Anti-virus and Malicious Code Policy Overview

Questions and Answers

Is the policy designed to protect only networks from malicious software?

False

Does the policy cover all information processing facilities and mobile devices under the company's control?

True

Are users responsible for being vigilant against suspicious emails?

True

Are third-party vendors required to provide updates in a timely manner?

True

Is proactive and periodic scanning for viruses mandated by the policy?

True

Are different anti-virus solutions required for gateway virus scanning and email content scanning?

True

Is enforcement of the policy involved disciplinary action for employees found to have violated it?

True

Are automated updates and scheduled checks of files required for anti-virus protection on workstations, laptops, and servers?

True

Is deviation from the policy permitted without a valid business case reviewed and approved by the Security Management Team and/or Legal Counsel?

False

Study Notes

Anti-virus and Malicious Code Policy Overview

• The policy aims to protect all networks, information processing facilities, and mobile devices from malicious software, including viruses, worms, Trojans, and spyware.
• It is designed to minimize the impact of malicious software on business and to comply with PCI DSS requirements.
• The scope covers all information processing facilities and mobile devices under the company's control, including network gateways, laptops, workstations, servers, and other mobile technology.
• The policy outlines the roles and responsibilities of client, server, and anti-virus administrators, IT security manager, users, and third-party vendors.
• It emphasizes the need for approved anti-virus software installation and regular updates, strict controls on obtaining files from external networks, and monitoring the effectiveness of anti-virus software.
• Users are responsible for being vigilant against suspicious emails, scanning media from unknown sources for viruses, and reporting any suspected or detected viruses to the IT helpdesk.
• Third-party vendors are required to provide updates in a timely manner and offer support and guidance as necessary.
• The policy mandates proactive and periodic scanning for viruses and scanning of files received on removable media from outside the trusted network.
• It specifies the platforms requiring anti-virus configuration, including systems running Microsoft Windows and Linux/Unix operating systems.
• Workstations, laptops, and servers have specific requirements for anti-virus protection, including automated updates and scheduled checks of files.
• Different anti-virus solutions are required for gateway virus scanning and email content scanning, with specific protocols for scanning web traffic and email attachments.
• Enforcement of the policy involves disciplinary action for employees found to have violated it, with deviation permitted only with a valid business case reviewed and approved by the Security Management Team and/or Legal Counsel.

Description

Learn about the comprehensive policy designed to safeguard networks, information processing facilities, and mobile devices from malicious software, in line with PCI DSS requirements. The policy covers roles, responsibilities, installation of approved anti-virus software, proactive scanning, and enforcement measures.