Brother has adopted the CIS20 framework to work with, but still must create business reasoning and an assessment on each control to determine if safeguards are appropriate, including what level of investment in safeguards is reasonable. The goal of this project is to articulate an endpoint device management policy for Brother Europe, based on the risk assessment and proper safeguard analysis. Additionally, the organization is looking to adopt device management using the Microsoft Azure based Enterprise Mobile Security (EMS) E3 level toolset. At the start of the project, management of some device types (e.g.: mobile phones, tablets) has already been configured for Europe with some basic management and security controls. Since EMS E3 licenses are quite expensive, Brother wants to ensure that the purchase of around 1'500 licenses makes sense, which is why a proof of concept shall be conducted.

The solution was delivered in an iterative, agile approach to optimize the achievable outcomes and to handle impediments early. The first part of the project consisted of assessing the risks incurred by Brother and was therefore of managerial and theoretical nature. The CIS 20 security framework, which the company already defined as its preferred methodology, has been taken as basis for any further work, including an IT security policy and standard. The second part of the project included a proof of concept (PoC) with Microsoft EMS E3 and particularly Microsoft Intune. The project team's task was to incorporate the current software deployment solution, introduce basic compliance checks, maintain system updates, force certain configurations as well as enforce conditional access policies across some services.

The CIS 20 aligned endpoint device management policy, standard and risk assessment can be used to revise the currently used policy and standard within Brother Europe, which will improve security and help to educate the end-users. During the PoC phase, Intune was tested in different functional areas, namely automated software deployment including self-service marketplace, conditional access, device compliance, configuration and management. The configuration and policies that were created during the PoC phase set the cornerstone for rolling out Intune across Brother Europe and saved its client engineering team a considerable amount of time. Brother can now move from an on-premise to a hybrid-cloud environment and thus extend its endpoint management perimeter to anywhere in the world. Policies, software and general changes can be pushed out any time and will be applied by managed clients no matter where they are currently located. Compliance is constantly evaluated and reported back to the portal.