What should happen to users and devices that fail NAC policies?

Expert Peter Wood reviews how to deal with employees and devices that don't pass NAC policies.

What should be done with users and any malware-infected devices that violate NAC policies
This has to be partly an HR question! From the user perspective, if your network access control (NAC) policies are mentioned in your acceptable use policy, and your users have been made aware of this policy and the consequences of non-compliance, then the user's manager and your HR people would have to decide on appropriate action. Organizations may choose to immediately lock out or quarantine a non-compliant device, or they may offer a grace period for remediation in order to keep resources up and running, for example.

From the device perspective, it is always best to erase the device and rebuild it from scratch, unless you are certain that your disinfection tools have completely removed the malware.

Read more on Endpoint security