Endpoint security

Written by Moodi Mahmoudi
Updated over 3 weeks ago

At a glance

NEXT AI enforces full-disk encryption, screen lock, current security updates, anti-malware/antivirus, personal firewall, encrypted SSH keys, and approved password managers across corporate endpoints. Removable media and offline backups are prohibited. Devices are monitored centrally (Drata).

Fleet management (continuous checks)

  • Full-disk encryption

  • Screen lock enabled

  • Latest security updates installed

  • Malware detection / antivirus

  • Personal firewall

  • Encrypted SSH keys

  • Password management software (approved)

Device hardening & patching

  • Systems follow secure configuration baselines (CIS Benchmarks) and vendor hardening guidance; defaults are changed, unnecessary services are disabled, logging is enabled, and patches are applied based on criticality.

Access & authentication (workstations/laptops)

  • MFA required for remote access; unique IDs, strong passwords, and automatic logoff/screen lock enforced; least-privilege applies to software installation.

Malware protection

  • Anti-malware is installed and enabled on endpoints; definitions update automatically; email/web/downloads are scanned; security tooling must not be disabled.

Removable media & offline backups

  • Use is prohibited to reduce data-loss and malware risk; removable media is restricted to authorized personnel only.

Lost or stolen devices

  • Report immediately; encryption reduces exposure; remote wipe is enabled where possible for mobile devices.

Asset inventory

  • Company-owned devices are inventoried in Drata; devices can be secure-wiped when repurposed or compromised.

FAQ

Q: Do you allow BYOD?

Where business needs require it, BYOD must meet the same controls (e.g., device encryption, screen lock, anti-malware, remote-wipe if possible) before accessing company data.

Q: How is encryption enforced on laptops?

Endpoints are continuously monitored for full-disk encryption as part of fleet checks; unencrypted devices are out of policy.

Q: Which hardening standard do you follow?

CIS Benchmarks provide the baseline for secure configuration; vendor hardening guidance is applied as appropriate.

Q: What happens if a device is lost or stolen?

Report it immediately; encryption limits exposure and remote wipe is initiated where supported.

Q: Can users install their own software?

Only approved software is permitted; installation follows least-privilege rules.

Q: Are USB drives allowed?

No. Removable media and offline backups are prohibited to mitigate data-loss and malware risk.