Establish, implement, and maintain a malicious code protection program.

CONTROL ID
00574
CONTROL TYPE
Establish/Maintain Documentation
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Technical security, CC ID: 00508

This Control has the following implementation support Control(s):
  • Disseminate and communicate the malicious code protection policy to all interested personnel and affected parties., CC ID: 15485
  • Disseminate and communicate the malicious code protection procedures to all interested personnel and affected parties., CC ID: 15484
  • Establish, implement, and maintain malicious code protection procedures., CC ID: 15483
  • Establish, implement, and maintain a malicious code protection policy., CC ID: 15478
  • Restrict downloading to reduce malicious code attacks., CC ID: 04576
  • Install security and protection software, as necessary., CC ID: 00575
  • Scan for malicious code, as necessary., CC ID: 11941
  • Protect the system against replay attacks., CC ID: 04552
  • Define and assign roles and responsibilities for malicious code protection., CC ID: 15474
  • Establish, implement, and maintain a malicious code outbreak recovery plan., CC ID: 01310
  • Log and react to all malicious code activity., CC ID: 07072
  • Lock antivirus configurations., CC ID: 10047


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • Controls over mobile computing are required to manage the risks of working in an unprotected environment. In protecting AIs’ information, AIs should establish control procedures covering: - an approval process for user requests for mobile computing; - authentication controls for remote access to n… (3.5.2, Hong Kong Monetary Authority: TM-G-1: General Principles for Technology Risk Management, V.1 – 24.06.03)
  • Software and information processing facilities are vulnerable to attacks by computer viruses and other malicious software. Procedures and responsibilities should be established to detect and prevent attacks. AIs should put in place adequate controls such as: - prohibiting the download and use of un… (3.5.3, Hong Kong Monetary Authority: TM-G-1: General Principles for Technology Risk Management, V.1 – 24.06.03)
  • A licensed or registered person should implement and update anti-virus and anti-malware solutions (including the corresponding definition and signature files) on a timely basis to detect malicious applications and malware on critical system servers and workstations. (2.5. ¶ 1, Guidelines for Reducing and Mitigating Hacking Risks Associated with Internet Trading)
  • O30: The organization shall establish procedures for protecting, detecting, and recovering from computer viruses. T49: The organization shall implement measures to prevent damage from malicious programs during development, maintenance, and operations. T49.3(1).2: The organization should write-protec… (O30, T49, T49.3(1).2, FISC Security Guidelines on Computer Systems for Banking and Related Financial Institutions, 7th Edition)
  • Malicious software (Critical components of information security 1) 2) q. xvi., Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • Administrators should not rely solely on AV software and email filtering to detect worm infections. Logs from firewalls, intrusion detection and prevention sensors, DNS servers and proxy server logs should be monitored on a daily basis for signs of worm infections including but not limited to: (Critical components of information security 18) v., Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • Measures for preventing intrusion of computer viruses, including installation and operation of vaccine software; (Article 28(1)(5), Act On Promotion of Information and Communications Network Utilization and Information Protection, Amended by Act No. 14080, Mar. 22, 2016)
  • Information with a content that mutilates, destroys, alters, or forges an information and communications system, data, a program, or similar or that interferes with the operation of such system, data, program, or similar without a justifiable ground; (Article 44-7(1)(4), Act On Promotion of Information and Communications Network Utilization and Information Protection, Amended by Act No. 14080, Mar. 22, 2016)
  • Endpoint protection, which includes but is not limited to behavioural-based and signature-based solutions, should be implemented to protect the FI from malware infection and address common delivery channels of malware, such as malicious links, websites, email attachments or infected removable storag… (§ 11.3.3, Technology Risk Management Guidelines, January 2021)
  • implement anti-hooking or anti-tampering mechanisms to prevent injection of malicious code that could alter or monitor the behaviour of the application at runtime; (Annex C.1(c), Technology Risk Management Guidelines, January 2021)
  • When exporting data from an AUSTEO or AGAO system, keyword searches are undertaken on all textual data and any identified data is quarantined until reviewed and approved for release by a trusted source other than the originator. (Security Control: 0678; Revision: 2, Australian Government Information Security Manual)
  • All suspicious, malicious and active content is blocked from entering a security domain. (Security Control: 0651; Revision: 4, Australian Government Information Security Manual)
  • Files that cannot be inspected are blocked and generate an alert or notification. (Security Control: 1291; Revision: 1, Australian Government Information Security Manual)
  • The organization must develop, maintain, and implement tools and procedures that incorporate countermeasures against malicious code for detecting potential cyber security incidents. (Control: 0120 Bullet 1, Australian Government Information Security Manual: Controls)
  • The organization must ensure the detection heuristics for the antivirus software and the Internet security software is set to a high level on the servers and workstations. (Control: 1033 Bullet 1, Australian Government Information Security Manual: Controls)
  • The organization must block all suspicious data, malicious content, and active content from entering the security domain of classified systems. (Control: 0651, Australian Government Information Security Manual: Controls)
  • The policy framework should include the management of anti-malicious software. (¶ 27(d), APRA Prudential Practice Guide 234: Management of security risk in information and information technology)
  • The organization should develop, implement, and maintain procedures to detect potential security incidents. One such procedure should be to implement malicious code countermeasures. The policies, procedures, and plans should include how to minimize the likelihood of a malicious code outbreak; how to… (§ 2.8.17, § 3.5.71, Australian Government ICT Security Manual (ACSI 33))
  • Are all of your desktop computers, laptops, tablets and mobile phones protected from malware by either (A8.1., Cyber Essentials Scheme (CES) Questionnaire, Version 13)
  • Is an offline backup or file journaling policy and solution in place to provide protection against malware that encrypts user data files? (Secure configuration Question 19, Cyber Essentials Scheme (CES) Questionnaire, Versions 3.3)
