ISO PS014 Protection from Malicious Software
Policy Name: Protection from Malicious Software
Policy Number: IS PS0014
Effective Date: July 23, 2007
Review Date: July 23, 2008
Last Revision Date: July 23, 2007
Last Revision By: Bruce Edwards
Contact Name: Bruce W. Edwards
Contact Email: ISOPolicy@louisville.edu
Approved By: Compliance Oversight Council
Version: 1.0
POLICY:
Malicious software (viruses, worms, trojans, rootkits, hostile ActiveX controls, etc.) must be actively guarded against within the University network. All computing devices must be configured with appropriate safeguards against malicious software.
STANDARDS:
Anti-virus, anti-spyware and firewall software must be deployed on all Windows-based workstations, portable computers, servers and other computing devices that attach to the University networks. Non-Windows computing devices should use equivalent products, if available. Servers behind a properly configured hardware firewall and meeting other enterprise class configuration, administration and maintenance requirements may be exempted from some of these requirements. All exemptions must follow IS PS004 Policy Exception Management Process.
Administrative Standards:
- Antivirus software is available from central IT for workstations, servers and for home use (free of charge to all employees, students and affiliates). Exceptions to the recommended tools such as firewalls, antivirus, and anti-spyware should be approved by IT.
- Intrusion detection, network monitoring, incident logging, and response coordination necessary for the detection, elimination, and recovery from various forms of attack on University resources are managed by the IT Division (See ISO PS006 Security Incidents.)
- Systems found to be infected will be removed from the network until such time as the infection is removed or the system is reformatted.
- The Dean of each School or Administrative Division Head is responsible for the implementation of these security policies and standards so that all computing devices in their areas of responsibility have implemented the appropriate virus protection, anti-spyware and firewall controls as outlined in this document and that all such tools are kept current with the most recent updates installed.
- Proper preparation of all systems (desktops, laptops, servers, printers and handheld devices) must be conducted. Tier Support must install virus protection, anti-spyware and firewall software on all applicable computing devices and should ensure that unnecessary services are disabled before distribution to the user community (see http://security.louisville.edu/Resources/Tools/Tools.html and navigate to the "Windows Services" section for guidelines on what services to disable. This link will be updated soon).
- System Administrators must ensure that the appropriate virus protection, anti-spyware and firewall programs are installed on all servers and ensure that unnecessary services are disabled before installation in the production environment.
- Use of Peer-to-Peer (P2P) "file sharing" applications is not permissible for any file sharing activity that facilitates abuse of copyright and intellectual property laws.
- Instant messaging programs must not be used for file sharing.
- The Information Systems Security Officer will work with Audit Services, Information Technology and others to schedule periodic audits of servers, workstations, laptops and other computing devices to ensure compliance with the established virus protection, anti-spyware and firewall standards.
Technical standards:
- All computing devices must be appropriately configured for automatic virus detection and spyware blocking.
- Virus and anti-spyware definitions must be updated at least weekly. An automatic definition update option should be enabled if supported by the virus or anti-spyware protection tool. Note: Information Technology will centrally provide updates to the virus definition files.
- All software, regardless of origin, should be scanned for viruses and spyware before installation on any University system. Note: Software obtained directly from IT has already gone through this process. Software from approved and/or major vendors has low risk (but it has happened) of virus or spyware contamination. Software downloaded from freeware/shareware or other non-major vendor web sites has the highest risk of spyware or virus contamination; this software should always be scanned before installation.
- Workstation virus scanning software should be configured to automatically scan all e-mail attachments upon receipt with auto-protect/real time protection enabled.
- All computing devices not running approved anti-virus and anti-spyware software must be scanned for malicious software prior to connection to the University network. The central IT Division has CD based software for this purpose.
- Home computer systems connecting, as privileged users, to the University networks must meet the same anti-virus, anti-spyware and firewall standards as systems on the University premises. Note: This does not mean browsing web pages but does mean other activities including but not limited to "I" and "H" drive connections, via SSH Secure Shell, etc.
- All virus and spyware occurrences that are not fully removed by the anti-virus or anti-spyware software must be reported to Tier support for cleansing of the computer (See ISO PS006 Security Incidents.)
- Anti-virus, anti-spyware or firewall protection programs must not be disabled while connected to the campus network. Note: If installation of software requires the temporary termination of these programs, the computing device must be disconnected from the network while the software is being installed. The protection programs must be restarted before the computing device is reconnected to the network.
- Memory sticks, flash drives, CDs, floppy diskettes and other removable media from unknown or untrusted sources must be scanned for viruses and spyware. Auto-start mechanisms must be bypassed when first using removable media that has not been scanned for viruses and spyware.
Software Standards:
The following software has been tested and is recommended by the IT Division for Windows anti-virus, anti-spyware and firewall protection:
- Symantec Anti-Virus Corporate Edition (provided by the University for all faculty, staff, students and affiliated entities).
- Spybot Search and Destroy.
- Spyware Blaster.
- Microsoft Defender.
- Microsoft Windows Firewall.
- Zone Alarm Firewall.
SCOPE / APPLICABILITY:
All persons while conducting/performing work, teaching, research or study activity or otherwise using University resources. Scope/Applicability also includes all facilities, property, data and equipment owned, leased and/or maintained by the University or affiliates.
POLICY AUTHORITY / ENFORCEMENT:
The University's Information Security Officer (ISO) is responsible for the development and oversight of these policies and standards. The ISO works in conjunction with University Leadership, Information Technology, Audit Services and others for development, monitoring and enforcement of these policies and standards.
POLICY REVIEW:
This policy will be reviewed annually to determine if the policy is in compliance with the applicable security regulations and University direction. In the event that significant regulatory changes occur, this policy will be reviewed and updated as needed.
COMPLIANCE:
Failure to comply with these policies and standards and/or any related information security and/or information technology policy, standard or procedure may result in disciplinary action up to and including termination of employment, services or relationship with the University and/or action in accordance with local ordinances, state or federal laws.
REVISION HISTORY:
Version / Revision Date / Description
1.0 / July 23, 2007 / Original Publication
This policy is subject to change or termination by the University at any time. This policy SUPERSEDES all prior policies, procedures or advisories pertaining to the same subject.
Approved July 23, 2007 by the Compliance Oversight Council
Shirley C Willihnganz, Executive Vice President and University Provost, Chair of the Compliance Oversight Council
