Are employee endpoints (laptops/desktops) centrally managed with security controls? (encryption, EDR, patching, etc.)
Explanation & Context
Explanation of the Question
This question asks whether the organization has a centralized system in place to manage and secure employee devices such as laptops and desktops. Central management means using a single platform or tool to oversee and apply security measures across all devices, rather than relying on each user to configure their own machine. The specific security controls mentioned include encryption (protecting data at rest by converting it into a form that cannot be read without the key), Endpoint Detection and Response (EDR, which monitors devices for malicious activity and supports response to threats), and patching (regularly updating software to fix known vulnerabilities).
Why It Matters
Centrally managing security controls ensures that all employee devices adhere to the organization's security policies consistently. This approach helps protect sensitive data, reduces the risk of cyber attacks, and ensures that devices receive the latest security patches. For example, if a new vulnerability is discovered in an operating system, a centrally managed system can apply the necessary patch to all devices quickly, minimizing the window of opportunity for attackers. It also makes compliance measurable: the management platform can report which devices are encrypted, running EDR, and fully patched, and which are not.
Example of Evidence
To demonstrate fulfillment of this question, an organization might provide documentation or configuration reports showing the use of a centralized management platform (like Microsoft Intune or Jamf) that applies encryption policies, deploys EDR solutions (like CrowdStrike or Microsoft Defender for Endpoint), and automates patch management. Additionally, audit logs showing regular updates and security scans across all employee devices would serve as strong evidence of effective central management.
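As an added illustration of what the per-device evidence behind such a report can look like (this is example code written for this page, not a script from Microsoft, Intune, or any of the products named above), the following PowerShell snapshot checks the three controls the question names on one Windows endpoint. It assumes a device that is Intune-enrolled, uses BitLocker for encryption, and runs Microsoft Defender for Endpoint; the freshness thresholds for patches and signatures are assumptions and should be replaced with the organization's own policy values.

```powershell
# Added example (not from the original page): per-endpoint evidence snapshot for
# encryption, EDR, and patching on a Windows device. Run in an elevated session;
# the output is one JSON object that a central collection job can aggregate.
# Assumptions: BitLocker on the OS volume, Microsoft Defender for Endpoint as the
# EDR sensor (service name 'Sense'), Intune/MDM enrollment visible via dsregcmd.

$MaxPatchAgeDays     = 30   # assumption: an update must have been installed within 30 days
$MaxSignatureAgeDays = 3    # assumption: Defender signatures must be under 3 days old

$report = [ordered]@{
    Hostname    = $env:COMPUTERNAME
    CollectedAt = (Get-Date).ToString('o')
}

# 1. Encryption: BitLocker protection state of the OS volume
try {
    $osVol = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction Stop
    $report.BitLockerProtection   = [string]$osVol.ProtectionStatus   # 'On' is the compliant state
    $report.BitLockerVolumeStatus = [string]$osVol.VolumeStatus
    $report.EncryptionCompliant   = ($osVol.ProtectionStatus -eq 'On')
} catch {
    $report.BitLockerProtection = "unavailable: $($_.Exception.Message)"
    $report.EncryptionCompliant = $false
}

# 2. EDR: Defender antivirus engine state plus the Defender for Endpoint sensor service
try {
    $mp = Get-MpComputerStatus -ErrorAction Stop
    $sigAge = (New-TimeSpan -Start $mp.AntivirusSignatureLastUpdated -End (Get-Date)).TotalDays
    $report.RealTimeProtection = $mp.RealTimeProtectionEnabled
    $report.SignatureAgeDays   = [math]::Round($sigAge, 1)
} catch {
    $report.RealTimeProtection = $false
    $report.SignatureAgeDays   = $null
}
$sense = Get-Service -Name Sense -ErrorAction SilentlyContinue
$report.MdeSensorRunning = ($null -ne $sense -and $sense.Status -eq 'Running')
$report.EdrCompliant = $report.RealTimeProtection -and $report.MdeSensorRunning -and
                       ($null -ne $report.SignatureAgeDays) -and
                       ($report.SignatureAgeDays -le $MaxSignatureAgeDays)

# 3. Patching: age of the most recently installed update as reported by Get-HotFix
$latest = Get-HotFix |
    Where-Object { $_.InstalledOn } |
    Sort-Object InstalledOn -Descending |
    Select-Object -First 1
if ($latest) {
    $patchAge = (New-TimeSpan -Start $latest.InstalledOn -End (Get-Date)).TotalDays
    $report.LatestHotFix      = $latest.HotFixID
    $report.PatchAgeDays      = [math]::Round($patchAge, 1)
    $report.PatchingCompliant = ($patchAge -le $MaxPatchAgeDays)
} else {
    $report.LatestHotFix      = $null
    $report.PatchAgeDays      = $null
    $report.PatchingCompliant = $false
}

# 4. Central management: MDM enrollment, taken from the MdmUrl line of dsregcmd /status
$dsreg = dsregcmd /status 2>$null
$report.MdmEnrolled = [bool]($dsreg | Select-String -Pattern 'MdmUrl\s*:\s*\S+' -Quiet)

$report.OverallCompliant = $report.EncryptionCompliant -and $report.EdrCompliant -and
                           $report.PatchingCompliant -and $report.MdmEnrolled

$report | ConvertTo-Json -Depth 3
```

A device that is not enrolled, not encrypted, or missing its EDR sensor shows up with OverallCompliant set to false, which is the gap an assessor is looking for; a fleet-wide export of these records from the management platform's own reporting, rather than ad hoc scripts, is the stronger form of evidence, but the fields checked here are the ones such a report should contain. macOS fleets managed with Jamf would need the equivalent checks against FileVault and the chosen EDR agent.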
Example Responses
Example Response 1
All employee endpoints are centrally managed using Microsoft Intune. Security controls such as BitLocker encryption, Microsoft Defender for Endpoint, and automated patching are consistently applied across all devices.
Example Response 2
Employee endpoints are centrally managed via Jamf Pro. We utilize FileVault for encryption, Jamf Threat for EDR, and automated patch management to ensure all devices are secure and up-to-date.
Example Response 3
Our software is deployed on-premises and does not involve employee endpoints connecting to our systems. Therefore, centralized management of employee endpoints is not applicable to our security posture.