  • Ensuring proper regular operations including appropriate safeguards for planning and monitoring the capacity, protection against malware, logging and monitoring events as well as handling vulnerabilities, malfunctions and errors. (Section 5.6 Objective, Cloud Computing Compliance Controls Catalogue (C5))
  • The logical and physical IT systems which the cloud provider uses for the development and rendering of the cloud service as well as the network perimeters which are subject to the cloud provider's area of responsibility are equipped with anti-virus protection and repair programs which allow for a si… (Section 5.6 RB-05 Basic requirement ¶ 1, Cloud Computing Compliance Controls Catalogue (C5))
  • Programs to prevent vulnerabilities and to remove electronic flaws must be updated at least annually. If sensitive or judicial data is processed on the system, the updates must occur at least every 6 months. (Annex B.17, Italy Personal Data Protection Code)
  • Telecommunications operators, value added service providers, corporate subscribers, or a party acting on their behalf has the right to combat information security violations and remove information security disruptions by removing malicious software from messages. Messages may only be examined by tec… (§ 20(1), § 20(3), Finland Act on the Protection of Privacy in Electronic Communications, Unofficial Translation)
  • The organization should implement a malicious software policy. (Mandatory Requirement 39.b, HMG Security Policy Framework, Version 6.0 May 2011)
  • (§ 4.2.4, OGC ITIL: Security Management)
  • Does the organization document the actions taken to eradicate and prevent future instances of viruses? (Table Row VIII.6, OECD / World Bank Technology Risk Checklist, Version 7.3)
  • Does the organization document the procedures to avoid propagating a virus to others? (Table Row VIII.7, OECD / World Bank Technology Risk Checklist, Version 7.3)
  • Put preventive, detective and corrective measures in place (especially up-to-date security patches and virus control) across the organisation to protect information systems and technology from malware (e.g., viruses, worms, spyware, spam). (DS5.9 Malicious Software Prevention, Detection and Correction, CobiT, Version 4.1)
  • The control system shall provide the capability to manage malicious code protection mechanisms. (7.4.3.2 ¶ 1, IEC 62443-3-3: Industrial communication networks – Network and system security – Part 3-3: System security requirements and security levels, Edition 1)
  • The control system shall provide the capability to employ protection mechanisms to prevent, detect, report and mitigate the effects of malicious code or unauthorized software. The control system shall provide the capability to update the protection mechanisms. (7.4.1 ¶ 1, IEC 62443-3-3: Industrial communication networks – Network and system security – Part 3-3: System security requirements and security levels, Edition 1)
  • The application product supplier shall qualify and document which protection from malicious code mechanisms are compatible with the application and note any special configuration requirements. (12.3.1 ¶ 1, IEC 62443-4-2: Security for industrial automation and control systems – Part 4-2: Technical security requirements for IACS components, Edition 1.0)
  • Obtain and examine the anti-virus policy and verify that it requires updating of anti-virus software and definitions. (§ 5.2.a, Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance All other Merchants and all SAQ-Eligible Service Providers, Version 2.0)
  • Review the vendor documentation and examine the anti-virus software configurations to verify it detects, removes, and protects against all known types of malicious software. (Testing Procedures § 5.1.1, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures - Testing Procedures, 3)
  • Interview personnel to verify that evolving malware threats are monitored and evaluated to confirm if systems that are not commonly affected by malicious software continue to not require anti-virus software. (Testing Procedures § 5.1.2, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures - Testing Procedures, 3)
  • Examine the anti-virus configurations, including the master installation, to verify the anti-virus mechanisms are configured to conduct periodic scans. (Testing Procedures § 5.2.b Bullet 2, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures - Testing Procedures, 3)
  • Examine a sample of system components to verify the anti-virus mechanisms run periodic scans. (Testing Procedures § 5.2.c Bullet 2, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures - Testing Procedures, 3)
  • Use and regularly update antivirus software or programs (§ 5, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 2.0)
  • Obtain and examine the anti-virus policy and verify that it requires updating of anti-virus software and definitions. (§ 5.2.a Testing Procedures, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 2.0)
  • Anti-virus programs must be capable of detecting, removing, and protecting against all known malicious software. (PCI DSS Requirements § 5.1.1, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 3.0)
  • Periodic evaluations on systems that are not considered to be commonly affected by malicious software must be conducted to identify and evaluate the evolving malware threats to determine if the systems continue to not require anti-virus software. (PCI DSS Requirements § 5.1.2, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 3.0)
  • All anti-virus mechanisms must conduct periodic scans. (PCI DSS Requirements § 5.2 Bullet 2, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 3.0)
  • Use and regularly update antivirus software or programs (PCI DSS Requirements § 5, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 3.0)
  • Ensure that security policies and operational procedures for protecting systems against malware are documented, in use, and known to all affected parties. (5.4, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 3.1 April 2015)
  • Protect all systems against malware and regularly update anti-virus software or programs. (Requirement 5, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 3.1 April 2015)
  • Protect all systems against malware and regularly update anti-virus software or programs. (Requirement 5, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, v3.2.1)
  • Ensure that security policies and operational procedures for protecting systems against malware are documented, in use, and known to all affected parties. (5.4, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, v3.2.1)
  • Protect all systems against malware and regularly update anti-virus software or programs. (Requirement 5, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, Version 3.2)
  • Ensure that security policies and operational procedures for protecting systems against malware are documented, in use, and known to all affected parties. (5.4, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, Version 3.2)
  • Are anti-virus programs capable of detecting, removing, and protecting against all known types of malicious software (for example, viruses, Trojans, worms, spyware, adware, and rootkits)? (5.1.1, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire A-EP and Attestation of Compliance, Version 3.1)
