Download this free Anti Virus Policy template and use it for your organization. Scroll down to the bottom of the page for the download link.
1 GENERAL GUIDELINES AGAINTS MALICIOUS CODE
1.1 Virus protection controls can be applied through various measures: –
a) Installation of Anti-virus software
b) Controlling of share across network
c) Segmentising of network with access control through firewalls, routers, or switches
d) Installation of Content Filtering software
e) Installation of Intrusion Detection System
f) Any other proven measures1.2 Where virus control is not through use of anti-virus software, other means of measures as above should be in place.
1.3 At the minimum, anti-virus software should be installed for all desktop-based computer systems such as workstation-desktops, notebooks, network file and print servers, and email gateways.
1.4 Installed anti-virus software should be configured to run in full-time at the background, and with auto-protect or similar mode. The anti-virus-related activities should be system logged.
1.5 Anti-virus software should be maintained up to date with the latest virus signatures or patterns.
1.6 Updating of latest virus signatures or patterns to the computer systems should be automated where possible. If automatic-process is not possible, a manual process should be in place to enable end-users’ action in the updating.
1.7 A re-scan of the computer systems should be executed immediately after the signature/pattern update.
1.8 All above virus protection controls should only be administrated and maintained by authorized personnel.
1.9 Virus incident should be investigated by authorized personnel. A documentation of the investigation should follow after its completion.
1.10 A documented virus incident response process should be in place. The process can either exist as a stand-alone process or be subsumed under a larger Incident Response Process.
2 POLICY AGAINTS MALICIOUS CODE FOR ALL
2.1 Staffs are not allowed to intentionally write, generate, compile, copy, propagate, execute, or attempt to introduce any computer code designed to self-replicate, damage, or otherwise hinder the performance of any computer’s memory, file system, or software.
2.2 All new software, files or mails must be scanned with the anti-virus software before use.
2.3 All desktop-based removable storage media such as floppy disks, tape-cartridges, zip or other drives should be scanned with the installed anti-virus before installing into any desktop, notebook or LAN server.
2.4 If a suspected virus that can not be repaired is detected by the installed anti-virus software, the computer system user must: –
a) Cease all operations
b) Disconnect the infected computer system from the network
c) Immediately notify the authorized personnel2
d) Document conditions and status of the environment2.5 Users must ensure the installed anti-virus software is not disabled.
2.6 Users must not change the anti-virus software’s configuration, which was installed by authorized personnel.
2.7 Staff should validate any virus alert received from an entrusted source with IS Security at Head Office or with the trusted anti-virus site before taking action. Until verified, such information should not be disseminated indiscriminately. This is to avoid unnecessary reaction to virus hoax at the expense of resources.
3 POLICY AGAINTS MALICIOUS CODE FOR ADMINISTRATORS
3.1 Ensure compliance to the GENERAL GUIDELINES AGAINTS MALICIOUS CODE above.
3.2 Be constantly informed of latest virus threats, whether directly through virus alert-service OR secondarily through the advisory alerting from Head Office support (as in the case for Local IS Administrators).
3.3 Perform immediate virus signature/patterns update when available following a virus-alert notification. This process should be in addition to the regular virus update process.
3.4 Perform forensic action following a virus infection in restoring the computer systems and investigating the incident.
4 ENFORCEMENT
4.1 All staffs are required to comply with this security policy and its appendices. Disciplinary actions including termination may be taken against any Organization staffs who fail to comply with the Organization’s security policies, or circumvent/violate any security systems and/or protection mechanisms.
4.2 Staff having knowledge of personal misuse or malpractice of IT Systems must report immediately to management and IT Security.
4.3 Organization’s staff must ensure that Organization’s contractors and others parties authorized by the Organization using its internal computer systems, comply with this policy.
4.4 Where the role of the service provider is outsourced to a vendor, the outsourced vendor should ensure compliance with this policy.
Click here to download Anti Virus Policy template.
