Device posture check before access
Description
What this control does
Device posture check before access ensures that an endpoint attempting to reach enterprise resources meets predefined security criteria before network or application access is granted. The control typically evaluates device attributes such as operating system version and patch level, presence and currency of antivirus signatures, disk encryption status, host firewall state, presence and health of the endpoint security agent, and conformance to the corporate baseline configuration. Enforcement is typically performed by a Network Access Control (NAC) system, a VPN or Zero Trust Network Access (ZTNA) gateway, or a conditional access policy, which consumes posture signals reported by Endpoint Detection and Response (EDR) or mobile device management (MDM) agents. Mature implementations reassess posture continuously rather than only at connection time, so a device that falls out of compliance loses access rather than keeping it until its next logon, and a device that cannot report its posture at all (no agent, or an agent that has been stopped or tampered with) is treated as non-compliant rather than as unknown.
Control objective
What auditing this proves
Demonstrate that the organization enforces automated device posture checks that verify endpoint security hygiene against defined standards prior to granting access to corporate networks and applications.
Associated risks
Risks this control addresses
- Compromised or infected devices connect to the network and propagate malware laterally across trusted systems
- Unpatched endpoints with known vulnerabilities gain access and are exploited by attackers to establish persistence
- Non-compliant devices lacking encryption expose sensitive data if lost or stolen after being granted network access
- Personal or unmanaged devices bypass security controls and introduce shadow IT risks into the corporate environment
- Devices with disabled security agents or tampered configurations evade monitoring and detection capabilities
- Attackers exploit weak or absent posture validation to move laterally from lower-security zones into sensitive network segments
- Regulatory non-compliance occurs when non-conformant devices access systems containing regulated data without proper safeguards
Testing procedure
How an auditor verifies this control
- Obtain and review the organization's device posture policy documentation that defines required security attributes (OS version, patch level, encryption status, antivirus state, firewall status, agent presence).
- Identify all technical systems implementing posture checks, including NAC solutions, EDR platforms, mobile device management (MDM) systems, VPN concentrators with posture assessment modules, or ZTNA gateways.
- Export and examine configuration files or policy settings from posture enforcement systems to verify that documented requirements are technically implemented and enforced.
- Review access decision logs from a recent 30-day period to confirm that posture checks are actively occurring and that non-compliant devices are being denied or quarantined.
- Select a sample of at least 10 recent connection attempts and trace each through posture assessment logs to verify evaluation of all defined security attributes before access grant or denial.
- Conduct a live demonstration by attempting to connect a test device that fails one or more posture criteria (e.g., outdated antivirus, disabled firewall) and observe automated denial or remediation workflow.
- Interview network and security administrators to confirm the frequency of posture reassessment for already-connected devices, then corroborate their answers against reassessment or session-revocation events in the logs to verify that continuous monitoring or periodic re-validation is actually enforced rather than only described.
- Review exception processes and approval records for any devices granted access despite failing posture checks to ensure compensating controls and time-bound approvals are documented.
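As an added example (written for this page, not code from any NAC, EDR or ZTNA product), the following Python models both the evaluation described under "What this control does" and the log trace an auditor performs in the testing steps above. The policy thresholds, baseline build numbers, device identifiers, posture reports and log records are constructed assumptions. The points it demonstrates are that every defined attribute is evaluated on every attempt (no short-circuiting, so the log can show each one), that a missing or unreadable attribute fails closed, and that the resulting decision records are exactly what the auditor's check runs against: every record must cover every defined attribute, and any access granted despite a failed check must match a documented exception.

```python
"""Added example for this control page (not any NAC/ZTNA product's code).

Part 1 models the posture evaluation: every defined attribute is checked,
a missing or unreadable attribute fails closed, and an access decision
record is produced.  Part 2 is the check an auditor would script over an
exported decision log.  All thresholds, reports and log records below are
constructed sample data.
"""
from datetime import date, timedelta

TODAY = date(2024, 6, 1)            # constructed "as of" date for the sample
MAX_SIGNATURE_AGE_DAYS = 3          # assumed policy threshold for AV currency
MIN_OS_BUILD = {"windows": 22631, "macos": 14}   # assumed baseline builds


def os_patched(report):
    # Unknown OS or missing build number -> not patched (fail closed).
    return report.get("os_build", 0) >= MIN_OS_BUILD.get(report.get("os"), 1 << 31)


def av_current(report):
    last = report.get("av_signature_date")
    return last is not None and (report["as_of"] - last).days <= MAX_SIGNATURE_AGE_DAYS


# The defined posture attributes: name -> predicate over a device report.
POLICY = {
    "os_patch_level": os_patched,
    "antivirus_current": av_current,
    "disk_encrypted": lambda r: r.get("disk_encrypted") is True,
    "firewall_enabled": lambda r: r.get("firewall_enabled") is True,
    "edr_agent_healthy": lambda r: r.get("edr_agent") == "healthy",
}

# Failing one of these means deny outright; other failures go to a
# remediation (quarantine) network.  Assumed policy choice.
HARD_FAIL = {"edr_agent_healthy", "disk_encrypted"}


def evaluate(report):
    """Evaluate ALL attributes (no short-circuit, so the log shows each one)
    and return the decision record that would be written to the access log."""
    checks = {name: bool(pred(report)) for name, pred in POLICY.items()}
    failed = [name for name, ok in checks.items() if not ok]
    if not failed:
        decision = "allow"
    elif any(name in HARD_FAIL for name in failed):
        decision = "deny"
    else:
        decision = "quarantine"
    return {"device_id": report["device_id"], "as_of": report["as_of"],
            "checks": checks, "failed": failed, "decision": decision}


def audit_decision_log(records, policy_attributes, approved_exceptions=()):
    """Return (device_id, finding) pairs for records that contradict the policy."""
    findings = []
    required = set(policy_attributes)
    for rec in records:
        missing = required - set(rec["checks"])
        if missing:
            findings.append((rec["device_id"],
                             f"attributes never evaluated: {sorted(missing)}"))
        failed = [n for n, ok in rec["checks"].items() if not ok]
        if failed and rec["decision"] == "allow" \
                and rec["device_id"] not in approved_exceptions:
            findings.append((rec["device_id"],
                             f"access granted despite failing {failed}"))
        if not failed and not missing and rec["decision"] != "allow":
            findings.append((rec["device_id"],
                             f"compliant device received '{rec['decision']}'"))
    return findings


# Constructed device posture reports, one per scenario.
SAMPLE_REPORTS = [
    {"device_id": "LT-0412", "as_of": TODAY, "os": "windows", "os_build": 22631,
     "av_signature_date": TODAY - timedelta(days=1), "disk_encrypted": True,
     "firewall_enabled": True, "edr_agent": "healthy"},            # compliant
    {"device_id": "LT-0587", "as_of": TODAY, "os": "macos", "os_build": 14,
     "av_signature_date": TODAY - timedelta(days=9), "disk_encrypted": True,
     "firewall_enabled": True, "edr_agent": "healthy"},            # stale AV
    {"device_id": "LT-0903", "as_of": TODAY, "os": "windows", "os_build": 22000,
     "av_signature_date": TODAY, "disk_encrypted": True,
     "firewall_enabled": False, "edr_agent": "stopped"},           # tampered agent
]

# Constructed decision log: the real decisions above plus two records an
# auditor should flag (one grants access despite a failed check, one comes
# from a policy version that never evaluated disk encryption).
DECISION_LOG = [evaluate(r) for r in SAMPLE_REPORTS] + [
    {"device_id": "LT-1100", "as_of": TODAY, "failed": ["firewall_enabled"],
     "checks": {**{n: True for n in POLICY}, "firewall_enabled": False},
     "decision": "allow"},
    {"device_id": "LT-1101", "as_of": TODAY, "failed": [],
     "checks": {n: True for n in POLICY if n != "disk_encrypted"},
     "decision": "allow"},
]

if __name__ == "__main__":
    for rec in DECISION_LOG[:3]:
        print(rec["device_id"], rec["decision"], rec["failed"])
    for device, finding in audit_decision_log(DECISION_LOG, POLICY):
        print("FINDING", device, finding)
```

Against a real export the auditor maps the product's log fields onto the `checks` and `decision` shape used here, seeds `approved_exceptions` from the documented exception approvals, and treats any remaining finding as either a gap between the written policy and the enforced configuration or an undocumented exception. A record whose check set is smaller than the current policy is worth a second look on its own: it usually means a policy version or enforcement point that was never updated.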
Where this control is tested