  • Protect all systems against malware and regularly update anti-virus software or programs (Requirement 5:, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire A-EP and Attestation of Compliance, Version 3.1)
  • Protect all systems against malware and regularly update anti-virus software or programs (Requirement 5, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire A-EP and Attestation of Compliance, Version 3.2)
  • Are security policies and operational procedures for protecting systems against malware: - Documented - In use - Known to all affected parties? (5.4, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire A-EP and Attestation of Compliance, Version 3.2)
  • Protect all systems against malware and regularly update anti-virus software or programs (Requirement 5:, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire C and Attestation of Compliance, Version 3.1)
  • Are anti-virus programs capable of detecting, removing, and protecting against all known types of malicious software (for example, viruses, Trojans, worms, spyware, adware, and rootkits)? (5.1.1, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire C and Attestation of Compliance, Version 3.1)
  • Protect all systems against malware and regularly update anti-virus software or programs (Requirement 5, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire C and Attestation of Compliance, Version 3.2)
  • Protect all systems against malware and regularly update anti-virus software or programs (Requirement 5:, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire C-VT and Attestation of Compliance, Version 3.1)
  • Are anti-virus programs capable of detecting, removing, and protecting against all known types of malicious software (for example, viruses, Trojans, worms, spyware, adware, and rootkits)? (5.1.1, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire C-VT and Attestation of Compliance, Version 3.1)
  • Protect all systems against malware and regularly update anti-virus software or programs (Requirement 5, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire C-VT and Attestation of Compliance, Version 3.2)
  • Protect all systems against malware and regularly update anti-virus software or programs (Requirement 5:, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.1)
  • Are anti-virus programs capable of detecting, removing, and protecting against all known types of malicious software (for example, viruses, Trojans, worms, spyware, adware, and rootkits)? (5.1.1, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.1)
  • Are security policies and operational procedures for protecting systems against malware: - Documented - In use - Known to all affected parties? (5.4, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.1)
  • Protect all systems against malware and regularly update anti-virus software or programs (Requirement 5, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.2)
  • Are security policies and operational procedures for protecting systems against malware: - Documented - In use - Known to all affected parties? (5.4, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.2)
  • Are all anti-virus mechanisms maintained as follows: (5.2, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.2)
  • Protect all systems against malware and regularly update anti-virus software or programs (Requirement 5:, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.1)
  • Are anti-virus programs capable of detecting, removing, and protecting against all known types of malicious software (for example, viruses, Trojans, worms, spyware, adware, and rootkits)? (5.1.1, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.1)
  • Are security policies and operational procedures for protecting systems against malware: - Documented - In use - Known to all affected parties? (5.4, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.1)
  • Protect all systems against malware and regularly update anti-virus software or programs (Requirement 5, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.2)
  • Are security policies and operational procedures for protecting systems against malware: - Documented - In use - Known to all affected parties? (5.4, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.2)
  • Are all anti-virus mechanisms maintained as follows: (5.2, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.2)
  • Examine documentation and interview personnel to verify that security policies and operational procedures for protecting systems against malware are: - Documented, - In use, and - Known to all affected parties. (5.4, Payment Card Industry (PCI) Data Security Standard, Testing Procedures, Version 3.2)
  • Confirmation whether such system components continue to not require anti-malware protection. (5.2.3 Bullet 3, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Requirements, Version 4.0)
  • Any system components that are not at risk for malware are evaluated periodically to include the following: (5.2.3, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Requirements, Version 4.0)
  • Examine system components to verify that an anti-malware solution(s) is deployed on all system components, except for those determined to not be at risk from malware based on periodic evaluations per Requirement 5.2.3. (5.2.1.a, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Testing Procedures, Version 4.0)
  • For any system components without an anti-malware solution, examine the periodic evaluations to verify the component was evaluated and the evaluation concludes that the component is not at risk from malware. (5.2.1.b, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Testing Procedures, Version 4.0)
  • Examine documented policies and procedures to verify that a process is defined for periodic evaluations of any system components that are not at risk for malware that includes all elements specified in this requirement. (5.2.3.a, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Testing Procedures, Version 4.0)
  • Interview personnel to verify that the evaluations include all elements specified in this requirement. (5.2.3.b, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Testing Procedures, Version 4.0)
  • Examine the list of system components identified as not at risk of malware and compare to the system components without an anti-malware solution deployed per Requirement 5.2.1 to verify that the system components match for both requirements. (5.2.3.c, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Testing Procedures, Version 4.0)
  • Additional testing procedure for service provider assessments only: Examine documentation and configuration settings to verify that methods to detect and alert on/prevent covert malware communication channels are in place and operating. (11.5.1.1.a, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Testing Procedures, Version 4.0)
  • Examine documented results of periodic evaluations of system components identified as not at risk for malware and interview personnel to verify that evaluations are performed at the frequency defined in the entity's targeted risk analysis performed for this requirement. (5.2.3.1.b, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Testing Procedures, Version 4.0)
