Protecting Device Boot Order - to ensure devices can only be booted from SecureDoc-protected Disk

While SecureDoc performs an invaluable service ensuring that data is protected by encryption, and that user access to SecureDoc-protected devices is locked down and governed by permitting only specific users to authenticate at Pre-Boot, there are other risks that any security-conscious organization should be aware of and include in its overall security design.

Device Integrity Protection - Protecting Boot Order to ensure device can only boot from encrypted disk

To ensure that SecureDoc can most successfully ensure the protection of a device's data-at-rest, it is essential to ensure that the computer cannot be booted except from the SecureDoc protected bootable disk.
To this end, the device should be configured at the BIOS, EFI or UEFI level to ensure that it is only possible to boot from the SecureDoc-rotected disk.

Customers are asked to determine for each device type to be protected a) how to alter the Boot Order of such devices to ensure that only the SecureDoc-protected disk drive is in the Boot Order; b) all other boot device types have been disabled, and c) that the BIOS, EFI, or UEFI itself can be protected to guard against the possibility of having this boot order security setting altered without correct authority.

Immediately following the implementation of SecureDoc on endpoint devices, customers are asked to implement this level of protection, and to lock down access to the Boot Order to guard against changes to the boot order without authorization.