Malware protection
MedStack Confidential
Metadata
- responsible officer: CTO
- date
- effective: 2018-06-20
- revised: 2019-10-12
- reviewed: 2018-06-20
Servers do not require malware protection
- Servers do not require operating-system level anti-malware software
- The SANS “Consensus Policy Resource Community”-based analysis
- Servers run Debian Linux.
- No non-administrative users have remote access capability.
- No system is a file server.
- No file sharing access is open to the server.
- HTTP access is only open from the internet in order to forward to HTTPS.
- No FTP access is open from the internet.
- No other “risky” protocols/applications are available to this system from the Internet.
- No mail server is running on the server.
- No non-technical or non-administrative users have access.
| Code | Section | Title | Text |
|---|---|---|---|
| SANS | Server Malware Protection Policy | Policy | Operations staff will adhere to this policy to determine which servers will have anti-virus and/or anti-spyware applications installed on them and to deploy such applications as appropriate. (SANS Institute 2013 – All Rights Reserved) |
| SANS | Server Malware Protection Policy, 4.1 | Anti-virus | All servers MUST have an anti-virus application installed that offers real-time scanning protection to files and applications running on the target system if they meet one or more of the following conditions: (a) non-administrative users have remote access capability; (b) the system is a file server; (c) NBT/Microsoft Share access is open to this server from systems used by non-administrative users; (d) HTTP/FTP access is open from the Internet; (e) other “risky” protocols/applications are available to this system from the Internet at the discretion of the Security Administrator. All servers SHOULD have an anti-virus application installed that offers real-time scanning protection to files and applications running on the target system if they meet one or more of the following conditions: outbound web access is available from the system. |
| SANS | Server Malware Protection Policy, 4.2 | Mail server anti-virus | If the target system is a mail server it MUST have either an external or internal anti-virus scanning application that scans all mail destined to and from the mail server. Local anti-virus scanning applications MAY be disabled during backups if an external anti-virus application still scans inbound emails while the backup is being performed. |
| SANS | Server Malware Protection Policy, 4.3 | Anti-spyware | All servers MUST have an anti-spyware application installed that offers real-time protection to the target system if they meet one or more of the following conditions: (a) any system where non-technical or non-administrative users have remote access to the system and ANY outbound access is permitted to the Internet; (b) any system where non-technical or non-administrative users have the ability to install software on their own. |
| SANS | Server Malware Protection Policy, 4.4 | Notable exceptions | An exception to the above standards will generally be granted with minimal resistance and documentation if one of the following notable conditions apply to this system: (a) the system is a SQL server; (b) the system is used as a dedicated mail server; (c) the system is not a Windows based platform. |
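The exemption above holds only while the listed conditions stay true on every server, so they should be verified rather than assumed. The following POSIX shell check is an added example, not MedStack's own tooling: it evaluates `ss -Hlnt`-style listening-socket output against the no-FTP, no-mail and no-file-sharing conditions and checks that a plain-HTTP response is a redirect to HTTPS. The port-to-condition mapping is an assumption, and the sample socket lines and HTTP headers are constructed for illustration.

```shell
#!/bin/sh
# Ports mapped (assumption) to the exemption conditions above:
# 21 FTP; 25/465/587 mail; 137-139/445 NBT/SMB file sharing.
RISKY_PORTS="21 25 465 587 137 138 139 445"

# check_ports: reads `ss -Hlnt`-style lines from stdin and reports any
# listening socket on a risky port. Returns 1 if a violation is found.
check_ports() {
  rc=0
  while read -r state _recvq _sendq laddr _rest; do
    [ "$state" = "LISTEN" ] || continue
    port=${laddr##*:}
    for p in $RISKY_PORTS; do
      [ "$port" = "$p" ] && { echo "VIOLATION: $laddr is listening"; rc=1; }
    done
  done
  return $rc
}

# check_http_redirect: reads response headers (as from `curl -sI http://host/`,
# CRs stripped) from stdin; passes only if plain HTTP redirects to HTTPS.
check_http_redirect() {
  status=""; location=""
  while IFS= read -r line; do
    case "$line" in
      HTTP/*) status=$(printf '%s' "$line" | cut -d' ' -f2) ;;
      [Ll]ocation:*) location=${line#*: } ;;
    esac
  done
  case "$status" in
    301|302|307|308) ;;
    *) echo "VIOLATION: status '$status' is not a redirect"; return 1 ;;
  esac
  case "$location" in
    https://*) return 0 ;;
    *) echo "VIOLATION: redirect target '$location' is not HTTPS"; return 1 ;;
  esac
}

# Constructed sample data (not captured from a real host).
SS_COMPLIANT='LISTEN 0 4096 0.0.0.0:80 0.0.0.0:*
LISTEN 0 4096 0.0.0.0:443 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*'
SS_VIOLATING='LISTEN 0 50 0.0.0.0:445 0.0.0.0:*
LISTEN 0 100 [::]:25 [::]:*'
HDR_REDIRECT='HTTP/1.1 301 Moved Permanently
Location: https://example.test/'
HDR_PLAIN='HTTP/1.1 200 OK
Content-Type: text/html'
```

On a live Debian host the two checks are fed real data with `ss -Hlnt | check_ports` and `curl -sI http://host/ | tr -d '\r' | check_http_redirect`; a non-zero exit from either means the exemption no longer applies to that server.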
Run malware protection on workstations
- Mac OS
- Periodically run appropriate anti-malware software (e.g. Malwarebytes).
- Linux
- Use appropriate anti-malware software.
- Windows
- Use (preferably multiple) industry standard anti-malware software.
- Updates
- Keep malware software and definitions up to date using automatic updating.
- Mobile code
- Use malware protection software to automatically control mobile code (e.g. JavaScript, Word macros).
| Code | Section | Title | Text |
|---|---|---|---|
| ISO | A.12.2.1 | Controls against malware | Detection, prevention and recovery controls to protect against malware shall be implemented, combined with appropriate user awareness. |
| HIPAA | 164.308(a)(5)(ii)(B) | Protection from malicious software | Protection from malicious software (Addressable). Procedures for guarding against, detecting, and reporting malicious software. |
| NIST | SC-18 | Mobile Code | The organization: (a) defines acceptable and unacceptable mobile code and mobile code technologies; (b) establishes usage restrictions and implementation guidance for acceptable mobile code and mobile code technologies; and (c) authorizes, monitors, and controls the use of mobile code within the information system. |
When malware is detected
- Quarantine the affected workstation.
- Correct the infection using anti-malware software.
- Report and document the incident.
Enforcement
- Responsible party: All managers and supervisors
- Sanctions: standard
References
| Code | Section | Title | Text |
|---|---|---|---|
| ISO | A.12.2 | Protection from malware | To ensure that information and information processing facilities are protected against malware. |
| CHI | SR28 | Protecting Against Malware | All organizations connecting to the EHRi or hosting components of the EHRi must implement appropriate detection and prevention controls and appropriate user-awareness procedures to protect against malicious software (viruses, worms, etc.) |