  • Are anti-virus programs capable of detecting, removing, and protecting against all known types of malicious software (for example, viruses, Trojans, worms, spyware, adware, and rootkits)? (PCI DSS Question 5.1.1, PCI DSS Self-Assessment Questionnaire A-EP and Attestation of Compliance, Version 3.0)
  • Are periodic evaluations performed to identify and evaluate evolving malware threats in order to confirm whether those systems considered to be commonly affected by malicious software continue as such? (PCI DSS Question 5.1.2, PCI DSS Self-Assessment Questionnaire A-EP and Attestation of Compliance, Version 3.0)
  • Are automatic updates and periodic scans enabled and being performed? (PCI DSS Question 5.2(b), PCI DSS Self-Assessment Questionnaire A-EP and Attestation of Compliance, Version 3.0)
  • Are anti-virus programs capable of detecting, removing, and protecting against all known types of malicious software (for example, viruses, Trojans, worms, spyware, adware, and rootkits)? (PCI DSS Question 5.1.1, PCI DSS Self-Assessment Questionnaire C and Attestation of Compliance, Version 3.0)
  • Are periodic evaluations performed to identify and evaluate evolving malware threats in order to confirm whether those systems considered to be commonly affected by malicious software continue as such? (PCI DSS Question 5.1.2, PCI DSS Self-Assessment Questionnaire C and Attestation of Compliance, Version 3.0)
  • Are automatic updates and periodic scans enabled and being performed? (PCI DSS Question 5.2(b), PCI DSS Self-Assessment Questionnaire C and Attestation of Compliance, Version 3.0)
  • Are anti-virus programs capable of detecting, removing, and protecting against all known types of malicious software (for example, viruses, Trojans, worms, spyware, adware, and rootkits)? (PCI DSS Question 5.1.1, PCI DSS Self-Assessment Questionnaire C-VT and Attestation of Compliance, Version 3.0)
  • Are periodic evaluations performed to identify and evaluate evolving malware threats in order to confirm whether those systems considered to be commonly affected by malicious software continue as such? (PCI DSS Question 5.1.2, PCI DSS Self-Assessment Questionnaire C-VT and Attestation of Compliance, Version 3.0)
  • Are automatic updates and periodic scans enabled and being performed? (PCI DSS Question 5.2(b), PCI DSS Self-Assessment Questionnaire C-VT and Attestation of Compliance, Version 3.0)
  • Are anti-virus programs capable of detecting, removing, and protecting against all known types of malicious software (for example, viruses, Trojans, worms, spyware, adware, and rootkits)? (PCI DSS Question 5.1.1, PCI DSS Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.0)
  • Are periodic evaluations performed to identify and evaluate evolving malware threats in order to confirm whether those systems considered to be commonly affected by malicious software continue as such? (PCI DSS Question 5.1.2, PCI DSS Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.0)
  • Are automatic updates and periodic scans enabled and being performed? (PCI DSS Question 5.2(b), PCI DSS Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.0)
  • Are security policies and operational procedures for protecting systems against malware documented, in use, and known to all affected parties? (PCI DSS Question 5.4, PCI DSS Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.0)
  • Are anti-virus programs capable of detecting, removing, and protecting against all known types of malicious software (for example, viruses, Trojans, worms, spyware, adware, and rootkits)? (PCI DSS Question 5.1.1, PCI DSS Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.0)
  • Are periodic evaluations performed to identify and evaluate evolving malware threats in order to confirm whether those systems considered to be commonly affected by malicious software continue as such? (PCI DSS Question 5.1.2, PCI DSS Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.0)
  • Are automatic updates and periodic scans enabled and being performed? (PCI DSS Question 5.2(b), PCI DSS Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.0)
  • Are security policies and operational procedures for protecting systems against malware documented, in use, and known to all affected parties? (PCI DSS Question 5.4, PCI DSS Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.0)
  • As with other sophisticated computing devices, mobile devices are susceptible to infection by malware and other threats. Therefore, establish sufficient security controls to protect mobile devices from malware and other software threats. For example, install and regularly update the latest anti-malw… (¶ 5.3.1, PCI Mobile Payment Acceptance Security Guidelines for Merchants as End-Users, Version 1.1)
  • Disabling USB debugging and disallowing untrusted sources should be enforced on an ongoing basis. As an additional defense-in-depth, the device should be monitored for jailbreaking or rooting activity, and when detected the device should be quarantined by a solution that either removes it from the … (¶ 5.4.3, PCI Mobile Payment Acceptance Security Guidelines for Merchants as End-Users, Version 1.1)
  • Any system components that are not at risk for malware are evaluated periodically to include the following: (5.2.3, Self-Assessment Questionnaire A-EP and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Confirmation whether such system components continue to not require anti-malware protection. (5.2.3 Bullet 3, Self-Assessment Questionnaire A-EP and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Any system components that are not at risk for malware are evaluated periodically to include the following: (5.2.3, Self-Assessment Questionnaire C and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Confirmation whether such system components continue to not require anti-malware protection. (5.2.3 Bullet 3, Self-Assessment Questionnaire C and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Any system components that are not at risk for malware are evaluated periodically to include the following: (5.2.3, Self-Assessment Questionnaire D for Merchants and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Confirmation whether such system components continue to not require anti-malware protection. (5.2.3 Bullet 3, Self-Assessment Questionnaire D for Merchants and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Confirmation whether such system components continue to not require anti-malware protection. (5.2.3 Bullet 3, Self-Assessment Questionnaire D for Service Providers and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Any system components that are not at risk for malware are evaluated periodically to include the following: (5.2.3, Self-Assessment Questionnaire D for Service Providers and Attestation of Compliance for use with PCI DSS Version 4.0)
  • E-mail users should be trained to not open any attachments from unknown sources and to not open unexpected attachments from known sources. (Pg 12-II-35, Protection of Assets Manual, ASIS International)
