Policy Reference
Category |
Technical Security |
Approval Date |
|
Scope |
All Personnel |
Purpose
Malicious software includes computer viruses, malware, trojans and other software/code which represents a threat to our computing environment. Preventative measures are provided in an effort to eliminate or minimize the risks of malicious software and those related policies and procedures must be adhered to by City computer users.
Policy
- Develop, disseminate, and review: 1) a formal process to prevent malicious code attacks that address purpose, scope, and compliance; and 2) formal procedures to facilitate implementing the process.
- Deploy automatically scanning antivirus, anti-spam, and anti-spyware s mechanisms on all system entry points and IT assets commonly affected by malicious code.
- Ensure that all antivirus and malicious code mechanisms are current, actively running, and correctly generating audit logs.
- Have a process for the reporting and handling of all suspected or actual malicious mobile code.
Compliance
- Procedures should be in place to prevent infection of the system by malicious code or viruses. ¶ .17 § 3.4, ¶ .20 § 3.7, ¶ .24 § 3.8, ¶ .29 § 3.7, AICPA Suitable Trust Services Principles and Criteria
- E-mail users should be trained to not open any attachments from unknown sources and to not open unexpected attachments from known sources. Pg 12-II-35, Protection of Assets Manual, ASIS International
- The organization should ensure that preventive, detective and corrective measures are in place (especially up-to-date security patches and virus control) across the organization to protect information systems and technology from malware (viruses, worms, spyware, spam, internally developed fraudulent software, etc.). DS5.9, CobiT 4.1
- Software products should be installed to continuously check for malicious code on every computer in the organization. § 10.4.1, ISO 17799:2005 Code of Practice for Information Security Management