---

Technology Standard

---

IT Systems Security - Malicious Code Protection

To provide guidelines necessary to implement System Office and College malicious code protection standards and procedures.

In accordance with the COV ITRM 501-01, malicious code protection is necessary to protect System Office and College IT systems from damage caused by malicious code.

The Malicious Code Protection Standard is applicable to the System Office and all Colleges.

Malicious code refers to a broad category of software threats to your network and systems and may exploit vulnerabilities in System Office and College IT systems. Deliberate destruction, theft, or unauthorized access or modification exploits or damages IT systems.

Requirement:

System Office and College must develop standards and procedures that inform employees of their responsibility concerning malicious programs and explicitly prohibit:

• Intentional development or experimentation with malicious programs.
• Intentional propagation of malicious programs.

System Office and College standards and procedures must also address the following:

• Instructions on how users should respond to malicious attacks including reporting requirements.
• Instructions on how IT personnel will respond to malicious attacks. (Note: this information may be contained in the Incident Handling Procedures.)
• Instructions on using sanitized or new media to make software copies for appropriate distribution.
• Instructions on using common use workstations, desktop, classrooms, labs, etc. to create distribution media.

Colleges should include information for students on proper media use and the dangers of malicious programs. Colleges should also include information for instructors, lab assistants, learning resource center personnel, and similar employees on creating a safe environment for students in open areas by providing malicious program information to students. This may be distributed via syllabus, signage, VCCS email accounts, or College web sites.

• Instructions for employees when purchasing new software or installing existing software to include Information Security Officer (ISO) or designee approval and installation procedures.

The System Office and College may elect, where practicable, to enforce software installation standards and procedures by using software controls such as Active Directory.

The System Office and College Security Awareness and Training Program must include malicious code best practices for users. Email notifications and web site information may also be used to inform users of new viruses, worms, spy ware, and similar malicious programs.

Requirement:

The System Office and Colleges must take every precaution to provide protection against malicious programs by using detection, protection, elimination, logging, and reporting capabilities. The following best practices are provided to the System Office and Colleges:

• Configure malicious code protection to activate upon system boot.
• Configure networks so that malicious codes are detected and removed or quarantined before it can impede a production device.
• Configure e-mail systems to eliminate or quarantine malicious programs in e-mail messages and file attachments as they enter the system.
• Have messages scanned by multi-vendor anti-virus programs (i.e., a firewall that uses multiple virus scanning engines).
• Configure systems for automatic updates of malicious code definition files or provide a process to manually retrieve those updates as they become available.
• Propagate malicious code definition file updates to all devices appropriately.

System Office or College malicious program protection should encompass all the technologies and processes available to:

• Eradicate or quarantine malicious programs detected.
• Send alert notifications.
• Run scans on memory and storage devices.
• Scan files received via a network or other connection or from an input storage device.
• Allow only authorized employees to modify program settings.
• Maintain a log of malicious program protection activities.