  • There should be documented standards / procedures covering protection against malware, which provide users with information about malware. (CF.10.02.01a, The Standard of Good Practice for Information Security)
  • Malware protection software should protect against all forms of malware (e.g., computer viruses, worms, trojan horses, spyware, rootkits, botnet software, keystroke loggers, adware, and malicious mobile code). (CF.10.03.03, The Standard of Good Practice for Information Security)
  • Malware protection software should be configured to scan computer firmware (i.e., the Basic Input Output System and memory). (CF.10.03.05a, The Standard of Good Practice for Information Security)
  • Malware protection software should be configured to scan the Master Boot Record of hard disk drives (a popular target for boot sector-infecting viruses). (CF.10.03.05b, The Standard of Good Practice for Information Security)
  • Malware protection software should be configured to scan targeted files (including executables, image files such as JPEG, document formats such as Adobe PDF and macro files in desktop software). (CF.10.03.05c, The Standard of Good Practice for Information Security)
  • Malware protection software should be configured to scan protected files (e.g., compressed or password-protected files). (CF.10.03.05d, The Standard of Good Practice for Information Security)
  • Malware protection software should be configured to be active at all times (i.e., scanning files as they are accessed to provide real-time protection). (CF.10.03.06a, The Standard of Good Practice for Information Security)
  • Malware protection software should be configured to perform scheduled scanning at predetermined times. (CF.10.03.06b, The Standard of Good Practice for Information Security)
  • The customer access sign-on process should include performing integrity checks to ensure connecting devices have not been compromised by malware (including computer viruses, worms, trojan horses, spyware, rootkits, keystroke loggers and botnet software). (CF.05.03.06a, The Standard of Good Practice for Information Security)
  • The risk of malware infection should be reduced by warning users not to click on suspicious or unknown hyperlinks inside e-mails or documents. (CF.10.02.04c, The Standard of Good Practice for Information Security)
  • There should be documented standards / procedures covering protection against malware, which provide users with information about malware. (CF.10.02.01a, The Standard of Good Practice for Information Security, 2013)
  • Malware protection software should protect against all forms of malware (e.g., computer viruses, worms, trojan horses, spyware, rootkits, botnet software, keystroke loggers, adware, and malicious mobile code). (CF.10.03.03, The Standard of Good Practice for Information Security, 2013)
  • Malware protection software should be configured to scan computer firmware (i.e., the Basic Input Output System and memory). (CF.10.03.05a, The Standard of Good Practice for Information Security, 2013)
  • Malware protection software should be configured to scan the Master Boot Record of hard disk drives (a popular target for boot sector-infecting viruses). (CF.10.03.05b, The Standard of Good Practice for Information Security, 2013)
  • Malware protection software should be configured to scan targeted files (including executables, image files such as JPEG, document formats such as Adobe PDF and macro files in desktop software). (CF.10.03.05c, The Standard of Good Practice for Information Security, 2013)
  • Malware protection software should be configured to scan protected files (e.g., compressed or password-protected files). (CF.10.03.05d, The Standard of Good Practice for Information Security, 2013)
  • Malware protection software should be configured to be active at all times (i.e., scanning files as they are accessed to provide real-time protection). (CF.10.03.06a, The Standard of Good Practice for Information Security, 2013)
  • Malware protection software should be configured to perform scheduled scanning at predetermined times. (CF.10.03.06b, The Standard of Good Practice for Information Security, 2013)
  • The customer access sign-on process should include performing integrity checks to ensure connecting devices have not been compromised by malware (including computer viruses, worms, trojan horses, spyware, rootkits, keystroke loggers and botnet software). (CF.05.03.06a, The Standard of Good Practice for Information Security, 2013)
  • The risk of malware infection should be reduced by warning users not to click on suspicious or unknown hyperlinks inside e-mails or documents. (CF.10.02.04c, The Standard of Good Practice for Information Security, 2013)
  • There should be an easy process to distribute antivirus updates in the event of an outbreak. Checks should be made regularly to ensure the antivirus software is running. The organization should validate or debunk possible hoaxes by utilizing the Hoaxes page at the CIAC website. (Action 1.8.6, Special Action 6.1, SANS Computer Security Incident Handling, Version 2.3.1)
  • The organization should establish and maintain a malware defenses program. (Critical Control 5, Twenty Critical Security Controls for Effective Cyber Defense: Consensus Audit Guidelines, Version 4.0)
  • The organization should use automated tools to continuously monitor servers, workstations, and mobile devices to verify anti-malware protection with anti-spyware, anti-virus, host-based Intrusion Protection System, and personal firewall functionality is up-to-date and active, and includes zero-day p… (Critical Control 5.1, Twenty Critical Security Controls for Effective Cyber Defense: Consensus Audit Guidelines, Version 4.0)
  • The automated monitoring tool should use behavior-based anomaly detection in addition to the signature-based detection. (Critical Control 5.10, Twenty Critical Security Controls for Effective Cyber Defense: Consensus Audit Guidelines, Version 4.0)
  • The system must identify malicious software that is installed, executed, or attempted to be executed or installed inside of 1 hour and send notification to a list of enterprise personnel. In the future, the organization should strive for quicker responses. (Control 5 Metric, Twenty Critical Security Controls for Effective Cyber Defense: Consensus Audit Guidelines, Version 4.0)
  • The system must prevent the execution of, block the installation of, or quarantine malicious software inside of 1 hour of detection and send notification when this has occurred. In the future, the organization should strive for quicker responses. (Control Metric 5, Twenty Critical Security Controls for Effective Cyber Defense: Consensus Audit Guidelines, Version 4.0)
  • The organization should develop plans for deploying filters on internal networks to stop an intruder or malware from spreading. (Critical Control 13.11, Twenty Critical Security Controls for Effective Cyber Defense: Consensus Audit Guidelines, Version 4.0)
  • The organization should deploy toolkits and features that help prevent malware exploitation, such as Data Execution Prevention and enhanced mitigation experience toolkit. (Critical Control 5.7, Twenty Critical Security Controls for Effective Cyber Defense: Consensus Audit Guidelines, Version 4.0)
