DS 5.9 Malicious Software Prevention, Detection and Correction
Control Objective:
Ensure that preventive, detective and corrective measures are in place (especially up-to-date security patches and virus control) across the organization to protect information systems and technology from malware (viruses, worms, spyware, spam, internally developed fraudulent software, etc.).
Applicability:
- Sarbanes-Oxley
- HIPAA
- GLBA
- PCI
- FISMA
- NIST SP 800-66
- DITSCAP
- Control Exception
- User Defined
Risk Association Control Activities:
- 1. Risk: Incidents or problems affecting financial processes are not identified, resulting in incorrect or incomplete financial reporting.
  - a. SOX.2.0.8: IT management has established procedures across the organization to protect information systems and technology from computer viruses.
- 2. Risk: Data destruction or business process disruptions occur as a result of inadequately maintained anti-virus systems.
  - a. SOX.2.0.9: The anti-virus software vendor's website is queried nightly for updates.
- 3. Risk: Security incidents and non-compliance with information security procedures may go overlooked and unaddressed.
  - a. SOX.3.1.1: Management should monitor security incidents and the extent of compliance with information security procedures.
- 4. Risk: Increased vulnerability may be exploited, adversely impacting system availability and the confidentiality and integrity of programs, processing and data.
  - a. SOX.4.0.2: The anti-virus software vendor's website is queried frequently for updates to virus signature files.
- 5. Risk: Corrective action needed to contain damage or reduce the risk of further problems is not taken following an incident.
  - a. SOX.4.0.3: Log files are reviewed at least daily, or more frequently if increased virus activity is identified.
- 6. PCI.5.1: Deploy anti-virus mechanisms on all systems commonly affected by viruses (e.g. PCs and servers).
- 7. PCI.5.2: Deploy anti-virus mechanisms on all systems commonly affected by viruses (e.g. PCs and servers).
- 8. PCI-6.1.1: Install relevant security patches within one month of release.
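The control activities above state three measurable thresholds (SOX.2.0.9 nightly signature updates, SOX.4.0.3 daily log review, PCI-6.1.1 patches within one month). The following script is an added example, not part of the original page or of any framework, that evaluates a constructed per-host evidence inventory against those thresholds and reports each gap with the control it relates to; the host names, patch identifiers and dates are illustrative only, and the 30-day figure is this example's reading of "one month".

```python
from datetime import date, timedelta

# Thresholds taken from the control activities above (SOX.2.0.9, SOX.4.0.3, PCI-6.1.1).
MAX_SIGNATURE_AGE = timedelta(days=1)   # signatures queried nightly
MAX_LOG_REVIEW_AGE = timedelta(days=1)  # AV logs reviewed at least daily
MAX_PATCH_LAG = timedelta(days=30)      # assumption: "one month" read as 30 days

# Constructed evidence records, one per host; names and dates are illustrative only.
EVIDENCE = [
    {"host": "fin-app-01", "last_signature_update": date(2024, 3, 10),
     "last_log_review": date(2024, 3, 10),
     "patches": [{"id": "PATCH-A", "released": date(2024, 2, 1), "installed": date(2024, 2, 20)}]},
    {"host": "fin-db-01", "last_signature_update": date(2024, 3, 5),
     "last_log_review": date(2024, 3, 10),
     "patches": [{"id": "PATCH-B", "released": date(2024, 1, 15), "installed": None}]},
]

def check_host(record, as_of):
    """Return a list of (control_id, host, detail) findings for one evidence record."""
    findings = []
    sig_age = as_of - record["last_signature_update"]
    if sig_age > MAX_SIGNATURE_AGE:
        findings.append(("SOX.2.0.9", record["host"], f"signatures {sig_age.days} days old"))
    review_age = as_of - record["last_log_review"]
    if review_age > MAX_LOG_REVIEW_AGE:
        findings.append(("SOX.4.0.3", record["host"],
                         f"AV logs last reviewed {review_age.days} days ago"))
    for patch in record["patches"]:
        # A missing patch is measured against the review date; an installed one
        # against its install date, so late installs are still reported.
        end = patch["installed"] or as_of
        lag = end - patch["released"]
        if lag > MAX_PATCH_LAG:
            state = "installed" if patch["installed"] else "still missing"
            findings.append(("PCI-6.1.1", record["host"],
                             f"{patch['id']} {state} {lag.days} days after release"))
    return findings

def check_all(records, as_of):
    """Evaluate every evidence record and flatten the findings into one list."""
    return [f for r in records for f in check_host(r, as_of)]

if __name__ == "__main__":
    for control, host, detail in check_all(EVIDENCE, date(2024, 3, 11)):
        print(f"{control}\t{host}\t{detail}")
```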
Implementation Guide:
Process Narrative
Insert a description of the process narrative that is applicable to the existing control statement this narrative refers to.
Process Illustration
Insert a process diagram, flowchart or other visual representation here to illustrate the process narrative.
Control Commentary
Insert a description of the control that is applicable to the existing control statement this commentary refers to.
Control Exception Commentary
Insert a description of the control exception that is applicable to the existing control statement this commentary refers to.
Evidence Archive Location
Insert Evidence Description Here.
Control Status and Auditors Commentary
Describe the condition of the applicable control and its effectiveness. Set the color icon to a redlock.jpg, yellowlock.jpg or greenlock.jpg.
File:Redlock.jpg
Remediation Plan
Insert remediation plan, applicability, or any information that indicates what needs to be done.
Supplemental Information:
ISO 17799 10.4.1: Detection, prevention, and recovery controls to protect against malicious code and appropriate user awareness procedures should be implemented.
ITIL Security Management
ITIL Security Management Measures
ITIL Implementation
ISO 6.3 Responding to security incidents and malfunctions
ISO 8.3 Protection against malicious software
Protection against malicious code should be based on malicious code detection and repair software, security awareness, and appropriate system access and change management controls.
The following guidance should be considered:
- a) establishing a formal policy prohibiting the use of unauthorized software (see 15.1.2);
- b) establishing a formal policy to protect against risks associated with obtaining files and software either from or via external networks, or on any other medium, indicating what protective measures should be taken;
- c) conducting regular reviews of the software and data content of systems supporting critical business processes; the presence of any unapproved files or unauthorized amendments should be formally investigated;
- d) installation and regular update of malicious code detection and repair software to scan computers and media as a precautionary control, or on a routine basis; the checks carried out should include:
  - 1) checking any files on electronic or optical media, and files received over networks, for malicious code before use;
  - 2) checking electronic mail attachments and downloads for malicious code before use; this check should be carried out at different places, e.g. at electronic mail servers, desktop computers and when entering the network of the organization;
  - 3) checking web pages for malicious code;
- e) defining management procedures and responsibilities to deal with malicious code protection on systems, training in their use, and reporting and recovering from malicious code attacks (see 13.1 and 13.2);
- f) preparing appropriate business continuity plans for recovering from malicious code attacks, including all necessary data and software back-up and recovery arrangements (see clause 14);
- g) implementing procedures to regularly collect information, such as subscribing to mailing lists and/or checking web sites giving information about new malicious code;
- h) implementing procedures to verify information relating to malicious code, and to ensure that warning bulletins are accurate and informative; managers should ensure that qualified sources, e.g. reputable journals, reliable Internet sites or suppliers producing software protecting against malicious code, are used to differentiate between hoaxes and real malicious code; all users should be made aware of the problem of hoaxes and what to do on receipt of them.
Other information
The use of two or more software products protecting against malicious code across the information processing environment from different vendors can improve the effectiveness of malicious code protection.
Software to protect against malicious code can be installed to provide automatic updates of definition files and scanning engines to ensure the protection is up to date. In addition, this software can be installed on every desktop to carry out automatic checks.
Care should be taken to protect against the introduction of malicious code during maintenance and emergency procedures, which may bypass normal malicious code protection controls.
10.4.2 Controls against mobile code
Control
Where the use of mobile code is authorized, the configuration should ensure that the authorized mobile code operates according to a clearly defined security policy, and unauthorized mobile code should be prevented from executing.
Implementation guidance
The following actions should be considered to protect against mobile code performing unauthorized actions:
- a) executing mobile code in a logically isolated environment;
- b) blocking any use of mobile code;
- c) blocking receipt of mobile code;
- d) activating technical measures as available on a specific system to ensure mobile code is managed;
- e) controlling the resources available to mobile code;
- f) applying cryptographic controls to uniquely authenticate mobile code.
Other information
Mobile code is software code which transfers from one computer to another computer and then executes automatically and performs a specific function with little or no user interaction. Mobile code is associated with a number of middleware services.
In addition to ensuring that mobile code does not contain malicious code, control of mobile code is essential to avoid unauthorized use or disruption of system, network, or application resources and other breaches of information security.