In privacy architecture, an endpoint is any device or system at the edge of an organization's network that accesses, processes, stores, or transmits personal data. This includes desktops, laptops, mobile phones, tablets, IoT sensors, printers, point-of-sale terminals, and specialized hardware such as medical devices or industrial controllers. From a CDPSE perspective, endpoints are not merely attack surfaces to defend — they are the physical locations where personal data actually resides, making them foundational control points for privacy compliance. Endpoint privacy architecture means ensuring that personal data on these devices is classified, encrypted, access-controlled, monitored, and disposable in ways that satisfy regulatory obligations and honor data subject rights.
Where it stops · what it isn't
- IS: Physical and virtual devices that directly store, process, or transmit personal data at the network edge — laptops, phones, IoT devices, virtual desktops (VDIs), and edge servers.
- IS: Endpoint controls applied in a privacy context — encryption at rest and in transit, MDM policies, DLP rules, EDR/XDR monitoring, device inventory, and secure disposal.
- IS NOT: Network perimeter controls (firewalls, IDS/IPS) or server-side application security — these interact with endpoint security but occupy distinct architectural layers.
- IS NOT: Cloud infrastructure security (serverless, containers, Kubernetes), which falls under cloud privacy architecture, a separate CDPSE knowledge area.
- IS NOT: Policy and consent management systems — those are data governance controls, not endpoint infrastructure controls.
- BOUNDARY CONDITION: A cloud virtual desktop (VDI) session running on a user's device blurs the line — the device itself is an endpoint even if compute is cloud-hosted; the device's local storage and peripheral access must still be governed as endpoint controls.
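The five control goals from the definition above (classified, encrypted, access-controlled, monitored, disposable) and the VDI boundary condition, as an added example that is not part of the original cubelet: a posture check over a constructed device inventory. The mapping of each goal to a single evidence attribute (disk encryption, MDM enrolment, EDR agent, remote wipe) is an assumption made for illustration, and the devices are constructed, not real.

```python
from dataclasses import dataclass

# Assumed mapping: each control goal named in the text is evidenced by one
# inventory attribute. Real programmes would map several controls per goal.
REQUIRED_CONTROLS = {
    "classified": "data_classified",
    "encrypted": "disk_encrypted",
    "access-controlled": "mdm_enrolled",
    "monitored": "edr_agent",
    "disposable": "remote_wipe",
}

@dataclass
class Endpoint:
    name: str
    kind: str                    # laptop, phone, printer, vdi-client, ...
    holds_personal_data: bool
    data_classified: bool = False
    disk_encrypted: bool = False
    mdm_enrolled: bool = False
    edr_agent: bool = False
    remote_wipe: bool = False
    vdi_client: bool = False     # runs a cloud-hosted desktop session

def control_gaps(ep: Endpoint) -> list[str]:
    """Return the control goals this endpoint fails; [] when compliant.

    Boundary condition: a VDI client is still an endpoint. Its local storage
    and peripherals are in scope even though compute is remote, so it is
    assessed exactly like any other device that holds personal data.
    """
    if not (ep.holds_personal_data or ep.vdi_client):
        return []   # out of scope: no personal data reaches this device
    return [goal for goal, attr in REQUIRED_CONTROLS.items()
            if not getattr(ep, attr)]

def posture_report(inventory: list[Endpoint]) -> dict[str, list[str]]:
    """Map each non-compliant endpoint name to its missing control goals."""
    return {ep.name: gaps for ep in inventory if (gaps := control_gaps(ep))}

# Constructed sample inventory (illustrative devices, not a real estate).
SAMPLE_INVENTORY = [
    Endpoint("hr-laptop-01", "laptop", True, True, True, True, True, True),
    Endpoint("lobby-printer", "printer", True, data_classified=True),
    Endpoint("thin-client-07", "vdi-client", False, vdi_client=True,
             disk_encrypted=True, mdm_enrolled=True, edr_agent=True,
             remote_wipe=True),
    Endpoint("guest-tablet", "tablet", False),
]

if __name__ == "__main__":
    for name, gaps in posture_report(SAMPLE_INVENTORY).items():
        print(f"{name}: missing {', '.join(gaps)}")
```

The thin client is flagged only because its local data was never classified, which is exactly the gap the boundary condition warns about: remote compute does not take the device out of scope.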
Connected concepts in the graph
Every cubelet sits in a knowledge graph. Here's what this one connects to.
PART OF: Privacy Architecture — Infrastructure
REQUIRES: Data Classification; Identity and Access Management (IAM)
ENABLES: Data Loss Prevention (DLP); Breach Detection and Incident Response
RELATED TO: Network Security Controls; Cloud Infrastructure Privacy
CONSTRAINS: BYOD and Remote Work Policies