About this program
Are your laptops actually hardened — disk encryption, local admin, screen lock, USB control?
Risks addressed
- High: Lost / stolen laptop exposes unencrypted data
- High: User running with local admin all day
- Medium: USB-based malware on workstations
Controls (7)
- Critical: Full-disk encryption on every workstation
Testing procedure: BitLocker / FileVault / LUKS — 100% coverage tracked in MDM / RMM.
Evidence to collect: Encryption status report.
- High: No standing local administrator rights
Testing procedure: Users are non-admin by default; elevation via LAPS / Privilege Manager / sudo.
Evidence to collect: Group membership audit.
- Medium: Screen lock + idle timeout
Testing procedure: 15-min idle lock enforced via GPO / MDM.
Evidence to collect: Policy export.
- High: Application allowlisting where feasible
Testing procedure: AppLocker / WDAC / Gatekeeper for high-risk roles.
Evidence to collect: Policy export.
- Medium: USB / removable media policy
Testing procedure: USB mass storage blocked by default or routed through DLP scanning.
Evidence to collect: Endpoint policy.
- Medium: Personal firewall on by default
Testing procedure: Host firewall enforced via policy.
Evidence to collect: Policy export.
- Low: Local browser config managed (cookies, downloads)
Testing procedure: Browser policy template applied via GPO / MDM.
Evidence to collect: Policy export.