  • The organization should use network-based flow analysis tools for analyzing inbound traffic and outbound traffic. (Critical Control 5.14, Twenty Critical Security Controls for Effective Cyber Defense: Consensus Audit Guidelines, Version 4.0)
  • Policies and procedures shall be established, and supporting business processes and technical measures implemented, to prevent the execution of malware on organizationally-owned or managed user end-point devices (i.e., issued workstations, laptops, and mobile devices) and IT infrastructure network a… (TVM-01, Cloud Controls Matrix, v3.0)
  • Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures to protect against malware on managed assets. Review and update the policies and procedures at least annually. (TVM-02, Cloud Controls Matrix, v4.0)
  • Control the installation, spread, and execution of malicious code at multiple points in the enterprise, while optimizing the use of automation to enable rapid updating of defense, data gathering, and corrective action. (CIS Control 8: Malware Defenses, CIS Controls, 7.1)
  • Enable anti-exploitation features such as Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR) that are available in an operating system or deploy appropriate toolkits that can be configured to apply protection to a broader set of applications and executables. (CIS Control 8: Sub-Control 8.3 Enable Operating System Anti-Exploitation Features/ Deploy Anti-Exploit Technologies, CIS Controls, 7.1)
  • Control the installation, spread, and execution of malicious code at multiple points in the enterprise, while optimizing the use of automation to enable rapid updating of defense, data gathering, and corrective action. (CIS Control 8: Malware Defenses, CIS Controls, V7)
  • Enable anti-exploitation features such as Data Execution Prevention (DEP) or Address Space Layout Randomization (ASLR) that are available in an operating system or deploy appropriate toolkits that can be configured to apply protection to a broader set of applications and executables. (CIS Control 8: Sub-Control 8.3 Enable Operating System Anti-Exploitation Features/ Deploy Anti-Exploit Technologies, CIS Controls, V7)
  • Prevent or control the installation, spread, and execution of malicious applications, code, or scripts on enterprise assets. (CIS Control 10: Malware Defenses, CIS Controls, V8)
  • Centrally manage anti-malware software. (CIS Control 10: Safeguard 10.6 Centrally Manage Anti-Malware Software, CIS Controls, V8)
  • ¶ 8.2.3 Protection against Malicious Code. An organization should implement safeguards to prevent malicious code, which may be introduced into systems through external connections and through files and software introduced from portable disks. Malicious code may not be detected before damage is done… (¶ 8.2.3, ¶ 9.2 Table Row "Scanners", ¶ 9.2 Table Row "Integrity Checkers", ¶ 9.2 Table Row "Removable Media Circulation Control", ¶ 10.3.3, ¶ 10.3.4, ISO 13335-4 Information technology - Guidelines for the management of IT Security - Part 4: Selection of safeguards, 2000)
  • Protection Against Malicious Code. Users need to be aware that malicious code may be introduced into their environment through network connections. Malicious code may not be detected before damage is done unless suitable safeguards are implemented. Malicious code may result in compromise of security… (¶ 13.6, ISO 13335-5 Information technology - Guidelines for the management of IT Security - Part 5: Management guidance on network security, 2001)
  • Malicious code detection and repair software should be installed on the system to prevent outbreaks. To help prevent malicious code attacks, the following guidelines are suggested: Prohibit the use of unauthorized software; protect against receiving files from external networks; scan e-mail and web … (§ 10.4.1, ISO 27002 Code of practice for information security management, 2005)
  • Protection against malware should be implemented and supported by appropriate user awareness. (§ 8.7 Control, ISO/IEC 27002:2022, Information security, cybersecurity and privacy protection — Information security controls, Third Edition)
  • The organization's communications and control networks are protected through applying defense-in-depth principles (e.g., network segmentation, firewalls, physical access controls to network equipment, etc.). (PR.PT-4.1, Financial Services Sector Cybersecurity Profile, Version 1.0.0)
  • Mobile code technologies include, but are not limited to, Java, JavaScript, ActiveX, portable document format (PDF), Postscript, Shockwave movies, Flash animations and VBScript. Usage restrictions apply to both the selection and use of mobile code installed on servers and mobile code downloaded and … (12.2.2 ¶ 1, Security for Industrial Automation and Control Systems, Part 4-2: Technical Security Requirements for IACS components)
  • Mobile code technologies include, but are not limited to, Java, JavaScript, ActiveX, PDF, Postscript, Shockwave movies, Flash animations and VBScript. Usage restrictions apply to both the selection and use of mobile code installed on servers and mobile code downloaded and executed on individual work… (15.4.2 ¶ 1, Security for Industrial Automation and Control Systems, Part 4-2: Technical Security Requirements for IACS components)
  • [Selection (one or more): block malicious code; quarantine malicious code; send alert to administrator; [Assignment: organization-defined action]] in response to malicious code detection; and (SI-3c.2., StateRAMP Security Controls Baseline Summary Category 1, Version 1.1)
  • [Selection (one or more): block malicious code; quarantine malicious code; send alert to administrator; [Assignment: organization-defined action]] in response to malicious code detection; and (SI-3c.2., StateRAMP Security Controls Baseline Summary Category 2, Version 1.1)
  • [Selection (one or more): block malicious code; quarantine malicious code; send alert to administrator; [Assignment: organization-defined action]] in response to malicious code detection; and (SI-3c.2., StateRAMP Security Controls Baseline Summary Category 3, Version 1.1)
  • The organization centrally manages malicious code protection mechanisms. (SI-3(1) ¶ 1, StateRAMP Security Controls Baseline Summary Category 3, Version 1.1)
  • [Selection (one or more): block malicious code; quarantine malicious code; send alert to administrator; [Assignment: organization-defined action]] in response to malicious code detection; and (SI-3c.2., StateRAMP Security Controls Baseline Summary High Sensitivity Level, Version 1.1)
  • The organization centrally manages malicious code protection mechanisms. (SI-3(1) ¶ 1, StateRAMP Security Controls Baseline Summary High Sensitivity Level, Version 1.1)
  • The access procedures should include procedures for preventing malicious code, viruses, and unauthorized software from being introduced into the system. (ID 8.2.2.j, AICPA/CICA Privacy Framework)
  • Procedures exist to protect the system against infection by malicious code, viruses, and unauthorized software. (Security Prin. and Criteria Table § 3.5, Appendix B: Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy, TSP Section 100 Principles and Criteria)
