(ii) Implementation specifications:
(B) Protection from malicious software (Addressable). Procedures for guarding against, detecting, and reporting malicious software.
Tell Me More:
The Protection from Malicious Software implementation specification requires covered entities to address implementing procedures for guarding against, detecting, and reporting malicious software. Malicious software includes viruses, worms, Trojan horses, and backdoor programs. It either performs harmful actions itself or is used by attackers to advance their attacks on enterprise networks and systems; the key difference between the types of malicious software is how they spread.
Entities should use policy, education and awareness, and the technical prevention and detection controls best suited to their environments to avoid the introduction and exploitation of malicious software in state information systems.
Questions to consider:
- Does the organization have virus protection and firewall programs installed? If you connect to an intranet or the Internet, or if you allow anyone to install data or software from a diskette, CD, or DVD, such programs are necessary.
- Are the programs appropriate for the organization and its system configuration? An off-the-shelf product may be sufficient to lessen the risk of receiving malicious software in your environment, or you may need to implement a customized program.
- If the system configuration is a network, is anti-virus software (updates and scans) controlled at the server level (thereby assuring there is no chance an “end-user” could override or ignore an update)? Do you have appropriate safeguards at the server and workstation levels? It is important to protect all access points.
- Does the organization prevent the use of non-business-related software from home or any other location, including downloads? Such programs often carry malicious software.
- Are systems properly patched (patch management) in an expeditious manner, so they cannot be exploited by malicious logic that takes advantage of unpatched systems? System updates are issued on an ongoing basis and should be installed.
- Are users periodically trained about the risks of opening suspicious e-mail attachments, e-mail from unfamiliar senders, and hoax e-mail? Users need to be involved in protecting systems from malicious software.
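The questions above amount to an audit checklist, and the "detecting and reporting" part of the specification is easier to evidence when the checklist is run against an endpoint inventory rather than answered by hand. The script below is an added example, not part of the original guidance; the hosts, dates and policy thresholds (definitions no older than 7 days, patches no older than 30 days) are constructed for illustration and should be replaced by the organization's own inventory export and policy values.

```python
"""Audit a constructed endpoint inventory against the questions above:
anti-virus installed, definitions current and server-managed, host firewall
on, and patches applied promptly. Every host, date and threshold here is
constructed for the example; none of it comes from the original page."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Policy thresholds: assumed values, tune to the organization's own policy.
MAX_DEFINITION_AGE_DAYS = 7
MAX_PATCH_AGE_DAYS = 30


@dataclass
class Host:
    name: str
    av_installed: bool
    av_definitions_date: Optional[date]   # None when the AV agent does not report
    av_managed_by_server: bool            # updates/scans controlled centrally
    last_patch_date: Optional[date]       # None when no patch history is recorded
    firewall_enabled: bool


@dataclass
class Finding:
    host: str
    control: str   # short tag for the checklist question that failed
    detail: str


def audit_host(h: Host, today: date) -> List[Finding]:
    """Return one Finding per failed check for a single host."""
    findings: List[Finding] = []
    if not h.av_installed:
        findings.append(Finding(h.name, "av-installed", "no anti-virus product installed"))
    else:
        if h.av_definitions_date is None:
            findings.append(Finding(h.name, "av-definitions", "definition date unknown"))
        else:
            age = (today - h.av_definitions_date).days
            if age > MAX_DEFINITION_AGE_DAYS:
                findings.append(Finding(h.name, "av-definitions", f"definitions {age} days old"))
        if not h.av_managed_by_server:
            findings.append(Finding(h.name, "av-managed",
                                    "updates not controlled at server level; end user could override"))
    if not h.firewall_enabled:
        findings.append(Finding(h.name, "firewall", "host firewall disabled"))
    if h.last_patch_date is None:
        findings.append(Finding(h.name, "patching", "no patch history recorded"))
    else:
        age = (today - h.last_patch_date).days
        if age > MAX_PATCH_AGE_DAYS:
            findings.append(Finding(h.name, "patching", f"last patch applied {age} days ago"))
    return findings


def audit_inventory(hosts: List[Host], today: date) -> Dict[str, List[Finding]]:
    """Map each host name to its list of findings (empty list means compliant)."""
    return {h.name: audit_host(h, today) for h in hosts}


def compliant_hosts(report: Dict[str, List[Finding]]) -> List[str]:
    return sorted(name for name, findings in report.items() if not findings)


# Constructed sample inventory (not real hosts).
TODAY = date(2024, 3, 15)
SAMPLE_HOSTS = [
    Host("ws-01", True, date(2024, 3, 14), True, date(2024, 3, 1), True),
    Host("ws-02", True, date(2024, 2, 1), False, date(2024, 3, 10), True),
    Host("srv-db", True, None, True, date(2023, 12, 20), True),
    Host("lab-pc", False, None, False, None, False),
]

if __name__ == "__main__":
    report = audit_inventory(SAMPLE_HOSTS, TODAY)
    for name, findings in report.items():
        status = "OK" if not findings else f"{len(findings)} finding(s)"
        print(f"{name}: {status}")
        for f in findings:
            print(f"    [{f.control}] {f.detail}")
    print("compliant:", ", ".join(compliant_hosts(report)))
```

On the constructed inventory only ws-01 passes every check; ws-02 fails on stale, user-controllable definitions, srv-db on an unreported definition date and an 86-day patch gap, and lab-pc on every control. Feeding the script a real inventory export turns the checklist into repeatable evidence for the "detecting and reporting" procedures the specification asks for.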
Resources:
- NIST SP 800-16, IT Security Training Requirements: A Role- and Performance-Based Model
- NIST SP 800-53, Revision 3, Recommended Security Controls for Federal Information Systems and Organizations
- NIST SP 800-14, Generally Accepted Principles and Practices for Securing Information Technology Systems
- NIST SP 800-63, Recommendation for Electronic Authentication