Review existing security infrastructure before deploying a new IT service into the production environment. The following table provides specific questions to ask about your existing and potential security infrastructure to better understand how deploying Endpoint Encryption may affect the organization.
Category
Questions
End users
  1. Does the end-user training include the new functionality that Endpoint Encryption provides?
  2. Is the Acceptable Use Policy (AUP) updated to include encryption services, especially any penalties for not using or bypassing encryption?
  3. Are users notified when they log on to the endpoint that aligns with the AUP?
  4. Are all users fully trained on how to report a lost or stolen device?
  5. Have users been trained on procedures regarding failed login attempts and password recovery?
  6. Is there a policy regarding encryption of confidential documents that are sent outside of the organization?
  7. Have any new password policies been added to the AUP?
Incident response
  1. Has the Incident Response (IR) policy been updated to include actions taken when a device is lost or stolen?
  2. Has an audit log review schedule been established for the PolicyServer logs?
  3. Have the email alerts been added to the IR policy, including the recipients and the expected response when an alert is received?
  4. Have specific criteria been developed to allow a device to be killed or wiped, including any audit trail documentation after the action is completed?
Risk assessment
  1. Has a new risk assessment been conducted to show the change in risk profile Endpoint Encryption has provided?
  2. Have Risk Assessment procedures been updated to include the audit data that the PolicyServer provides?
Disaster recovery
  1. Has PolicyServer been added to the Critical Services list?
  2. Is the DR/BC plan updated to include the restoration of the PolicyServer service?
  3. Is a process developed to allow user data to be recovered from a device?
Human resources
  1. Is the New Employee checklist updated to include any new process for Endpoint Encryption?
  2. Is the termination process updated to include Endpoint Encryption? Consider the following:
    • Backing up, formatting, or restoring devices
    • Locking or killing devices
    • Disabling accounts in PolicyServer
Removeable media
  1. What USB and other removeable media devices are allowed in your network?
  2. Will removeable media devices be accessible at all hours of the day, or will you have set times where removeable device authentication is not allowed?
  3. Where can users access removeable media devices: on-network, off-network, over VPN, at home?
Compliance
  1. Is the compliance profile updated to include the benefits that Endpoint Encryption provides?
  2. Has a compliance review been conducted on all aspects on the Endpoint Encryption implementation and deployment?