliance (USD): Loss of federal funding. A low FISMA grade indicates that you are at risk for a data breach.

The Personal Data (Privacy) Ordinance (PDPO)
  • Description: Asia (Hong Kong) – Principle-based data protection law for the use, collection, and handling of personal data.
  • Applies to: Private and public sectors that process data in or from Hong Kong.
  • Greatest cost of non-compliance (USD): A fine of up to ~$128,862 (HK$1,000,000) and imprisonment.

The General Data Protection Regulation (GDPR)
  • Description: Europe – Principle-based data protection law for the use, collection, and handling of personal data.
  • Applies to: Companies and other entities that process personal data of EU citizens, including website cookies and other marketing data.
  • Greatest cost of non-compliance (USD): Discretionary fines of the greater of ~$22,096,200 (€20 million) or 4% of annual global turnover.

The Health Insurance Portability and Accountability Act (HIPAA)
  • Description: United States – National act for regulating the electronic transmission of health information.
  • Applies to: Health plans, healthcare clearinghouses, and healthcare providers who electronically transmit any health information in connection with transactions for which HHS has adopted standards.
  • Greatest cost of non-compliance (USD): Fines of up to $1.5 million per violation category per year.

Endpoint Restriction Use Cases

Each industry and organization will have its own unique set of data security requirements that will heavily inform their endpoint restriction policy. While the use of data security best practices will always be necessary to adequately protect data, the level of endpoint restrictions used as a safeguard will vary in intensity depending on the sensitivity of the data the organization handles and the associated level of risk.

Example 1 – John, Military Intelligence

While John’s exact role is top secret, we do know that he works in the field of Military Intelligence. Because John’s information governance and cybersecurity responsibilities are a matter of national security, he takes every precaution available to him to eliminate the potential for unauthorized data transfers and to mitigate cybersecurity threats.

John’s Endpoint Security Policy

  • All USB devices have been blocked from use on the endpoints he is in charge of protecting. 
  • His policies are further enforced by physically banning USB devices from the premises – if John discovers a USB device he treats it as a highly suspicious threat. 
  • Projects that require data transfers must be approved, monitored, and managed by the security team
  • Any attempts to bypass USB permissions will send alerts to his security personnel for immediate investigation.

Example 2 – Sam, HIPAA Security Officer

Sam is the HIPAA Security Officer for her company. She uses endpoint monitoring and restriction to protect the sensitive personal health information (PHI) of patients as a technical safeguard for maintaining HIPAA compliance for her company.

Sam’s Endpoint Security Policy

  • Only company-provided encrypted USB devices are allowed to be used for transmitting data. Attempts to use personal USB devices are blocked by her endpoint security software and an email alert is sent to her security team for review.
  • USB devices must be signed in and out daily and only used internally. Her staff are never permitted to bring their USB devices outside of the building.
  • Reports on all file operations & devices connected to endpoints are reviewed by Sam on a daily basis. She uses endpoint activity monitoring to ensure that system activity can be traced to a specific user in the event that a data breach is discovered. 
  • Attempts to bypass software-enforced endpoint restrictions are blocked, logged, & reported to Sam’s security team for review

Example 3 – Karen, Retail Manager

Karen is a manager for an independent retail company that sells through an eCommerce platform. Karen’s payment processing is handled by a third party that maintains their own data security compliance, however, she collects personally identifiable information of customers when arranging shipment of her products. She wants to use endpoint monitoring to alert her to incidents of her staff attempting to perform illicit data transfers.

Karen’s Endpoint Security Policy

  • Unknown USB devices are blocked from transmitting data by default but are later allowed once scanned for viruses
  • Data transfers from unknown USB devices are blocked
  • The USB ports on her computers are configured to still allow for the charging of phones and other USB devices. 
  • Karen reviews her endpoint activity reports weekly to check for suspicious file operations  & strange endpoint activity

Example 4 – Chris, Design Agency CEO 

Chris started his design career as a freelancer. Over time his independent operation grew into a modest design agency with his own employees and contractors. To help make IT security easier to manage, he ensures that his creative staff members do not need or have access to any sensitive data for the work that they do. Chris primarily uses file operations monitoring reports to protect his company’s intellectual property (IP) by ensuring that only pre-approved renders for portfolios leave the office.

Chris’ Endpoint Security Policy

  • All USB devices are allowed by default
  • Chris is immediately alerted with an email when attempts to transfer specific IP-related file extensions are detected
  • To protect company and customer financial data, if anyone in his Finance department tries to transfer files to a USB device they are blocked and Chris is alerted

4 Critical Considerations for Your Endpoint Security Policy

When developing your endpoint security policy, these are key considerations that will influence the level of device control measures that you implement, the users and/or devices that you restrict, and how you will best use monitoring data to inform your data loss prevention and data breach mitigation strategy.

1) Define the Endpoints & Peripherals That You Need to Restrict

The policies you develop will be heavily influenced by the devices you intend to manage. Each endpoint device has a unique risk level and accompanying management needs. It is critical that you understand the unique needs of each of these devices as they will influence the level of monitoring and restrictions implemented.

USB Device Security

Users with access to sensitive data need to be closely monitored, particularly when their endpoints have integrated data transfer hardware such as USB ports, SD/MM card slots, CD drives, or Bluetooth. Endpoint security software allows you to implement software-enforced policies that prevent illicit data transfers by blocking users from copying files to USB devices such as flash drives and external hard drives, providing an added layer of security against data theft and accidental breaches caused by mismanaged USB devices.

Unmanaged USB devices including personal flash drives, mobile phones, and miscellaneous devices such as USB-powered fans are a potential vector for data breaches caused by malware should the devices be unknowingly compromised. If your company has stringent data security standards, it is strongly advised that you limit the number of permitted USB devices by implementing software-enforced USB access policies. 

Internet-Connected Hardware, Networking Devices, & Applications

Internet connectivity serves as a vital resource for managing distributed teams, sharing information, and connecting with customers. The internet also poses a remarkable cybersecurity vulnerability that needs to be managed appropriately. 

The internet provides malware with a gateway to systems by transmitting it through compromised files sent in phishing emails as well as through “drive-by” downloads where a malicious website installs the malware on the user’s computer without their knowledge. These common internet-based attacks are best mitigated through the use of content filtering tools that allow for the blocking of dangerous websites, prevent the opening of suspicious files, and disable unauthorized computer programs.

It’s important to note that computers that are not connected to the internet via an ethernet cable may still be connected to a Wi-Fi network if they have Wi-Fi hardware installed. You can further prevent the potential for accidental internet access as part of your endpoint management policy by implementing a software-enforced policy that disables Wi-Fi hardware or by using internet blocking software.

Internet-of-Things (IoT) Devices

IoT devices provide a unique level of risk thanks to a combination of their access to the network and a lack of robust security standards for IoT device manufacturers. A seemingly innocuous IoT sensor that helped a casino manage its aquarium became an entry point for a data breach that resulted in an information leak about the casino’s high-rollers. IoT vulnerabilities are largely caused by surprisingly widespread practices such as hardcoded passwords, web interfaces without sufficient authentication measures such as multi-factor authentication (MFA), and an inability or lack of support to securely patch known security vulnerabilities.

Due to their unique risk, these devices need to be treated with an added layer of caution, particularly if the device or the manufacturer does not natively support adequate cybersecurity measures. Unless you can confidently confirm otherwise, it is best to assume IoT devices are high-risk and treat them appropriately, including placing them on an entirely separate network that does not have access to sensitive data (“air gapping” or network segmentation).

Mobile Device Management

Mobile devices are popular among professionals that want to continue working while traveling. Unfortunately, the portability of mobile devices comes at the cost of reduced physical security and added network vulnerabilities. If your employees are potentially working from outside a secured building in favor of a local coffee shop, airport, or co-working space, they will require greater monitoring and restriction to address the added risk. 

To mitigate the risks associated with mobile devices, you can make use of an enterprise-class Mobile Device Management (MDM) system. An MDM allows you to delete sensitive data remotely, track lost or stolen devices, and enforce MFA on mobile devices, among a suite of other important features for securing mobile endpoints.

Risk Factors for Mobile Devices:

  • Insecure Wi-Fi networks (Public Wi-Fi, fake Wi-Fi hotspots set by attackers)
  • Data security vulnerabilities caused by attacks that use Bluetooth
  • Reduced physical security: Increased opportunities for theft or loss
  • Visual eavesdropping when working in public spaces
  • Juice Jacking: Compromised public USB charging ports that install malware onto mobile devices

2) Determine the Level of Restrictions Required

While implementing the highest level of endpoint restriction possible will provide greater threat mitigation, a policy that is far more restrictive than necessary for the endpoint’s corresponding risk level will create unnecessary productivity and usability bottlenecks. The bottlenecks caused by an overzealous endpoint security policy will needlessly frustrate users, leading to a greater risk of non-compliance with your organization’s endpoint and data security requirements.

When determining the level of restrictions required for your endpoint monitoring and management policy, it is important to tailor the degree of restriction based on the risk level associated with the device. Endpoint devices can be placed into three risk categories: Low Risk, Moderate Risk, and High Risk. 

Evaluating Levels of Risk for Endpoints

The risk category for a given endpoint is classified based on the severity of the impact should the device be compromised as well as the likelihood that such an event will occur. It is important to note that while moderate and high-risk assets should be prioritized, even low-risk endpoints must meet minimum security standards to prevent them from becoming a vulnerability due to mismanagement. 

An endpoint device that is seemingly low in risk can actually belong to the high-risk category if it has access to a shared network that could be used as an entry point for a hacker performing a cyberattack. 

[Image: Risk matrix. The higher the impact of a data breach and the more likely the device is to be compromised, the greater the risk.]

The below risk factors will serve as a baseline for evaluating the risk level of your endpoints. These risk factors can be more or less risky than outlined below depending on how they interact with other risk factors. A publicly accessible endpoint has lower physical security and is thus potentially a high-risk device, however, if it has no access to sensitive data (ex. a public-facing digital map kiosk that is unable to connect to higher-risk systems) it could be considered low-risk. 

Device Accessibility
  • Lower Risk: Trusted, monitored & managed employees
  • Moderate Risk: Trusted, monitored & managed guests
  • High Risk: General public

Hardware & Software
  • Lower Risk: Whitelisted/authorized devices
  • Moderate Risk: Wireless internet (Wi-Fi)
  • High Risk: Shadow IT [1]; Internet-of-Things (IoT) devices; unpatched and legacy systems [2]; unmanaged USB devices and ports

Data Sensitivity
  • Lower Risk: Publicly available data or data that is intended to be openly available without restriction
  • Moderate Risk: Unpublished, unclassified, and otherwise non-sensitive internal documents such as meeting minutes
  • High Risk: Devices that are connected to a network with access to data that is expected to be compliant with data security requirements such as HIPAA, GDPR, FERPA, FISMA, ITAR, PCI-DSS, etc.

Level of Importance
  • Lower Risk: Devices that are connected to systems that provide non-critical services, such as a digital map kiosk for patrons in a mall
  • Moderate Risk: Devices that are connected to systems that provide an important service, such as employee workstations that are used to perform day-to-day duties
  • High Risk: Devices that are connected to systems that provide a critical service such as IoT-connected power systems
    Devices that are connected to systems that would

Difficulty of Recovery
  • Lower Risk: The connected system is easily recovered with minimal to no disruption to operations
  • Moderate Risk: The connected system is able to be recovered with moderate disruption to operations
  • High Risk: The endpoint is connected to systems that are difficult to recover or recovery will cause a major disruption to operations

[1] Shadow IT: Unapproved software/hardware that is not managed by the corporate IT security team.
[2] Legacy systems: Systems that rely on outdated hardware and software that is no longer receiving critical security updates from their manufacturer(s) or the organization.
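The five factors above combined into a single rating for an endpoint, as an added example that is not CurrentWare's code. Accessibility and hardware are treated as the likelihood side of the matrix, data sensitivity, importance and recovery difficulty as the impact side; the combination thresholds and the sample endpoints are this example's assumptions, since the page rates each factor but does not fix how they combine.

```python
"""Endpoint risk classification (added example, not the page's own code).

Each factor from the table above is rated Low (1), Moderate (2) or High (3).
The likelihood x impact matrix is an assumption of this example.
"""
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Dict, List

LOW, MODERATE, HIGH = 1, 2, 3
LABEL = {LOW: "Low Risk", MODERATE: "Moderate Risk", HIGH: "High Risk"}

# Per-factor ratings transcribed from the table above.
ACCESSIBILITY = {"employees": LOW, "guests": MODERATE, "public": HIGH}
HARDWARE = {"whitelisted": LOW, "wifi": MODERATE, "shadow_it": HIGH,
            "iot": HIGH, "legacy": HIGH, "unmanaged_usb": HIGH}
DATA = {"public": LOW, "internal": MODERATE, "regulated": HIGH}
IMPORTANCE = {"non_critical": LOW, "important": MODERATE, "critical": HIGH}
RECOVERY = {"easy": LOW, "moderate": MODERATE, "difficult": HIGH}

# (likelihood, impact) -> category. Assumed thresholds: a high-impact device is
# always High Risk; a device whose compromise would barely matter (public data,
# non-critical, trivially rebuilt) stays Low Risk even when publicly accessible,
# which is the map-kiosk case the text describes.
MATRIX = {
    (LOW, LOW): LOW, (MODERATE, LOW): LOW, (HIGH, LOW): LOW,
    (LOW, MODERATE): MODERATE, (MODERATE, MODERATE): MODERATE, (HIGH, MODERATE): HIGH,
    (LOW, HIGH): HIGH, (MODERATE, HIGH): HIGH, (HIGH, HIGH): HIGH,
}


@dataclass
class Endpoint:
    name: str
    accessibility: str
    hardware: List[str]
    data_sensitivity: str
    importance: str
    recovery: str
    # Shared-network path to sensitive data: the "seemingly low in risk" case.
    reaches_sensitive_network: bool = False


@dataclass
class Assessment:
    endpoint: str
    likelihood: int
    impact: int
    category: str
    drivers: List[str] = field(default_factory=list)  # highest-rated factors


def assess(ep: Endpoint) -> Assessment:
    ratings: Dict[str, int] = {
        "accessibility": ACCESSIBILITY[ep.accessibility],
        "hardware": max((HARDWARE[h] for h in ep.hardware), default=LOW),
        "data": DATA[ep.data_sensitivity],
        "importance": IMPORTANCE[ep.importance],
        "recovery": RECOVERY[ep.recovery],
    }
    likelihood = max(ratings["accessibility"], ratings["hardware"])
    impact = max(ratings["data"], ratings["importance"], ratings["recovery"])
    category = MATRIX[(likelihood, impact)]
    top = max(ratings.values())
    drivers = [f"{name} rated {LABEL[r]}" for name, r in ratings.items() if r == top]
    # A shared-network path to sensitive data makes the device an entry point
    # for an attacker, so it is High Risk regardless of its own factors.
    if ep.reaches_sensitive_network and category < HIGH:
        category = HIGH
        drivers.append("shared-network path to sensitive data")
    return Assessment(ep.name, likelihood, impact, LABEL[category], drivers)


# Constructed sample endpoints for illustration.
SAMPLE = [
    Endpoint("lobby map kiosk", "public", ["whitelisted"], "public", "non_critical", "easy"),
    Endpoint("PHI workstation", "employees", ["whitelisted"], "regulated", "important", "moderate"),
    Endpoint("guest laptop on Wi-Fi", "guests", ["wifi"], "internal", "important", "moderate",
             reaches_sensitive_network=True),
]

if __name__ == "__main__":
    for ep in SAMPLE:
        a = assess(ep)
        print(f"{a.endpoint}: {a.category} (likelihood {a.likelihood}, impact {a.impact}); "
              + "; ".join(a.drivers))
```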

3) Supporting Elements for Endpoint Security Policies

Supporting elements of endpoint security policies such as defining the acceptable use of devices (AUDs/AUPs) are critical for further enforcing endpoint monitoring and restriction as they provide the baseline for what will be considered suspicious activity in the context of your organization. With a well-established set of expectations, you can properly address behaviors that put the integrity of data security at risk. 

Well-defined and communicated written policies and guidelines provide a necessary structure for communicating your expectations of how endpoint device management and information governance is to be carried out by employees and other users in your company. While templates can serve as a structure for understanding the core principles, you cannot afford to forgo mindfully considering the elements that are important for your company’s data security needs.

What To Include In Your Policy

  1. What is the goal of your endpoint security policy/AUD?
    • Maintaining internal or regulatory data security compliance
    • Protecting intellectual property (IP) such as trade secrets
    • Increasing your company’s competitive advantage by demonstrating proactive cybersecurity to potential business partners and customers
    • To mitigate the potential for damage to operations caused by cybersecurity threats
    • To protect the safety and security of data in your role as a data processor
  2. What security measures are you taking to ensure data security?
    • Enforced multi-factor authentication (MFA)
    • Security software for endpoint device control, antivirus, and content filtering
    • Security personnel responsible for policy enforcement and data security management
    • Restricting and carefully managing the number of users with administrative access or elevated permissions
    • Patch management procedures
    • Network segmentation
    • Automated “health checks” of devices to verify they meet the minimum cybersecurity standards to access your network
    • Cybersecurity training for users that use technology in the workplace
    • The development of policies intended to address data security priorities and practices
  3. What are the security responsibilities of your users and personnel?
    • Who is primarily responsible for ensuring information security and compliance in your organization?
    • What is considered “mishandling” of data?
      • What are the approved procedures for accessing, storing, and transmitting data? Do these measures change based on the data classification?
      • Are USB devices and files required to be encrypted?
      • Where is data permitted to be stored, transmitted, and accessed?
      • Who is allowed to access confidential or sensitive data?
    • Who is responsible for maintaining critical security updates (patches)?
    • What are the minimum security standards for devices that require connection to your network? 
  4. What applications/devices/peripherals are allowed to be used and what is not permitted?
    • Can employees use their own peripherals (USB devices, keyboards, etc), or will that pose an undue security risk?
    • Are employees permitted to use their own devices to perform work tasks? If so, what security measures are they expected to take?
    • If guests bring USB devices for a presentation or for sharing files, how will your security team manage that? Will they be required to check in with your IT department or will department managers be permitted to manage guest device permissions?
    • Who is permitted to install software onto endpoints?
    • What operating systems (OSs) are permitted? How will you manage the risks of legacy OSs?
  5. Other considerations
    • Who can employees contact with security concerns and questions?
    • How often will your policies be reviewed and updated? Who is responsible for ensuring this is done?

4) Plan For How You Will Use Endpoint Monitoring Data

Auditing the monitoring data and alerts provided by your chosen endpoint detection and response software is an integral component of maintaining endpoint security as it provides you and your security team with valuable insights into the activities carried out on endpoints within your network. The insights from these reports can be used to identify non-compliant users using endpoint devices in an insecure manner, collect evidence of illicit file transfer attempts, and monitor the peripheral devices used within your company.

AccessPatrol’s Endpoint Monitoring Reports & Alerts

  • Devices Accessed (All): Receive email alerts or scheduled summary reports when your users (employees, patrons, etc) connect any peripheral devices on your endpoints. These reports are best used for maintaining a log of all endpoint activity for use in the event of an investigation.
  • Devices Accessed (Allowed): An overview of the endpoint activity history of allowed devices. Best used to study the usage patterns of approved peripherals within your company to confirm they are being used as expected.
  • Devices Accessed (Blocked): These reports are best used to alert security personnel to attempts to use prohibited devices on company endpoints. The devices will be blocked from use and the user/device that was used inappropriately will be logged for further investigation.
  • File Operations: These endpoint reports provide an overview of files that are created, renamed, transferred, or deleted from external storage devices. These reports are critical for monitoring the flow of data to and from USB storage devices as well as identifying the user responsible for initiating the transfer.

Evaluating Endpoint Monitoring Reports

  • How will endpoint monitoring data be used?
    • Will a member of staff be actively monitoring reports for suspicious or unsafe activity, or will monitoring data be used as a passive method of evidence collection for an audit following the discovery of a data breach?
    • Who will be responsible for auditing security logs?
  • What details are relevant to your endpoint security goals?
    • Will you need to know about every peripheral device being used in your organization, or only when unknown/blocked devices are used on endpoints?
  • What is suspicious in the context of your organization?
    • Review what is covered by your AUD. How severe is non-compliance with what is outlined?
    • A Database Administrator with file operations related to the database may not be suspicious, but what about when frontline workers attempt to modify or transfer these files?
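How the policies in the personas above and the "what is suspicious in your context" questions here translate into triage of device-connect and file-operation events, as an added example that is not CurrentWare's or AccessPatrol's code. The event fields, user names, device identifiers and file paths are constructed for the example; it encodes Sam's authorized-device rule, Chris's IP-extension alert and Finance block, and the role-aware database example from the last bullet.

```python
"""Rule-driven triage of endpoint monitoring events (added example, not the page's code).

Two event kinds are modelled, matching the report types above: a peripheral
connecting to an endpoint, and a file operation on external storage. The first
matching rule decides allow/block and whether to alert; everything blocked or
alerted becomes one investigation-log line naming who, what and which device.
"""
from __future__ import annotations
from dataclasses import dataclass
from typing import Callable, List, Optional, Sequence, Set


@dataclass(frozen=True)
class Event:
    user: str
    department: str
    endpoint: str
    kind: str            # "device_connect" or "file_op"
    device_id: str       # peripheral identifier (constructed values below)
    operation: str = ""  # for file_op: "create", "rename", "copy" or "delete"
    path: str = ""       # for file_op: the file involved


@dataclass(frozen=True)
class Decision:
    action: str          # "allow" or "block"
    alert: bool          # whether security staff are notified
    rule: str            # which rule decided, for the investigation log


Rule = Callable[[Event], Optional[Decision]]


def authorized_devices_only(authorized: Set[str]) -> Rule:
    """Sam's policy: only company-provided devices; anything else is blocked and reported."""
    def rule(ev: Event) -> Optional[Decision]:
        if ev.device_id not in authorized:
            return Decision("block", True, "unauthorized device")
        return None
    return rule


def block_department_transfers(departments: Set[str]) -> Rule:
    """Chris's policy: Finance may not move files to USB at all."""
    def rule(ev: Event) -> Optional[Decision]:
        if ev.kind == "file_op" and ev.department in departments:
            return Decision("block", True, "department not permitted to transfer")
        return None
    return rule


def alert_on_extensions(extensions: Sequence[str]) -> Rule:
    """Chris's policy: IP-related file types are allowed by default but alerted."""
    def rule(ev: Event) -> Optional[Decision]:
        if ev.kind == "file_op" and ev.path.lower().endswith(tuple(extensions)):
            return Decision("allow", True, "IP-related file type")
        return None
    return rule


def role_aware_path_rule(prefix: str, permitted: Set[str]) -> Rule:
    """The DBA example: the same operation is routine for one role, suspicious for another."""
    def rule(ev: Event) -> Optional[Decision]:
        if ev.kind == "file_op" and ev.path.startswith(prefix) and ev.department not in permitted:
            return Decision("block", True, "role not permitted for this data")
        return None
    return rule


def evaluate(rules: List[Rule], default: Decision, ev: Event) -> Decision:
    """First matching rule wins; otherwise the policy's default applies."""
    for rule in rules:
        decision = rule(ev)
        if decision is not None:
            return decision
    return default


def triage(rules: List[Rule], default: Decision, events: Sequence[Event]) -> List[str]:
    """One investigation-log line per event that was blocked or alerted."""
    lines = []
    for ev in events:
        d = evaluate(rules, default, ev)
        if d.action == "block" or d.alert:
            what = f"{ev.operation} {ev.path}" if ev.kind == "file_op" else "device connect"
            lines.append(f"{d.action.upper()} [{d.rule}] {ev.user}/{ev.department} "
                         f"on {ev.endpoint}: {what} via {ev.device_id}")
    return lines


# Chris's agency: everything allowed by default, Finance blocked, IP file types alerted.
CHRIS_RULES = [block_department_transfers({"Finance"}), alert_on_extensions((".psd", ".ai"))]
CHRIS_DEFAULT = Decision("allow", False, "default allow")
CHRIS_EVENTS = [  # constructed sample events
    Event("jane", "Design", "WS-DES-01", "device_connect", "USB-1A2B"),
    Event("jane", "Design", "WS-DES-01", "file_op", "USB-1A2B", "copy", "portfolio/render_final.png"),
    Event("jane", "Design", "WS-DES-01", "file_op", "USB-1A2B", "copy", "projects/acme/logo.ai"),
    Event("bob", "Finance", "WS-FIN-02", "file_op", "USB-9F9F", "copy", "ledgers/q1_invoices.xlsx"),
]

# Sam's clinic: company-provided encrypted devices only, database files for DBAs only.
SAM_RULES = [authorized_devices_only({"ENC-0001", "ENC-0002"}), role_aware_path_rule("db/", {"DBA"})]
SAM_DEFAULT = Decision("allow", False, "default allow")
SAM_EVENTS = [  # constructed sample events
    Event("pat", "Nursing", "WS-NUR-03", "device_connect", "PERSONAL-77"),
    Event("ann", "DBA", "WS-DBA-01", "file_op", "ENC-0001", "copy", "db/nightly.bak"),
    Event("lee", "Frontline", "WS-NUR-03", "file_op", "ENC-0002", "copy", "db/nightly.bak"),
]

if __name__ == "__main__":
    for line in triage(CHRIS_RULES, CHRIS_DEFAULT, CHRIS_EVENTS) + triage(SAM_RULES, SAM_DEFAULT, SAM_EVENTS):
        print(line)
```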

Implementing Your Endpoint Monitoring and Management Policy

Now that you have outlined the core principles and tools for your endpoint monitoring and management strategy, it is time to implement it. To make the transition as seamless as possible, your policy implementation strategy needs to be mindfully planned and designed to best guide your users through the process of acclimating to their new workflows and expectations.

Collect Employee Feedback

While the security of your data is paramount, that does not mean you should forgo consulting your employees – after all, they are the ones that are the most intimately familiar with what is needed for them to work effectively. 

Collecting end-user feedback on your endpoint security and management framework provides you with the perfect opportunity to identify elements of your policy that may cause an unexpected productivity bottleneck. While not every piece of feedback can be acted on, you are likely to find opportunities where your proposed policy can be reasonably adjusted to better fit the workflow of your constituents.

Educate Your Users

A policy that is written but not adequately communicated is not likely to effectively fulfill its purpose. Policy education is essential for anyone who is expected to use technology in your workplace as it ensures that your baseline of expectations is fully understood and that a precedent for enforcement is established.

  • Use multiple communication channels to disseminate your policy (email, bulletin boards, direct coaching, team meetings, etc).
  • Ensure that your policy is readily accessible for anyone that needs to refer to it. The policy can be provided on your company’s intranet or within an employee manual.
  • Regularly review your policy with your users to mitigate against non-compliance caused by forgetting the policy’s mandates.
  • Periodically test the policy awareness and knowledge of your employees to ensure they understand their endpoint security responsibilities.

Consistently Enforce Your Policy

The effectiveness of your policy will rely heavily on your willingness to consistently enforce the standards you have for your users in the event that they fail to comply with their data security responsibilities. Software-based enforcement measures are an excellent protective tool, however, they should not be the sole source of your policy enforcement; you need complementary measures.

Options for Policy Enforcement

  • Assign a designated member of staff that is responsible for policy enforcement. When they are alerted to suspicious endpoint activity they must investigate it in a timely manner.
  • Ensure that all supervisors, managers, and other influencers in your company are leading by example. Your employees cannot be expected to take data security seriously if those above them are not held to the same standard.
  • Pre-determine the enforcement procedures that you will perform based on the severity of the actions taken and any other factors that are relevant to your company. Depending on the severity of the non-compliance this could take the form of re-educating users on their expectations and responsibilities or a critical warning that sets a precedent for dismissal. 

Review Your Policy Regularly

The frequency with which you review your policy will depend on your security needs and the regulatory compliance frameworks you are subject to. For example, entities covered under HIPAA are expected to “review documentation periodically, and update as needed, in response to environmental or operational changes affecting the security of the electronic protected health information.” 

When to Review Your Policy

  • At a predetermined frequency (at least 1-2x annually)
  • After amendments to expectations are made by external regulatory bodies
  • When unique threats to data security are identified
  • Following a data breach within your company
  • After the introduction of a new law that may affect your company (GDPR, CCPA, etc)
  • When new technology is introduced to your company

How to Review Your Policy

  • Determine the members that will take on the role of Information Security Officer or a similar position. Your designated security personnel will be responsible for ensuring that policies are reviewed appropriately, along with the other key responsibilities as outlined by your organization’s unique regulatory standards.
  • Perform a risk analysis to identify areas of your policy that may no longer be relevant or that otherwise need updating to best reflect your current security needs.
  • Collect and review policy feedback from key stakeholders to better identify areas of the policy that need to be amended to improve clarity, relevance, or effectiveness.


With an endpoint monitoring and management strategy backed by robust tailored policies and endpoint protection software, you will be better prepared to mitigate against devastating data breaches. By taking a proactive approach to data security your company will be better positioned to use data safely, make advantageous partnerships, and protect the integrity of your operations.

Dale Strickland
Dale Strickland is a Marketing Coordinator for CurrentWare, a global provider of endpoint security and employee monitoring software. Dale’s diverse multimedia background allows him the opportunity to produce a variety of content for CurrentWare including blogs, infographics, videos, eBooks, and social media shareables.