SM-05 Incident & Security Monitoring

Endpoint Protection (EDR)

Endpoints are protected and monitored for malware.

Domain: Incident & Security Monitoring
Control type: Preventive/Detective
Automated / manual: Automated
Frequency: Continuous
Framework reference: MAS Cyber Hygiene

What good looks like

Managed endpoints run anti-malware/EDR with current signatures, centrally monitored.

Risk if it fails

Malware introduction and spread.

How Tess tests it

3 tests — each concludes only on cited evidence.

Endpoint-protection standard defined

Design

Procedure: Inspect the standard.
Expected: EDR/anti-malware required.
Sample: 1 (design inspection)
Evidence: EDR/console coverage report.

EDR coverage across endpoints

Operating

Procedure: Reconcile EDR to the asset list.
Expected: Full coverage; no gaps.
Sample: 25 (or full config inspection)
Evidence: EDR/console coverage report.

Agents/signatures current

Operating

Procedure: Inspect the EDR console.
Expected: Up to date.
Sample: 25 (or full config inspection)
Evidence: EDR/console coverage report.

Evidence Tess looks for

EDR/console coverage report.

More in Incident & Security Monitoring

SM-01 Logging Standard & Retention SM-02 Access & Privileged Activity Logging SM-03 Time Synchronisation (NTP) SM-04 Security Alerting & Anomaly Monitoring

Want Tess to test SM-05 against your evidence?