This outlines a layered approach to endpoint security, covering Zero Trust, Secure by Default, device approval, hardening, patching, malware protection, and encryption.

As we understood the foundational principles for designing and reviewing endpoint security controls in Part 1, we also covered key topics such as standardizing and enrolling approved devices and operating systems, enforcing strong authentication and centralized identity management, and validating trusted network access.

We explored endpoint configuration hardening — including secure boot, BIOS/UEFI settings, app whitelisting, and drift monitoring — as well as privilege management using RBAC and Just-in-Time access. Additionally, we discussed patch and vulnerability management, malware protection through EDR, software installation controls, restrictions on removable media, secure local data storage practices, and enforcing encryption across devices and media — all supported by strong auditing, compliance, and user awareness measures.

With that foundation in place, let’s now move into Part 2, where we’ll walk through the remaining architectural control domains along with a visual framework to tie it all together.

11. Securing Web Browsers

a. Approved Browsers and Configuration ...