IS7015 - Antivirus Procedure
Section: INFORMATION SOLUTIONS PROCEDURES
SubSection: Information Security
Master List Section: Information Solutions
Purpose
Malicious code such as viruses, worms, Trojans, spyware, rootkits and ransomware represents a significant threat to the performance and security of DMACC’s IT assets.
This procedure provides guidelines for protecting DMACC’s IT assets against malicious code through an enterprise-level Malware solution suite.
Scope
This procedure applies to:
All staff (permanent and contractual) and non-employees (contractors, consultants, suppliers, vendors etc.) of DMACC, and other individuals, entities or organizations that have access to and use DMACC’s information systems to perform their daily job-related responsibilities or meet their contractual obligations.
Relevant DMACC technical operations or third-party personnel responsible for administering and maintaining DMACC’s Malware infrastructure.
Procedure Statements
All servers, desktops, laptops, and handheld devices of DMACC must be protected against malicious code using an enterprise-level Malware and Anti-Malware solution. The Malware solution suite must ensure early detection, efficient containment, and eradication of malicious code. Malware software must be used on all systems commonly affected by malicious code to protect them from current and evolving malicious software threats.
Selection of Malware
- The DMACC IT Security Team (IST) shall identify suitable and reliable Malware software available as the corporate Malware software.
- Selected Malware software shall be capable of detecting, removing and protecting against all known types of malicious software (for example viruses, Trojans, worms, spyware, adware, ransomware, and rootkits).
- The DMACC IST shall ensure that the selected Malware software is compatible with all IT infrastructure used in DMACC that is susceptible to malicious code.
- The DMACC IST shall be responsible for licensing and renewal for Malware software.
- The Malware enterprise solution must support signature update rollback.
Installation and Configuration
- The DMACC IST shall approve deployment of Malware software on DMACC systems.
- All servers, desktops, laptops, and handheld devices shall have Malware agent installed and configured before they are connected to the network.
- Malware agent installation shall be password protected and remotely managed to ensure that end users cannot uninstall the agent, change any of its settings, or disable it.
- Malware agent shall be configured to perform a full system scan of the machine at least once every week. The scan may run either when the system boots or during non-peak usage hours, depending on the load in the various DMACC departments.
- Malware agent shall be configured for real-time scanning of all files when they are accessed, copied, or moved, so that malicious code is detected before it is executed.
- Malware agent shall be configured to scan all removable disks before use.
- Malware agent shall be configured to quarantine virus infected files if they cannot be cleaned.
- Malware agent shall notify the user if it is unable to clean or quarantine the malicious code detected on the machine.
- Malware software shall be installed on email servers, including the SMTP gateway, and shall be configured to scan the attachments of all emails. If a virus is found in an incoming SMTP mail, the following actions shall be taken:
  - Infected attachment shall be deleted.
  - Infected attachment shall be quarantined.
- Access to websites and other resources on the Internet known to host malicious content shall be prevented using a web content filtering mechanism.
Malware Signature Update
- The DMACC IST shall ensure that new Malware signatures are applied as soon as they are released by the Malware Solution Vendor.
- The design of the Malware application architecture shall ensure that all systems across DMACC are updated with the latest signatures within 12 hours of release.
- The number of Malware servers, their location, the server hardware sizing and the bandwidth requirements shall be designed and implemented to ensure that updates are propagated to and installed on all agents appropriately.
- All systems on the DMACC network shall be configured to receive signature updates from the Malware server. The Malware server shall be configured to pick up the signature pattern from the vendor website and to “push” the latest signature updates to the systems.
- Systems that are not on the DMACC network (mobile users) shall be configured with an alternate update option whereby signatures are updated directly from the vendor website.
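As an added illustration that is not part of the DMACC procedure, the following Python audits a constructed export of agent status records against the Installation and Configuration and Malware Signature Update requirements above: signatures applied within 12 hours of release, a full scan within the last week, real-time and removable-media scanning enabled, a tamper-protected agent, and on-network systems updating from the internal Malware server while mobile systems update from the vendor. The record field names and sample values are assumptions, not any vendor's schema.

```python
from datetime import datetime, timedelta

# Thresholds stated in the procedure.
MAX_SIGNATURE_LAG = timedelta(hours=12)  # updated within 12 hours of release
MAX_FULL_SCAN_AGE = timedelta(days=7)    # full system scan at least weekly

def _ts(s):
    """Parse an ISO-8601 UTC timestamp such as 2024-05-01T06:00:00Z."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))

# Constructed sample export; field names are assumptions for this example.
SAMPLE_AGENTS = [
    {"host": "lab-pc-01", "on_dmacc_network": True, "update_source": "internal",
     "signature_applied": "2024-05-01T07:30:00Z", "last_full_scan": "2024-04-28T02:00:00Z",
     "realtime_scan": True, "scan_removable": True, "uninstall_password": True},
    {"host": "staff-laptop-07", "on_dmacc_network": False, "update_source": "vendor",
     "signature_applied": "2024-04-30T18:00:00Z", "last_full_scan": "2024-04-20T02:00:00Z",
     "realtime_scan": True, "scan_removable": True, "uninstall_password": True},
    {"host": "srv-file-02", "on_dmacc_network": True, "update_source": "vendor",
     "signature_applied": "2024-05-01T10:00:00Z", "last_full_scan": "2024-05-01T02:00:00Z",
     "realtime_scan": False, "scan_removable": True, "uninstall_password": False},
]
NOW = _ts("2024-05-02T00:00:00Z")
LATEST_RELEASE = _ts("2024-05-01T06:00:00Z")  # vendor's most recent signature release

def check_agent(rec, now, latest_release):
    """Return the procedure requirements an agent record violates (empty if compliant)."""
    findings = []
    # The agent must carry the latest release once 12 hours have passed since it shipped.
    if _ts(rec["signature_applied"]) < latest_release and now - latest_release > MAX_SIGNATURE_LAG:
        findings.append("signature_stale")
    if now - _ts(rec["last_full_scan"]) > MAX_FULL_SCAN_AGE:
        findings.append("full_scan_overdue")
    if not rec["realtime_scan"]:
        findings.append("realtime_scan_off")
    if not rec["scan_removable"]:
        findings.append("removable_scan_off")
    if not rec["uninstall_password"]:
        findings.append("agent_not_tamper_protected")
    # On the DMACC network agents update from the internal Malware server;
    # mobile systems off the network may update directly from the vendor.
    expected = "internal" if rec["on_dmacc_network"] else "vendor"
    if rec["update_source"] != expected:
        findings.append("wrong_update_source")
    return findings

def audit(agents, now, latest_release):
    """Map each non-compliant host to its findings; compliant hosts are omitted."""
    return {r["host"]: f for r in agents if (f := check_agent(r, now, latest_release))}

if __name__ == "__main__":
    for host, findings in audit(SAMPLE_AGENTS, NOW, LATEST_RELEASE).items():
        print(host, ", ".join(findings))
```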
Malware Server Security
- Operating System and applications on the Malware servers shall be configured as per the standard industry security practices to protect the solution itself.
- Malware servers shall be protected from unauthorized logical and physical access.
- The Malware management application shall provide unique usernames and passwords for administrative use.
- The default usernames and passwords of the application shall be disabled.
- Necessary redundancy arrangements shall be made for critical Malware servers.
Monitoring
- The DMACC IST, with the help of the vendor, shall develop guidelines for performance monitoring and acceptable performance threshold levels of the Malware servers. The Malware administrator shall carry out performance monitoring for the following parameters:
  - CPU Utilization
  - Memory Utilization
  - Network Performance
  - Disk Utilization
- Logging shall be enabled for both the operating system and the Malware application on the Malware servers, and the logs shall be sent to a central repository. The DMACC IST is responsible for monitoring the logs.
Tracking New Threats and Vulnerabilities
- The DMACC IST shall keep track of new threats arising from malicious codes with respect to DMACC’s environment.
- When a new vulnerability is published, the DMACC IST shall identify the steps that need to be taken to ensure that the associated risks are mitigated.
Backup and Redundancy
- Backup of the Malware systems shall be carried out as required by the Data Backup and Recovery Procedure.
- The following components shall be backed up for Malware systems:
  - Operating system files, with the objective of recovering the system in case of system failure
  - Malware application files, with the objective of recovering the Malware software in case of system failure
  - Configuration settings, with the objective of replicating the settings during reconfiguration in the case of system recovery
  - AV or threat protection logs and generated reports, which shall be backed up and stored according to the Logging & Monitoring Procedure
  - OS and application log files
- Necessary redundancy arrangements shall be made for critical Malware servers.
Incident Reporting
- Users shall report to DMACC Technical Support in the event of a virus not being cleaned by the Malware agent. The Malware administrator shall initiate the Incident Management process once the user has reported the incident.
- In case of virus outbreak, the DMACC IST may choose to invoke the IRP (incident response plan) if called for by the IRP team lead.
Change Management
- All critical changes to the Malware infrastructure shall adhere to the change management process, including:
  - OS / Malware application upgrades
  - Changes in Malware architecture or update schedule
  - Addition or removal of a Malware server or component
Vendor Support
- The Service Level Agreement with the Malware vendor shall include the following provisions:
  - Providing signature updates, including urgent signatures for zero-day viruses, and newer versions of the software
  - Providing technical support, including onsite support, within specified time frames
  - Contact persons and response times for technical escalations