  • Procedures exist to protect the system against infection by malicious code, viruses, and unauthorized software. (Availability Prin. and Criteria Table § 3.8, Appendix B: Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy, TSP Section 100 Principles and Criteria)
  • Procedures exist to protect the system against infection by malicious code, viruses, and unauthorized software. (Processing Integrity Prin. and Criteria Table § 3.9, Appendix B: Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy, TSP Section 100 Principles and Criteria)
  • Procedures exist to protect the system against infection by malicious code, viruses, and unauthorized software. (Confidentiality Prin. and Criteria Table § 3.11, Appendix B: Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy, TSP Section 100 Principles and Criteria)
  • The organization should implement controls to prevent viruses, malicious code, and unauthorized software on the systems. (Generally Accepted Privacy Principles and Criteria § 8.2.2 j, Appendix B: Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy, TSP Section 100 Principles and Criteria)
  • The organization should implement controls to prevent viruses, malicious code, and unauthorized software on the systems. (Table Ref 8.2.2.j, Generally Accepted Privacy Principles (GAPP), CPA and CA Practitioner Version, August 2009)
  • The entity implements controls to prevent or detect and act upon the introduction of unauthorized or malicious software to meet the entity's objectives. (CC6.8, Trust Services Criteria)
  • The entity implements controls to prevent or detect and act upon the introduction of unauthorized or malicious software to meet the entity's objectives. (CC6.8 ¶ 1, Trust Services Criteria, (includes March 2020 updates))
  • The organization must implement and monitor the status of malicious code controls. (§ 15.g, Corporate Information Security Working Group: Report of the best practices and metrics teams; subcommittee on technology, information policy, intergovernmental relations and the census; Government Reform Committee, United States House of Representatives)
  • Introduction of Malicious Code Mitigation: Use one or a combination of the following methods to achieve the objective of mitigating the introduction of malicious code (per Transient Cyber Asset capability): - Antivirus software, including manual or managed updates of signatures or patterns; - Applic… (Section 1. 1.4., North American Electric Reliability Corporation Critical Infrastructure Protection Standards Cyber Security - Configuration Change Management and Vulnerability CIP-010-2, Version 2)
  • For any method used to mitigate software vulnerabilities or malicious code as specified in 2.1 and 2.2, Responsible Entities shall determine whether any additional mitigation actions are necessary and implement such actions prior to connecting the Transient Cyber Asset. (Section 2. 2.3, North American Electric Reliability Corporation Critical Infrastructure Protection Standards Cyber Security - Configuration Change Management and Vulnerability CIP-010-2, Version 2)
  • Introduction of malicious code mitigation: Use one or a combination of the following methods to achieve the objective of mitigating malicious code (per Transient Cyber Asset capability): - Review of antivirus update level; - Review of antivirus update process used by the party; - Review of applicati… (Section 2. 2.2, North American Electric Reliability Corporation Critical Infrastructure Protection Standards Cyber Security - Configuration Change Management and Vulnerability CIP-010-2, Version 2)
  • Introduction of Malicious Code Mitigation: Use one or a combination of the following methods to achieve the objective of mitigating the introduction of malicious code (per Transient Cyber Asset capability): (Attachment 1 Section 1. 1.4., North American Electric Reliability Corporation Critical Infrastructure Protection Standards Cyber Security - Configuration Change Management and Vulnerability CIP-010-3, Version 3)
  • For any method used to mitigate software vulnerabilities or malicious code as specified in 2.1 and 2.2, Responsible Entities shall determine whether any additional mitigation actions are necessary and implement such actions prior to connecting the Transient Cyber Asset. (Attachment 1 Section 2. 2.3, North American Electric Reliability Corporation Critical Infrastructure Protection Standards Cyber Security - Configuration Change Management and Vulnerability CIP-010-3, Version 3)
  • Other method(s) to mitigate malicious code. (Attachment 1 Section 2. 2.2 Bullet 6, North American Electric Reliability Corporation Critical Infrastructure Protection Standards Cyber Security - Configuration Change Management and Vulnerability CIP-010-3, Version 3)
  • Transient Cyber Asset and Removable Media Malicious Code Risk Mitigation: Each Responsible Entity shall implement, except under CIP Exceptional Circumstances, one or more plan(s) to achieve the objective of mitigating the risk of the introduction of malicious code to low impact BES Cyber Systems thr… (Attachment 1 Section 5., North American Electric Reliability Corporation Critical Infrastructure Protection Standards Cyber Security - Security Management Controls CIP-003-8, Version 8)
  • Other method(s) to mitigate the introduction of malicious code. (Attachment 1 Section 5. 5.1 Bullet 3, North American Electric Reliability Corporation Critical Infrastructure Protection Standards Cyber Security - Security Management Controls CIP-003-8, Version 8)
  • Other method(s) to mitigate the introduction of malicious code. (Attachment 1 Section 5. 5.2 5.2.1 Bullet 6, North American Electric Reliability Corporation Critical Infrastructure Protection Standards Cyber Security - Security Management Controls CIP-003-8, Version 8)
  • Mitigate the threat of detected malicious code. (CIP-007-6 Table R3 Part 3.2 Requirements ¶ 1., North American Electric Reliability Corporation Critical Infrastructure Protection Standards Cyber Security - System Security Management CIP-007-6, Version 6)
  • Is there an anti-virus/malware policy or program (workstations, servers, mobile devices) that has been approved by management? (§ G.7, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • CSR 1.9.4(6): The organization must check for malicious software and document the check. CSR 1.13.9(2): Before mobile or portable information systems are connected to the Medicare claims processing networks, the organization must scan for malicious code. CSR 5.12.2: The organization must implement m… (CSR 1.9.4(6), CSR 1.13.9(2), CSR 5.12.2, CSR 10.2.2, Pub 100-17 Medicare Business Partners Systems Security, Transmittal 7, Appendix A: CMS Core Security Requirements CSR, March 17, 2006)
  • The organization will maintain a virus quarantine application to view file content, origin, and type of virus without infecting the rest of the system. (Pg 46, C-TPAT Supply Chain Security Best Practices Catalog)
  • Remote users must scan their remote access devices for malicious code, vulnerabilities, and other security violations immediately after they connect to the DoD network. (§ 5, DISA Secure Remote Computing Security Technical Implementation Guide, Version 1 Release 2)
  • Provide protection from malicious code at appropriate locations within organizational information systems. (SI.1.211, Cybersecurity Maturity Model Certification, Version 1.0, Level 1)
