Mapped controls: SI-3 / CM-8 / CM-7 / SI-2 / SC-28 / CM-6 (NIST SP 800-53 Rev 5); NIST CSF

How are endpoints protected?

Description

What this control does

Endpoint protection encompasses the deployment and management of security controls on user workstations, laptops, mobile devices, and servers to prevent, detect, and respond to threats. This includes anti-malware software, host-based firewalls, application whitelisting, endpoint detection and response (EDR) tools, patch management, disk encryption, and device configuration hardening. Effective endpoint protection reduces the attack surface at the most vulnerable point of contact—where users interact with organizational resources—and provides visibility into endpoint behavior to detect compromise.

Control objective

What auditing this proves

Demonstrate that endpoints across the organization are protected by layered security controls that prevent malware execution, detect anomalous behavior, enforce baseline configurations, and maintain current patch levels.

Associated risks

Risks this control addresses

  • Malware infection via phishing, drive-by downloads, or removable media leading to data exfiltration or ransomware deployment
  • Exploitation of unpatched vulnerabilities in operating systems or applications resulting in remote code execution
  • Unauthorized software installation enabling backdoors, cryptominers, or persistence mechanisms
  • Credential theft through keyloggers, browser dumping, or memory scraping on unmonitored endpoints
  • Lateral movement from compromised endpoints lacking host-based segmentation or micro-segmentation controls
  • Data leakage from unencrypted endpoint storage devices that are lost, stolen, or improperly disposed
  • Configuration drift from security baselines exposing unnecessary services, weak protocols, or disabled protections

Testing procedure

How an auditor verifies this control

  1. Obtain a current inventory of all endpoints including workstations, laptops, mobile devices, and servers from asset management or endpoint management platforms.
  2. Review the organization's endpoint protection standard or policy to identify required security controls, approved software, patch timelines, and configuration baselines.
  3. Select a representative sample of endpoints across device types, operating systems, business units, and network segments for detailed testing.
  4. Verify endpoint protection software is installed, running, and current by examining agent status consoles, definition/signature update logs, and version reports.
  5. Inspect endpoint configuration settings against organizational baselines including firewall status, disk encryption state, USB device policies, application control rules, and local administrator restrictions.
  6. Review patch management reports to confirm operating system and application patches are deployed within the organization's defined timeframe for critical, high, and medium severity vulnerabilities.
  7. Examine EDR or anti-malware alert logs for the past 90 days to assess threat detection activity, incident response actions taken, and quarantine or remediation effectiveness.
  8. Test enforcement mechanisms by attempting to install unauthorized software, disable protection agents, or access restricted resources from a sample endpoint in a controlled manner.

Evidence required

Collect endpoint inventory exports showing device counts and protection software deployment status; configuration compliance reports or screenshots from endpoint management consoles demonstrating policy enforcement rates; patch management dashboards showing patch currency by severity level; EDR or anti-malware event logs with detection counts, quarantine actions, and remediation timestamps; baseline configuration policy documents; and test results or screenshots documenting enforcement of application control or security policy violations.

Pass criteria

All sampled endpoints demonstrate active and current endpoint protection software, configurations aligned to organizational baselines, critical and high-severity patches applied within policy timeframes, and effective detection or blocking of simulated threats.
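Steps 4 through 6 of the testing procedure, and the pass criteria above, amount to checking each sampled endpoint against the organization's baseline and rolling the results up into a compliance rate. The script below is an added example, not part of this control page or of any particular endpoint management product. It evaluates a constructed inventory export against an assumed baseline policy; the record field names, the policy thresholds, the hostnames and the dates are all assumptions chosen for illustration, and a real console export would need a small mapping layer onto this shape.

```python
"""Evaluate an endpoint inventory export against an endpoint protection baseline.

Added example (not from the control page). The inventory format, field names and
policy thresholds below are assumptions; real exports from an EDR or endpoint
management console will differ and need a small mapping layer.
"""
from datetime import date

# Assumed baseline: what the organization's endpoint standard requires.
POLICY = {
    "max_signature_age_days": 3,  # AV/EDR definitions no older than this
    "patch_sla_days": {"critical": 14, "high": 30, "medium": 90},
    "require_disk_encryption": True,
    "require_host_firewall": True,
    "require_app_control": True,
    "allow_local_admin": False,
}

# Date the audit sample was taken (constructed).
AS_OF = date(2024, 5, 21)

# Constructed sample inventory, shaped like a flattened console export.
# Dates are ISO strings; "oldest_missing_patch" holds the release date of the
# oldest unapplied patch per severity (None when nothing is outstanding).
INVENTORY = [
    {"hostname": "ws-fin-017", "os": "Windows 11", "agent_installed": True,
     "agent_running": True, "signatures_updated": "2024-05-20",
     "disk_encrypted": True, "host_firewall": True, "app_control": True,
     "local_admin_users": [],
     "oldest_missing_patch": {"critical": None, "high": "2024-05-10", "medium": None}},
    {"hostname": "lt-eng-203", "os": "macOS 14", "agent_installed": True,
     "agent_running": False, "signatures_updated": "2024-05-01",
     "disk_encrypted": True, "host_firewall": False, "app_control": True,
     "local_admin_users": ["jdoe"],
     "oldest_missing_patch": {"critical": "2024-04-15", "high": None, "medium": None}},
    {"hostname": "srv-db-04", "os": "Ubuntu 22.04", "agent_installed": False,
     "agent_running": False, "signatures_updated": None,
     "disk_encrypted": False, "host_firewall": True, "app_control": False,
     "local_admin_users": [],
     "oldest_missing_patch": {"critical": None, "high": None, "medium": "2024-01-05"}},
]


def _age_days(iso_date, as_of):
    """Whole days elapsed between an ISO date string and the audit date."""
    return (as_of - date.fromisoformat(iso_date)).days


def evaluate_endpoint(record, policy, as_of):
    """Return the list of baseline findings for one endpoint (empty means compliant)."""
    findings = []
    # Step 4: protection software installed, running and current.
    if not record["agent_installed"]:
        findings.append("protection agent not installed")
    elif not record["agent_running"]:
        findings.append("protection agent installed but not running")
    sig = record["signatures_updated"]
    if sig is None:
        findings.append("no signature update recorded")
    elif _age_days(sig, as_of) > policy["max_signature_age_days"]:
        findings.append(f"signatures {_age_days(sig, as_of)} days old")
    # Step 5: configuration settings against the baseline.
    if policy["require_disk_encryption"] and not record["disk_encrypted"]:
        findings.append("disk not encrypted")
    if policy["require_host_firewall"] and not record["host_firewall"]:
        findings.append("host firewall disabled")
    if policy["require_app_control"] and not record["app_control"]:
        findings.append("application control not enforced")
    if not policy["allow_local_admin"] and record["local_admin_users"]:
        findings.append("local admin accounts present: " + ", ".join(record["local_admin_users"]))
    # Step 6: patch currency per severity against the policy SLA.
    for severity, sla in policy["patch_sla_days"].items():
        released = record["oldest_missing_patch"].get(severity)
        if released is not None and _age_days(released, as_of) > sla:
            findings.append(f"{severity} patch overdue by {_age_days(released, as_of) - sla} days")
    return findings


def compliance_summary(inventory, policy, as_of):
    """Roll per-endpoint findings up into the figures an auditor asks for."""
    results = {r["hostname"]: evaluate_endpoint(r, policy, as_of) for r in inventory}
    failing = {host: f for host, f in results.items() if f}
    compliant = len(inventory) - len(failing)
    return {
        "sampled": len(inventory),
        "compliant": compliant,
        "compliance_rate": round(compliant / len(inventory), 3),
        "failing": failing,
    }


if __name__ == "__main__":
    summary = compliance_summary(INVENTORY, POLICY, AS_OF)
    print(f"{summary['compliant']}/{summary['sampled']} sampled endpoints compliant")
    for host, findings in summary["failing"].items():
        print(host)
        for finding in findings:
            print("  -", finding)
```

Under the pass criteria, a single finding fails the endpoint, so the summary reports the count of fully compliant devices rather than an average across checks; the per-host finding lists are what goes into the evidence package alongside the console screenshots.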