1. Purpose
This standard establishes requirements for the provisioning and ongoing management of contractor endpoints.
2. Overview
In today’s technology environment, Exabeam will be required to engage with external parties and allow access to its information processing facilities for various business reasons. To maintain adequate security controls on all endpoints that handle Exabeam Data, Exabeam IT has established the following requirements for its contracting agencies.
3. Scope
All agencies that contract with Exabeam must adhere to this standard.
This standard applies to any data category (referred to as “Data” in this document) that is created, collected, processed, used, shared, or destroyed for, or by, Exabeam.
4. Statement of Requirements
All endpoints used by Exabeam contractors will be fully managed by Exabeam IT via Jamf for MacBooks or Microsoft Endpoint Manager (“Intune”) for Windows laptops. Contractors will be provisioned an Exabeam user account, email address, and provided access to information systems within the scope of the Statement of Work. All laptops that handle Exabeam Data must be used for Exabeam work only and are subject to the requirements referenced in the Exabeam Acceptable Use Policy.
4.1 ENDPOINT PROCUREMENT
All Exabeam contractors must utilize dedicated laptops. These laptops can either be purchased new or formatted and restored to factory settings by the contracting agency. Laptops must not be older than five [5] years. Contractors should reference the following Exabeam IT requirements when purchasing laptops:
MacBook Requirements
- Core i7 or later Processor
- M1 or later Processor
- 16GB RAM
- 512GB Storage
- macOS Ventura or later Operating System
Windows Requirements
- Dell Latitude series
- Core i7 or later Processor • 16GB RAM
- 512GB Storage
- Windows 10 Pro or later Operating System
4.2 ENDPOINT OWNERSHIP AND SUPPORT
Endpoints will be owned by the contracting agency and fully managed by Exabeam IT. Any endpoint hardware issues should be directed to the contracting agency for resolution.
4.3 MACBOOK ENDPOINT PROVISIONING
4.3.1 All contracting agencies are required to utilize the Apple Device Enrollment Program (DEP) for all procured MacBooks.
4.3.2 Exabeam IT will email the contractor a Welcome Letter prior to their start date. The contracting agency POC will be copied on this email. The Welcome Letter will contain information that will be needed to complete the DEP provisioning process and provides steps to set up accounts (e.g., Single Sign-On, password changes, Multi-Factor Authentication, remote access, etc.). The contractor must follow these instructions the first time they turn on their endpoint. This email should not be printed or shipped with the endpoint.
4.4 PC ENDPOINT PROVISIONING (SELF-ENROLLMENT)
4.4.1 The contracting agency must provide the serial number and contractor name to Exabeam IT no later than three [3] business days before the contractor start date. This will allow Exabeam IT to validate that the endpoint has been properly enrolled within Intune during the Self-Enrollment Process.
4.4.2 Exabeam IT will email the contractor a Welcome Letter prior to their start date. The contracting agency POC will be copied on this email. The Welcome Letter will contain information that will be needed to complete the Self-Enrollment Process and provides steps to set up accounts (e.g., Single Sign-On, password changes, Multi-Factor Authentication, remote access, etc.). The contractor must follow these instructions the first time they turn on their endpoint. This email should not be printed or shipped with the endpoint.
4.5 ENDPOINT DEPROVISIONING AND DISPOSAL
4.5.1 Contracting agencies are responsible when a contractor is offboarded or a reassigned, replaced, or deprecated.
4.5.2 Exabeam IT has implemented a process accounts after thirty [30] days for informing Exabeam laptop is added, to auto-lock stale
4.5.3 All laptops must be wiped by contracting agency via factory reset or other similar method. Endpoints may be reused or disposed of by the contracting agency at their discretion once a successful wipe has been completed.
4.5.4 Contracting agencies must ensure security risks have been mitigated and Exabeam policies and processes are met prior to the disposal of equipment.
5. COMPIANCE
Standard compliance requirements are as follows:
5.1 Compliance Measurement Compliance with Exabeam standards is required. Compliance with standards is verified through various methods, including but not limited to, reports from available business tools, internal and external audits, self-assessments, and/or feedback to the standard owner.
5.2 Compliance Exceptions Exabeam IT must approve exceptions to information technology standards in advance.
6. RELATED POLICIES AND STANDARDS
- Exabeam Code of Conduct
- Acceptable Use Policy
- Access Control Policy
- Trusted Device Standard
- System and Services Acquisition Policy
- Supply Chain Risk Management Policy
7. DEFINITIONS
The following terms and definitions are used in this document:
| Term | Definition |
|---|---|
| Contracting Agency | An agency staffing contractor positions for Exabeam. |
| Contractor | An individual hired through a contracting agency to perform contract work for Exabeam. |
| Stale Account | Account that has not authenticated to Exabeam Active Directory services in thirty [30] days or longer. |
8. APPROVALS
| Area of Responsibility | Name |
|---|---|
| Senior Director, IT Applications | Mark Alexander |
| Chief Information Security Officer | Tyler Farrar |
| Chief Information Officer | Grant McCormick |
9. REVISION HISTORY
| Version | Date | Changes |
|---|---|---|
| 1.0 | Oct 27, 2021 | Initial version |
| 2.0 | Oct 31, 2022 | Annual review. Changed PC Configuration Management tool to Intune in Section 4. Updated macOS requirements and added device age requirements to Section 4.1. Updated Section 4.4 to “PC Endpoint Provisioning (Self-Enrollment)” and removed Mac Self-Enrollment option. Added contracting agency responsibility for notifying Exabeam of device changes in Section 4.5.1. |
| 3.0 | Nov 3, 2023 | Annual review. Updated macOS requirements to Section 4.1. Added contracting agency responsibility to provide PC serial number and contractor name to Exabeam IT no later than three [3] business days before the contactor start date in Section 4.4.1. Changed responsibility for wiping contractor laptops of Exabeam data from Exabeam IT to the contracting agency in Section 4.5.3. |