CSOL 540 Assignment 4: Asset Protection Policy Marc Leeka

Purpose

This policy is designed to prevent infection of Sample Corp computers, networks, and technology systems
by computer viruses, and other malicious code, and the damage to applications, data, files, and hardware
that would be incurred by an infection.

A virus is a potentially malicious programming code that can cause an unexpected and undesirable event.
Viruses can be transmitted via downloadable Internet files, e-mail or instant messaging attachments, and
infected web sites. Viruses are usually disguised as something else, and so their presence is not always
obvious to the computer user. A virus infection can be very costly to Sample Corp in terms of lost data,
lost staff productivity, and/or lost reputation. Furthermore, Sample Corp has a legal responsibility to
protect private client information that is stored in its computer network.

As a result, one of the goals of Sample Corp is to provide a computing network that is virus-free. The
purpose of this policy is to provide instructions on measures that must be taken by Sample Corp personnel
to help achieve effective virus detection and prevention.

Because antivirus software has only a 97 to 99 percent effectiveness rate, Sample Corp requires that all
employees annually attend a security awareness presentation because they are the companys strongest
first defense against malicious software that can disrupt and harm company operations.

Statement
Sample Corp utilizes supplemental measures to look for indicators of active attacks as they occur while
monitoring all traffic on the corporate network and devices connected to the network, including activity
and traffic both on and off the physical facility, in order to maintain the integrity, reliability and
performance of Sample Corp information systems. This includes, but is not limited to, monitoring for
computer viruses and other malware, attempts to access Sample Corp systems without appropriate
authorization, systems performance, and compliance with Sample Corp policies.

Sample Corp reserves the right to intercept and/or quarantine any networking traffic or computing
resources that may pose a threat to Sample Corp infrastructure, systems or data. This includes but is not
limited to files, messages, network traffic and devices.

Scope

All employees as well as vendors, contractors, partners and any other parties doing business with Sample
Corp that have access to Sample Corp computers, networks and/or technology systems, are subject to the
provisions of this policy.

This policy applies to all computers that access and/or store corporate information. It applies to all devices
that have access to the corporate network whether the device are connected at the companys facility or
remotely, and whether the device is owned by Sample Corp or owned by a user.

General Policy

All corporate computers and devices that store corporate information and all corporate computers and
devices that at any time connect to the corporate network must run at all times approved and supported

1
CSOL 540 Assignment 4: Asset Protection Policy Marc Leeka

antivirus software that is correctly installed, configured, activated and updated with the latest malware
definitions.

Any activities with the intention to create and/or distribute malicious programs into the Sample Corp
network are strictly prohibited.

Suspected virus threats must be reported to the IT department immediately at extension 300.

Any devices infected with a virus or other malicious code must be immediately disconnected from the
corporate network until the infection has been removed.

It is a violation of Sample Corp's Appropriate Use policy to bypass, tamper with or disable the security
and antivirus systems on equipment managed by the IT department.

Incident Response Measures

Timely communication is initially the most effective incident response measure to take regarding a
perceived or actual malware threat to Sample Corp. Common examples of malware threats include error
messages, continuous pop-up advertisements, system performance degradation, actual anti-virus
warnings, alerts or other suspicious activities. Should a user suspect a malware threat, the following steps
are to be undertaken immediately:
Immediately notify authorized IT personnel at extension 300 and inform them of the situation;
Follow all instructions and guidance from the IT department personnel;
If no immediate IT department personnel are available (i.e., outside normal business hours or
communication constraints), discontinue the use of the device in question;
Provide the device in question to authorized IT personnel for inspection and review of anti-virus logs;
Assist the IT personnel to complete the Incident Response Form regarding the malware threat;
No employee should attempt to destroy or remove a virus, or any evidence of that virus, without
direction from the IT department. The IT department personnel will subsequently determine if the
device is free of all viruses.

Awareness Training

All employees must annually attend a security awareness program conducted by the IT department. The
program will include, but not be limited to, these topics:
risks that malware poses to individuals and to the organization;
techniques that criminals use to trick users into disclosing information;
generally recommended practices to reduce the frequency and severity of malware incidents;
the inability of antivirus software and technical controls to prevent all incidents;
how to identify if a system may be infected and how to report a suspected infection;
how major malware notices will be communicated and what to do in those instances.

User Responsibilities

Users must not disable or bypass antivirus software on any device or system they access.

2
CSOL 540 Assignment 4: Asset Protection Policy Marc Leeka

Suspected virus threats must be reported to the IT department immediately at extension 300.

Any devices infected with a virus or other malicious code must be immediately disconnected from the
corporate network until the infection has been removed.

