Virtus Group - MDM Baseline

Executive Summary

This document describes Virtus Group’s standard for this area and how it is applied in practice. It is derived from our internal policies and standards and is intended for both reviewers and operations.

Scope & Assumptions

• In scope: systems and processes directly managed by Virtus Group per contract.
• Out of scope: client-owned or third‑party systems not onboarded to our managed service.
• Dependencies: connectivity, power, and named client contacts for decision making.

Requirements (Key Controls)

• All devices must be managed by Virtus Group (MDM/endpoint protection) (VGL.Cybersecurity.Policy.docx)
• Confidential and client data must not be stored on personal devices (VGL.Cybersecurity.Policy.docx)
• All end user devices must enforce encryption and access controls. (VGL.End.User.Device.Management.Standard.docx)
• Corporate-issued devices must follow standard baseline configurations. (VGL.End.User.Device.Management.Standard.docx)
• Personal devices (BYOD) must comply with minimum security requirements before accessing corporate systems. (VGL.End.User.Device.Management.Standard.docx)
• Devices must be protected against malware, misuse, and unauthorised access. (VGL.End.User.Device.Management.Standard.docx)
• Managers – Ensure staff follow this standard and report non-compliance. (VGL.End.User.Device.Management.Standard.docx)
• All Employees – Must comply with this standard, report lost/stolen devices, and only use approved applications. (VGL.End.User.Device.Management.Standard.docx)
• Issuance – Devices must be configured with Virtus Group’s baseline controls before allocation. (VGL.End.User.Device.Management.Standard.docx)
• Retrieval – Devices must be returned immediately upon termination, transfer, or replacement. (VGL.End.User.Device.Management.Standard.docx)
• Transfer – Transfers must be approved and logged, with device wiped and reconfigured before reissue. (VGL.End.User.Device.Management.Standard.docx)
• Replacement – All replaced devices must be securely wiped before disposal or recycling. (VGL.End.User.Device.Management.Standard.docx)
• All devices must use full-disk encryption (e.g., BitLocker or FileVault). (VGL.End.User.Device.Management.Standard.docx)
• Devices must run approved antivirus/EDR solutions with automatic updates enabled. (VGL.End.User.Device.Management.Standard.docx)
• Removable media or storage devices must not be used. (VGL.Acceptable.Usage.Policy.docx)
• Removable media and or storage devices must not be used to transfer or store any sensitive customer or Virtus Group Ltd data. (VGL.Acceptable.Usage.Policy.docx)
• No customer or Virtus Group Ltd data must be copied to personal storage accounts or devices. (VGL.Acceptable.Usage.Policy.docx)
• This includes the ability to remotely wipe customer or Virtus Group Ltd devices and enforce basic protective controls include multi factor authentication and a passcode to access devices. (VGL.Acceptable.Usage.Policy.docx)
• All software deployed and used on Virtus Group Ltd devices must be approved and authorised. (VGL.Acceptable.Usage.Policy.docx)
• Laptops and portable devices must never be left visible and unattended in vehicles or other publicly accessible locations. (VGL.Acceptable.Usage.Policy.docx)

Procedures / Playbooks

Baseline Targets

• MFA for all users; PAM for privileged with just‑in‑time elevation; monitored break‑glass
• Device posture: full‑disk encryption required; EDR 100% coverage; screen‑lock ≤ 5 minutes
• Patching: OS ≤ 14 days; browsers/critical apps ≤ 7 days
• Access reviews: privileged quarterly; standard semi‑annual
• Joiner/Mover/Leaver: immediate revocation at termination; device wipe/return documented

KPIs & Reporting

• MDM enrollment ≥ 98%
• OS patch ≤ 14d (avg)
• EDR coverage 100%

Evidence & Records

Records are maintained per the VGL Document & Record Control guidelines, including logs, approvals, test outputs, meeting minutes, and reports.