Sample Anti-Virus Standard:: Difference between revisions

From HORSE - Holistic Operational Readiness Security Evaluation.
(4 intermediate revisions by the same user not shown)
Line 1: Line 1:
=='''Sample Anti-Virus Standard'''==
==Sample Anti-Virus Standard==
The Anti-Virus Standard builds on the objectives established in the [[Sample Asset Protection Policy:|'''Sample Asset Protection Standard''']], and provides specific instructions and requirements for protecting information assets from viruses and malicious code.
 
==Objectives==
# '''General'''
## The Company has approved and licensed anti-virus or virus detection software packages. The software packages are listed in the system of record.
## Company-approved anti-virus software must be installed on all Company servers and client workstations.
## Company-approved anti-virus software must be enabled at all times.
## Virus detection shall not be disabled on any computer resources equipped with anti-virus protection.
## Only Company authorized personnel can configure or approve modifications to the Company-approved anti-virus software configuration.
## Automatic notification features, if available, will be used to ensure appropriate Company personnel are aware of the general availability of anti-virus software executable or version upgrades.
## All licensed product executable or version upgrades to the anti-virus software shall be distributed and implemented within thirty (30) days from the contract implementation period accepted by the Company and the vendor. Distribution of virus detection software upgrades shall be expedited, as necessary, to effectively respond to security advisories or findings from assessment and monitoring activities.
## Automatic signature update features, if available, should be configured to perform automatic signature updates at least weekly.
## All new virus signatures shall be distributed and activated within ten (10) days from their release from the vendor. Distribution of virus signature updates shall be expedited, as necessary, to effectively respond to security advisories of findings from assessment and monitoring activities.
## New emergency virus signatures shall be distributed and activated within two (2) days from their release from the vendor.
## Viruses and malicious code shall not be intentionally installed or introduced in the Company computing environment.
## Log-in and start-up scripts should be modified to run Company-approved anti-virus software that checks system memory and boot sectors for viruses and malicious code upon login and start-up.
## Company-approved anti-virus software shall automatically scan files as they are accessed, executed and/or written to and from disk.
## Company-approved anti-virus software shall automatically scan exchangeable media such as floppy disks, in real-time, when they are accessed.
## All inbound and outbound files from non-Company networks (for example, public or shared networks) shall be scanned for viruses and malicious code using Company-approved anti-virus software.
## All detected virus infections shall be automatically "cleaned". If this feature is not available then all virus-infected files, programs, and systems shall be isolated and quarantined until they can be restored.
## All virus detection and infections should be reported immediately to Infrastructure Services and Information Security at 1-888-896-7580 and provide relevant information including name, employee number, phone number, description of the problem (i.e. detect virus, infected file, etc.), name of virus (if known), and the infected area.
## All virus scan logs must be maintained online for thirty (30) days and retained in accordance to the Auditing Activation Standard and applicable laws and regulations.
# '''Clients'''
## A full drive scan shall be performed at least weekly.
## All electronic mail messages and attachments shall be scanned, including compressed files. If a virus has been detected in a compressed file, it may only be reported and require decompression before automated actions such as cleaning can take place.
# '''Servers'''
## All local drives and volumes shall be scanned daily during periods of low utilization. Virus detection scans shall not conflict or interfere with other regularly scheduled system and operational activities (for example, backups, production batch jobs, etc.).
## Start-up scripts should be modified to run Company-approved anti-virus software that performs full scans of local disks and volumes upon start-up.
## Virus scan logs shall be reviewed daily for virus detection records and automated responses.
# '''Firewalls and Perimeter Network'''
## Company-approved anti-virus software features and options, if available, should be implemented to stop viruses and other malicious code at the Company firewall(s) and perimeter network.
## All electronic mail messages and attachments shall be scanned, including compressed files, before they are allowed through the Company firewalls and perimeter network.
<br>
<br>
The '''<Your Company Name>''' (the "Company") [[Sample Asset Protection Policy:|'''Sample Asset Protection Policy''']] defines Company objectives for establishing specific standards on the protection of the confidentiality, integrity, and availability of Company information assets.<br>
 
<br>
==Document Examples==
This Anti-Virus Standard builds on the objectives established in the [[Sample Asset Protection Policy:|'''Sample Asset Protection Policy''']], and provides specific instructions and requirements for protecting information assets from viruses and malicious code.<br>
Use these samples as a guide for your policy development. Fully customizable versions are available from [http://policy-machine.com The Policy Machine].<br>
<br>
=='''I. Scope'''==
<br>
All employees, contractors, part-time and temporary workers, and those employed by others to perform work on Company premises or who have been granted access to Company information or systems, are covered by this standard and must comply with associated guidelines and procedures.<br>
<br>
'''Customers''' are defined in [[Sample Asset Identification and Classification Policy:|'''Sample Asset Identification and Classification Policy''']].<br>
<br>
'''Customer Information''' is defined in the [[Sample Asset Identification and Classification Policy:|'''Sample Asset Identification and Classification Policy''']].<br>
<br>
'''Exchangeable media''' refers to floppy disks, tapes, removable hard drives, compact disks, etc.<br>
<br>
'''Information assets''' are defined in the A[[Sample Asset Identification and Classification Policy:|'''Sample Asset Identification and Classification Policy''']].<br>
<br>
'''Viruses''' refer to malicious software code such as Trojan horses, viruses, worms, and malicious mobile code (for example, Active X, Java applet, etc.) that masquerades and/or replicates with the potential to cause damage, destruction or disruption. They are primarily introduced into networks through electronic mail messages or attachments, exchangeable media, software downloads, and the Internet.<br>
<br>
=='''II. Requirements'''==
<br>
:'''A. General'''<br>
<br>
::1. The Company has approved and licensed the following anti-virus or virus detection software packages:<br>
<br>
<blockquote style="background: white; border: 1px solid black; padding: 1em;"><table border="1">
<tr><td>'''Vendor Name'''</td><td>'''Software Package (and Version)'''</td><td>'''Supported Client Platforms'''</td><td>'''Supported Server Platforms'''</td></tr>
<tr><td><br></td><td></td><td></td><td></td></tr>
<tr><td><br></td><td></td><td></td><td></td></tr>
<tr><td><br></td><td></td><td></td><td></td></tr>
</table>
</blockquote>
<br>
::2. Company-approved anti-virus software must be installed on all Company servers and client workstations.<br>
<br>
::3. Company-approved anti-virus software must be enabled at all times.<br>
<br>
::4. Virus detection shall not be disabled on any computer resources equipped with anti-virus protection.<br>
<br>
::5. Only Company authorized personnel can configure or approve modifications to the Company-approved anti-virus software configuration.<br>
<br>
::6. Automatic notification features, if available, should be used to ensure appropriate Company personnel are aware of the general availability of anti-virus software executable or version upgrades.<br>
<br>
::7. All licensed product executable or version upgrades to the anti-virus software shall be distributed and implemented within thirty (30) days from general availability release from the vendor. Distribution of virus detection software upgrades shall be expedited, as necessary, to effectively respond to security advisories or findings from assessment and monitoring activities.<br>
<br>
::8. Automatic signature update features, if available, should be configured to perform automatic signature updates at least weekly.<br>
<br>
::9. All new virus signatures shall be distributed and activated within ten (10) days from their release from the vendor. Distribution of virus signature updates shall be expedited, as necessary, to effectively respond to security advisories of findings from assessment and monitoring activities.<br>
<br>
::10. New emergency virus signatures shall be distributed and activated within two (2) days from their release from the vendor.<br>
<br>
::11. Viruses and malicious code shall not be intentionally installed or introduced in the Company computing environment.<br>
<br>
::12. Login and startup scripts should be modified to run Company-approved anti-virus software that checks system memory and boot sectors for viruses and malicious code upon login and startup.<br>
<br>
::13. Company-approved anti-virus software shall automatically scan files as they are accessed, executed and/or written to and from disk.<br>
<br>
::14. Company-approved anti-virus software shall automatically scan exchangeable media such as floppy disks, in real-time, when they are accessed.<br>
<br>
::15. All inbound and outbound files from non-Company networks (for example, public or shared networks) shall be scanned for viruses and malicious code using Company-approved anti-virus software.<br>
<br>
::16. All detected virus infections shall be automatically "cleaned". If this feature is not available then all virus-infected files, programs, and systems shall be isolated and quarantined until they can be restored.<br>
<br>
::17. All virus detections and infections should be reported immediately to <Insert Contact> at <Insert number> and provide relevant information including name, employee number, phone number, description of the problem (i.e. detect virus, infected file, etc.), name of virus (if known), and the infected area.<br>
<br>
::18. All virus scan logs must be maintained online for thirty (30) days and retained in accordance to the Auditing Activation Standard and applicable laws and regulations.<br>
<br>
:'''B.Clients'''<br>
<br>
::1. A full drive scan shall be performed at least weekly.<br>
<br>
::2. All electronic mail messages and attachments shall be scanned, including compressed files. If a virus has been detected in a compressed file, it may only be reported and require decompression before automated actions such as cleaning can take place.<br>
<br>
::3. If virus infection is detected then a message should be sent to the file or electronic mail message originator to warn the sender of the virus infection. Do not forward or directly reply to an infected electronic mail message.<br>
<br>
:'''C. Servers'''<br>
<br>
::1. All local drives and volumes shall be scanned daily during periods of low utilization. Virus detection scans shall not conflict or interfere with other regularly scheduled system and operational activities (for example, backups, production batch jobs, etc.).<br>
<br>
::2. Startup scripts should be modified to run Company-approved anti-virus software that performs full scans of local disks and volumes upon startup.<br>
<br>
::3. Virus scan logs shall be reviewed daily for virus detection records and automated responses.<br>
<br>
:'''D. Firewalls and Perimeter Network'''<br>
<br>
::1. Company-approved anti-virus software features and options, if available, should be implemented to stop viruses and other malicious code at the Company firewall(s) and perimeter network.<br>
<br>
::2. All electronic mail messages and attachments shall be scanned, including compressed files, before they are allowed through the Company firewalls and perimeter network.<br>
<br>
=='''III. Responsibilities'''==
<br>
The Chief Information Security Officer (CISO) approves the Anti-Virus Standard. The CISO also is responsible for ensuring the development, implementation, and maintenance of the Anti-Virus Standard.<br>
<br>
Company management, including senior management and department managers, is accountable for ensuring that the Anti-Virus Standard is properly communicated and understood within their respective organizational units. Company management also is responsible for defining, approving and implementing procedures in its organizational units and ensuring their consistency with the Anti-Virus Standard.<br>
<br>
Asset Owners (Owners) are the managers of organizational units that have primary responsibility for information assets associated with their functional authority. When Owners are not clearly implied by organizational design, the CIO will make the designation. The Owner is responsible for defining processes and procedures that are consistent with the Anti-Virus Standard and ensuring integrity controls are reviewed annually to identify, prioritize, and mitigate process vulnerabilities and weaknesses.<br>
<br>
Asset Custodians (Custodians) are the managers, administrators and those designated by the Owner to manage, process or store information assets. Custodians are responsible for providing a secure processing environment that protects the confidentiality, integrity, and availability of information assets; implementing procedural safeguards and cost-effective controls that are consistent with the Anti-Virus Standard and associated guidelines; ensuring anti-virus software and version updates are implemented; ensuring anti-virus signature updates are distributed and activated; and leading efforts to respond and recovery from virus infections.<br>
<br>
Users are the individuals, groups, or organizations authorized by the Owner to access to information assets. Users are responsible for familiarizing and complying with the Anti-Virus Standard and associated guidelines; ensuring virus scanning is not disabled on their client workstations; and notifying <Specify Contact> immediately with relevant information when virus have been detected and/or virus infections have taken place.<br>
<br>
=='''IV. Enforcement and Exception Handling'''==
<br>
Failure to comply with the Anti-Virus Standard and associated guidelines and procedures can result in disciplinary actions up to and including termination of employment for employees or termination of contracts for contractors, partners, consultants, and other entities. Legal actions also may be taken for violations of applicable regulations and laws.<br>
<br>
Requests for exceptions to the Anti-Virus Standard should be submitted to <Insert Title> in accordance with the Information Security Standards Exception Procedure. Prior to official management approval of any exception request, the individuals, groups, or organizations identified in the scope of this standard will continue to observe the Anti-Virus Standard.<br>
<br>
=='''V. Review and Revision'''==
<br>
The Anti-Virus Standard will be reviewed and revised in accordance with the [[Sample Information Security Program Charter:|'''Sample Information Security Program Charter''']].<br>
<br>
Approved: _______________________________________________________<br>
<br>
::Signature<br>
<br>
::<Insert Name><br>
<br>
::Chief Information Security Officer<br>
<br>
<br>
<gallery>
Image:Anti-Virus Standard.png|Anti-Virus Standard page one of eight.
Image:Anti-Virus Standard(1).png|Anti-Virus Standard page two of eight.
Image:Anti-Virus Standard(2).png|Anti-Virus Standard page three of eight.
Image:Anti-Virus Standard(3).png|Anti-Virus Standard page four of eight.
Image:Anti-Virus Standard(4).png|Anti-Virus Standard page five of eight.
Image:Anti-Virus Standard(5).png|Anti-Virus Standard page six of eight.
Image:Anti-Virus Standard(6).png|Anti-Virus Standard page seven of eight.
Image:Anti-Virus Standard(7).png|Anti-Virus Standard page eight of eight.
</gallery>
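
Review bot: the reporting requirement in the new General list hardcodes "Infrastructure Services and Information Security at 1-888-896-7580" where the replaced text had the placeholders "<Insert Contact> at <Insert number>"; a sample standard should keep the placeholders so adopters fill in their own contact. The upgrade requirement now counts its thirty (30) days "from the contract implementation period accepted by the Company and the vendor" instead of from the vendor's general availability release, which leaves no fixed start date to audit the deadline against, so the original wording or an explicit start event would be clearer. The new Clients list also drops the previous item 3 on warning the originator of an infected message, and the revision no longer carries the Scope definitions, Responsibilities, Enforcement and Exception Handling, and Review and Revision sections; if that is intentional it should be stated in the edit summary. The typo "security advisories of findings" in the signature-distribution requirement is carried over unchanged and should read "or findings".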

Latest revision as of 20:00, 15 January 2014

Sample Anti-Virus Standard

The Anti-Virus Standard builds on the objectives established in the Sample Asset Protection Standard, and provides specific instructions and requirements for protecting information assets from viruses and malicious code.

Objectives

  1. General
    1. The Company has approved and licensed anti-virus or virus detection software packages. The software packages are listed in the system of record.
    2. Company-approved anti-virus software must be installed on all Company servers and client workstations.
    3. Company-approved anti-virus software must be enabled at all times.
    4. Virus detection shall not be disabled on any computer resources equipped with anti-virus protection.
    5. Only Company authorized personnel can configure or approve modifications to the Company-approved anti-virus software configuration.
    6. Automatic notification features, if available, will be used to ensure appropriate Company personnel are aware of the general availability of anti-virus software executable or version upgrades.
    7. All licensed product executable or version upgrades to the anti-virus software shall be distributed and implemented within thirty (30) days from the contract implementation period accepted by the Company and the vendor. Distribution of virus detection software upgrades shall be expedited, as necessary, to effectively respond to security advisories or findings from assessment and monitoring activities.
    8. Automatic signature update features, if available, should be configured to perform automatic signature updates at least weekly.
    9. All new virus signatures shall be distributed and activated within ten (10) days from their release from the vendor. Distribution of virus signature updates shall be expedited, as necessary, to effectively respond to security advisories or findings from assessment and monitoring activities.
    10. New emergency virus signatures shall be distributed and activated within two (2) days from their release from the vendor.
    11. Viruses and malicious code shall not be intentionally installed or introduced in the Company computing environment.
    12. Log-in and start-up scripts should be modified to run Company-approved anti-virus software that checks system memory and boot sectors for viruses and malicious code upon login and start-up.
    13. Company-approved anti-virus software shall automatically scan files as they are accessed, executed and/or written to and from disk.
    14. Company-approved anti-virus software shall automatically scan exchangeable media such as floppy disks, in real-time, when they are accessed.
    15. All inbound and outbound files from non-Company networks (for example, public or shared networks) shall be scanned for viruses and malicious code using Company-approved anti-virus software.
    16. All detected virus infections shall be automatically "cleaned". If this feature is not available then all virus-infected files, programs, and systems shall be isolated and quarantined until they can be restored.
    17. All virus detections and infections should be reported immediately to Infrastructure Services and Information Security at 1-888-896-7580, with relevant information including name, employee number, phone number, description of the problem (i.e. detected virus, infected file, etc.), name of virus (if known), and the infected area.
    18. All virus scan logs must be maintained online for thirty (30) days and retained in accordance with the Auditing Activation Standard and applicable laws and regulations.
  2. Clients
    1. A full drive scan shall be performed at least weekly.
    2. All electronic mail messages and attachments shall be scanned, including compressed files. If a virus has been detected in a compressed file, it may only be reported, and decompression may be required before automated actions such as cleaning can take place.
  3. Servers
    1. All local drives and volumes shall be scanned daily during periods of low utilization. Virus detection scans shall not conflict or interfere with other regularly scheduled system and operational activities (for example, backups, production batch jobs, etc.).
    2. Start-up scripts should be modified to run Company-approved anti-virus software that performs full scans of local disks and volumes upon start-up.
    3. Virus scan logs shall be reviewed daily for virus detection records and automated responses.
  4. Firewalls and Perimeter Network
    1. Company-approved anti-virus software features and options, if available, should be implemented to stop viruses and other malicious code at the Company firewall(s) and perimeter network.
    2. All electronic mail messages and attachments shall be scanned, including compressed files, before they are allowed through the Company firewalls and perimeter network.


Document Examples

Use these samples as a guide for your policy development. Fully customizable versions are available from The Policy Machine.