Any portable storage device that is used to store corporate information may become infected. If the
portable storage device is removed from the corporate facility, it must be scanned using the most current
antivirus software upon its return to the corporate facility. Directions for scanning a portable device are
posted on the corporate intranet.

In the event of an enterprise-wide malware attack notification, notifications are confidential to only users
within Sample Corp and are not to be forwarded or shared outside the organization except by officials
approved to do so.

IT Department Responsibilities

Prepare and conduct an annual Awareness Training Program for all employees.

Install an antivirus software program on all computers, servers, network equipment and devices owned by
Sample Corp. Antivirus software must be configured to automatically clean and remove an infected file or
to quarantine the infected file if automatic cleaning is not possible. The antivirus software must be
configured to automatically update itself regularly. Scans for viruses on the device must occur without
user intervention on a regular basis.

For employees who have prior approval to connect their personally-owned computers to the Sample Corp
network, the IT department will provide and assist in the correct installation of approved antivirus
software.

IT department personnel will manage the antivirus server console.

IT department personnel will complete an Incident Response Form when malware threats are reported.

In the event a device is infected, IT department personnel with verify the infection has been removed.

IT department personnel under the direction of the IT department manager will conduct an annual review
of antivirus software effectiveness and make recommendations. The IT department manager will also
evaluate and make recommendations for alternative antivirus strategies that are predictive indicators of
active attacks.

The IT department manager or acting manager will provide to the CISO a quarterly report of virus activity
and resolution, summarized from the antivirus server console and Incident Response Measures.

In the event of an enterprise-wide malware attack, the IT department manager will recommend a
procedure to mitigate the intrusion.

CISO Responsibilities

3
CSOL 540 Assignment 4: Asset Protection Policy Marc Leeka

The CISO is responsible for granting a device exemption from this policy, such as if a computer device
cannot have anti-virus software installed (i.e., vendor-controlled systems or devices where anti-virus
software has not yet been developed). In these cases, the CISO must develop a plan to protect the device
from infection. If a computing platform does not have antivirus prevention software available, its use
must be approved by the CISO who shall determine the operating procedures necessary to minimize the
possibility of malware infecting the corporate network.

The CISO will review the IT department annual evaluation of antivirus software effectiveness and
approve the selection of antivirus software. The CISO will inform the CIO of the selection(s) of antivirus
software.

The CISO will review the IT department annual evaluation of predictive antivirus software strategies and
approve the selection of a predictive antivirus software. The CISO will inform the CIO of the selection(s)
of alternative antivirus strategies.

In the event of an enterprise-wide malware attack, the CISO will approve a procedure to mitigate the
intrusion.

If a device that performs a critical function is infected and may not be immediately taken off-line without
seriously impairing a critical business function, the CISO will develop a plan to allow the computer
device to be taken off-line and the infection purged while protecting the function of the device. The CISO
will inform the CIO.

CIO Responsibilities

The CIO may grant an exception if an infected computer device is discovered that performs a critical
function and may not be immediately taken off-line without seriously impairing some critical business
function.

Revision History
None

Reviewed by: IT department manager

Approved by: CISO
Approved by: CIO

References:

Simonite, T. (2012, June 11). The Antivirus Era Is Over. Retrieved September 25, 2016, from
https://www.technologyreview.com/s/428166/the-antivirus-era-is-over/

Western Michigan University Anti-virus Policy (2013, February). Retrieved September 25, 2016, from
https://wmich.edu/it/policies/antivirus

Wallace, M., & Webber, L. (2016). IT governance policies & procedures (2016 ed.). Austin: Wolters
Kluwer Law & Business/Aspen.

4
CSOL 540 Assignment 4: Asset Protection Policy Marc Leeka

Seton Hall University Computer Viruses and Malware Policy (2013, August). Retrieved September 25,
2016, from https://www13.shu.edu/offices/policies-procedures/computer-viruses-malware.cfm

Mello, J. P., Jr. (2014, December 15). Death of antivirus software greatly exaggerated. Retrieved
September 25, 2016, from http://www.csoonline.com/article/2859123/data-protection/death-of-antivirus-
software-greatly-exaggerated.html

The Three Essential Elements of Next Generation Endpoint. Retrieved September 25, 2016, from
http://go.crowdstrike.com/rs/281-OBQ-266/images/WhitepaperNextGenEndpointProtection.pdf

The best antivirus software for Windows Client Business User. (2016, February). Retrieved September
25, 2016, from https://www.av-test.org/en/antivirus/business-windows-client/windows-7/february-2016/

Souppaya, M. and Scarfone, K. (2013, July). Guide to Malware Incident Prevention and Handling for
Desktops and Laptops. Retrieved September 25, 2016, from
http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-83r1.pdf