Endpoint Protection and Malware Policy - SME

This Endpoint Protection – Malware Policy (P20S) is specifically designed for small and medium enterprises (SMEs) seeking robust, practical, and standards-aligned protection against malware threats targeting endpoint devices. Marked by the 'S' in its document number and the delegation of primary responsibility to the General Manager, this policy reflects a streamlined approach suitable for organizations without dedicated CISO, SOC, or full-time IT teams, yet remains fully compliant with leading frameworks, including ISO/IEC 27001:2022. The purpose of this policy is to establish clear, enforceable minimum standards for securing all endpoint devices, including laptops, desktops, tablets, smartphones, and removable media. By addressing the technical, procedural, and behavioral elements of endpoint security, it aims to mitigate common risks such as ransomware, spyware, keyloggers, and USB-based malware. The policy is written to support the organization’s cyber resilience goals and facilitate regulatory compliance, notably with GDPR, NIS2, DORA, and COBIT 2019. Scope is comprehensive: it covers organizational and BYOD devices, regardless of whether they are onsite, remote, cloud-connected, or offline. All staff, managed service providers, contractors, and interns fall under its requirements. The policy details governance for both company-owned and personally owned devices, with particular emphasis on BYOD controls, such as mandatory antivirus or MDM agents, up-to-date patching, encrypted storage, and screen-lock enforcement. Key operational requirements include running approved antivirus or EDR solutions on all endpoints, weekly full system scans, automatic signature updates, blocking suspicious file types, disabling unused services, and real-time USB scanning. If malware is detected, immediate disconnection, IT notification, containment, remediation, and reporting procedures are clearly outlined. Additional controls mandate regular staff awareness training and ongoing simulated phishing exercises to minimize user-related infection risks. The policy further stipulates that critical events (like disabled protections or repeated infection attempts) are logged and alerted, that compliance evidence is retained for audit for at least 12 months, and that exceptions are strictly documented and time-limited. Annual review and trigger-based updates ensure the policy remains effective in response to evolving threats and regulatory changes. All these controls are appropriate for SMEs, providing General Managers and IT support providers with actionable, manageable security steps that fulfill the expectations of major regulatory frameworks.