Anti-virus and Malicious Code Policy Overview

Anti-virus and Malicious Code Policy Overview

• The policy aims to protect networks and devices from malicious software, including viruses, worms, Trojans, spyware, and malware.
• It is designed to minimize the impact on business in case of a malicious software breach and to meet PCI DSS requirements.
• The policy applies to all information processing facilities and mobile computing devices under the company's control, including workstations, servers, and other technology.
• Roles and responsibilities are defined for client, server, and anti-virus administrators, IT security manager, users, and third-party vendors.
• The policy mandates the use of approved anti-virus software, regular scanning for viruses, and strict controls on obtaining files and software from external networks.
• Users are required to be vigilant against unsolicited or suspicious emails, scan media from unknown sources for viruses, and report any suspected or detected viruses immediately.
• The policy requires third-party vendors to provide timely updates and support for the anti-virus solution on a 24x7 basis.
• Specific guidelines are provided for anti-virus scanning and configuration, including proactive and periodic scanning for viruses and scanning of files received on removable media.
• All systems connected to the network running any version of Microsoft Windows must have an anti-virus solution installed, and a risk assessment is required for other operating systems.
• Different anti-virus solutions are recommended for gateway virus scanning and email content scanning, with specific requirements for scanning web traffic and email attachments.
• Enforcement measures include the possibility of disciplinary action for policy violations, with deviations permitted only with a valid business case reviewed and approved by the Security Management Team and/or Legal Counsel.
• The policy references the Payment Card Industry Data Security Standard (PCI DSS) as part of its requirements.