Sample Anti-Virus Standard:

From HORSE - Holistic Operational Readiness Security Evaluation.
Revision as of 14:17, 1 May 2010 by Mdpeters (talk | contribs)

Document History


Version | Date | Revised By | Description
1.0 | 1 January 2010 <Current date> | Michael D. Peters <Owner's name> | This version replaces any prior version.


Document Certification


Description | Date | Parameters
Designated document recertification cycle in days: | 30 - 90 - 180 - 365 | <Select cycle>
Next document recertification date: | 1 January 2011 | <Date>


Sample Anti-Virus Standard


The <Your Company Name> (the "Company") Sample Asset Protection Policy defines Company objectives for establishing specific standards on the protection of the confidentiality, integrity, and availability of Company information assets.

This Anti-Virus Standard builds on the objectives established in the Sample Asset Protection Policy, and provides specific instructions and requirements for protecting information assets from viruses and malicious code.

I. Scope


All employees, contractors, part-time and temporary workers, and those employed by others to perform work on Company premises or who have been granted access to Company information or systems, are covered by this standard and must comply with associated guidelines and procedures.

Customers are defined in the Sample Asset Identification and Classification Policy.

Customer Information is defined in the Sample Asset Identification and Classification Policy.

Exchangeable media refers to floppy disks, tapes, removable hard drives, flash media, compact disks, etc.

Information assets are defined in the Sample Asset Identification and Classification Policy.

Viruses refer to malicious software code such as Trojan horses, viruses, worms, and malicious mobile code (for example, ActiveX controls, Java applets, etc.) that masquerades and/or replicates with the potential to cause damage, destruction or disruption. They are primarily introduced into networks through electronic mail messages or attachments, exchangeable media, software downloads, and the Internet.

II. Requirements


A. General


1. The Company has approved and licensed the following anti-virus or virus detection software packages:


Vendor Name | Software Package (and Version) | Supported Client Platforms | Supported Server Platforms




2. Company-approved anti-virus software must be installed on all Company servers and client workstations.


3. Company-approved anti-virus software must be enabled at all times.


4. Virus detection shall not be disabled on any computer resources equipped with anti-virus protection.


5. Only Company-authorized personnel can configure or approve modifications to the Company-approved anti-virus software configuration.


6. Automatic notification features, if available, should be used to ensure appropriate Company personnel are aware of the general availability of anti-virus software executable or version upgrades.


7. All licensed product executable or version upgrades to the anti-virus software shall be distributed and implemented within thirty (30) days from general availability release from the vendor. Distribution of virus detection software upgrades shall be expedited, as necessary, to effectively respond to security advisories or findings from assessment and monitoring activities.


8. Automatic signature update features, if available, should be configured to perform automatic signature updates at least weekly.


9. All new virus signatures shall be distributed and activated within ten (10) days from their release from the vendor. Distribution of virus signature updates shall be expedited, as necessary, to effectively respond to security advisories or findings from assessment and monitoring activities.


10. New emergency virus signatures shall be distributed and activated within two (2) days from their release from the vendor.


11. Viruses and malicious code shall not be intentionally installed or introduced in the Company computing environment.


12. Login and startup scripts should be modified to run Company-approved anti-virus software that checks system memory and boot sectors for viruses and malicious code upon login and startup.


13. Company-approved anti-virus software shall automatically scan files as they are accessed, executed and/or written to and from disk.


14. Company-approved anti-virus software shall automatically scan exchangeable media such as floppy disks, in real-time, when they are accessed.


15. All inbound and outbound files from non-Company networks (for example, public or shared networks) shall be scanned for viruses and malicious code using Company-approved anti-virus software.


16. All detected virus infections shall be automatically "cleaned". If this feature is not available, then all virus-infected files, programs, and systems shall be isolated and quarantined until they can be restored.


17. All virus detections and infections should be reported immediately to <Insert Contact> at <Insert number>. The report should provide relevant information including name, employee number, phone number, description of the problem (e.g., detected virus, infected file, etc.), name of virus (if known), and the infected area.


18. All virus scan logs must be maintained online for thirty (30) days and retained in accordance with the Auditing Activation Standard and applicable laws and regulations.


B. Clients


1. A full drive scan shall be performed at least weekly.


2. All electronic mail messages and attachments shall be scanned, including compressed files. If a virus is detected in a compressed file, it may only be reported, and the file may require decompression before automated actions such as cleaning can take place.


3. If a virus infection is detected, a message should be sent to the file or electronic mail message originator to warn the sender of the virus infection. Do not forward or directly reply to an infected electronic mail message.


C. Servers


1. All local drives and volumes shall be scanned daily during periods of low utilization. Virus detection scans shall not conflict or interfere with other regularly scheduled system and operational activities (for example, backups, production batch jobs, etc.).


2. Startup scripts should be modified to run Company-approved anti-virus software that performs full scans of local disks and volumes upon startup.


3. Virus scan logs shall be reviewed daily for virus detection records and automated responses.


D. Firewalls and Perimeter Network


1. Company-approved anti-virus software features and options, if available, should be implemented to stop viruses and other malicious code at the Company firewall(s) and perimeter network.


2. All electronic mail messages and attachments shall be scanned, including compressed files, before they are allowed through the Company firewalls and perimeter network.


III. Responsibilities


The Chief Information Security Officer (CISO) approves the Anti-Virus Standard. The CISO also is responsible for ensuring the development, implementation, and maintenance of the Anti-Virus Standard.

Company management, including senior management and department managers, is accountable for ensuring that the Anti-Virus Standard is properly communicated and understood within their respective organizational units. Company management also is responsible for defining, approving and implementing procedures in its organizational units and ensuring their consistency with the Anti-Virus Standard.

Asset Owners (Owners) are the managers of organizational units that have primary responsibility for information assets associated with their functional authority. When Owners are not clearly implied by organizational design, the CIO will make the designation. The Owner is responsible for defining processes and procedures that are consistent with the Anti-Virus Standard and ensuring integrity controls are reviewed annually to identify, prioritize, and mitigate process vulnerabilities and weaknesses.

Asset Custodians (Custodians) are the managers, administrators and those designated by the Owner to manage, process or store information assets. Custodians are responsible for providing a secure processing environment that protects the confidentiality, integrity, and availability of information assets; implementing procedural safeguards and cost-effective controls that are consistent with the Anti-Virus Standard and associated guidelines; ensuring anti-virus software and version updates are implemented; ensuring anti-virus signature updates are distributed and activated; and leading efforts to respond to and recover from virus infections.

Users are the individuals, groups, or organizations authorized by the Owner to access information assets. Users are responsible for familiarizing themselves with and complying with the Anti-Virus Standard and associated guidelines; ensuring virus scanning is not disabled on their client workstations; and notifying <Specify Contact> immediately with relevant information when viruses have been detected and/or virus infections have taken place.

IV. Enforcement and Exception Handling


Failure to comply with the Anti-Virus Standard and associated guidelines and procedures can result in disciplinary actions up to and including termination of employment for employees or termination of contracts for contractors, partners, consultants, and other entities. Legal actions also may be taken for violations of applicable regulations and laws.

Requests for exceptions to the Anti-Virus Standard should be submitted to <Insert Title> in accordance with the Information Security Standards Exception Procedure. Prior to official management approval of any exception request, the individuals, groups, or organizations identified in the scope of this standard will continue to observe the Anti-Virus Standard.

V. Review and Revision


The Anti-Virus Standard will be reviewed and revised in accordance with the Sample Information Security Program Charter.

Approved: _______________________________________________________

Signature


<Insert Name>


Chief Information Security Officer