Organizations should enact a policy for the secure configuration and use of endpoint devices, taking into account factors such as information type and classification level, physical protection, software restrictions, access controls, storage device encryption, protection against malware, backups, and usage of devices. The policy should be communicated to relevant personnel and consider other restrictions for sensitive information, such as disabling downloading information for offline use and local storage. The policy should also involve configuration management or automation. Device users should know the security guidelines and their responsibilities, such as ending active sessions, protecting devices with physical and logical controls, using devices carefully in public places, and physically protecting devices from theft. A particular policy should be established for device theft or loss that considers legal, contractual, regulatory, and other security needs.