  • Provide protection from malicious code at appropriate locations within organizational information systems. (SI.1.211, Cybersecurity Maturity Model Certification, Version 1.0, Level 2)
  • Provide protection from malicious code at appropriate locations within organizational information systems. (SI.1.211, Cybersecurity Maturity Model Certification, Version 1.0, Level 3)
  • Provide protection from malicious code at appropriate locations within organizational information systems. (SI.1.211, Cybersecurity Maturity Model Certification, Version 1.0, Level 4)
  • Employ mechanisms to analyze executable code and scripts (e.g., sandbox) traversing Internet network boundaries or other organizationally defined boundaries. (SC.4.202, Cybersecurity Maturity Model Certification, Version 1.0, Level 4)
  • Provide protection from malicious code at appropriate locations within organizational information systems. (SI.1.211, Cybersecurity Maturity Model Certification, Version 1.0, Level 5)
  • Employ mechanisms to analyze executable code and scripts (e.g., sandbox) traversing Internet network boundaries or other organizationally defined boundaries. (SC.4.202, Cybersecurity Maturity Model Certification, Version 1.0, Level 5)
  • Provide protection from malicious code at appropriate locations within organizational information systems. (SI.L1-3.14.2 Malicious Code Protection, Cybersecurity Maturity Model Certification, Version 2.0, Level 1)
  • Provide protection from malicious code at appropriate locations within organizational information systems. (SI.L1-3.14.2 Malicious Code Protection, Cybersecurity Maturity Model Certification, Version 2.0, Level 2)
  • The organization must implement policies and procedures to detect incidents caused by malicious code. (§ 8-305, NISPOM - National Industrial Security Program Operating Manual (DoD 5220.22-M) February 26, 2006, February 28, 2006)
  • Procedures shall be implemented to guard against, detect, and report malicious software. The covered entity shall assess these procedures to determine if it is a reasonable and appropriate safeguard in the environment and, if it is reasonable and appropriate, then implement it, or document why it is… (§ 164.308(a)(5)(ii)(B), 45 CFR Part 164 - Security and Privacy, current as of January 17, 2013)
  • Protection from malicious software (Addressable). Procedures for guarding against, detecting, and reporting malicious software. (§ 164.308(a)(5)(ii)(B), 45 CFR Part 164 - Security and Privacy, current as of July 6, 2020)
  • The agency shall implement a malicious code protection process that includes automatically updating all systems that have Internet access. (§ 5.10.4.2 ¶ 1, Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.2, Version 5.2)
  • Protection from viruses, worms, Trojan horses, and other malicious code—scanning, updating definitions. (§ 5.2.1.4 ¶ 1(1), Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.8, Version 5.8)
  • The agency shall employ virus protection mechanisms to detect and eradicate malicious code (e.g., viruses, worms, Trojan horses) at critical points throughout the network and on all workstations, servers and mobile computing devices on the network. The agency shall ensure malicious code protection i… (§ 5.10.4.2 ¶ 2, Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.8, Version 5.8)
  • Determine whether the financial institution and service provider use a layered anti-malware strategy, including integrity checks, anomaly detection, system behavior monitoring and employee security awareness training, in addition to traditional signature-based anti-malware systems. (TIER I OBJECTIVES AND PROCEDURES Cyber Resilience Objective 10:5, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, February 2015)
  • Protect offline data backups from destructive malware that may corrupt production and online backup versions of data. (App A Objective 6:3f, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, November 2019)
  • Uses security software that is current, deployed effectively, and designed to keep up with the evolution of malicious code. (App A Objective 13:6e Bullet 1, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Determine whether management has implemented defense-in-depth to protect, detect, and respond to malware. (App A Objective 6.17, FFIEC Information Technology Examination Handbook - Information Security, September 2016)
  • The organization should reduce the risks of malicious code by installing antivirus software, keeping definition files up-to-date, educating users, and preventing malicious code from automatically executing. (Pg 29, FFIEC IT Examination Handbook - E-Banking, August 2003)
  • [FedRAMP Assignment: to include blocking and quarantining malicious code and alerting administrator or defined security personnel near-realtime] in response to malicious code detection; and (SI-3c.2. High Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • The organization centrally manages malicious code protection mechanisms. (SI-3(1) High Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • The organization centrally manages malicious code protection mechanisms. (SI-3(1) Moderate Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • The system must be protected against malicious code attacks by implementing mechanisms (that can be automatically updated) to check for malicious code. (§ 5.6.16, Exhibit 4 SI-3, IRS Publication 1075: TAX INFORMATION SECURITY GUIDELINES FOR FEDERAL, STATE AND LOCAL AGENCIES AND ENTITIES; Safeguards for Protecting Federal Tax Returns and Return Information)
  • Does the Credit Union Information Technology policy include virus protection and updating the virus protection software? (IT - Policy Checklist Q 14, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • The organization should have software deployed throughout its systems to detect and stop malicious code. The software should be deployed at the application client level, the application server level, and the host level. The following is specific advice for preventing malicious code attacks: use anti… (§ 3.1.2 ¶ 3, § 5.2.2, Computer Security Incident Handling Guide, NIST SP 800-61, Revision 1)
  • [Selection (one or more): block malicious code; quarantine malicious code; take [Assignment: organization-defined action]]; and send alert to [Assignment: organization-defined personnel or roles] in response to malicious code detection; and (SI-3c.2., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • [Selection (one or more): block malicious code; quarantine malicious code; take [Assignment: organization-defined action]]; and send alert to [Assignment: organization-defined personnel or roles] in response to malicious code detection; and (SI-3c.2., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Low Impact Baseline, October 2020)
  • [Selection (one or more): block malicious code; quarantine malicious code; take [Assignment: organization-defined action]]; and send alert to [Assignment: organization-defined personnel or roles] in response to malicious code detection; and (SI-3c.2., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Moderate Impact Baseline, October 2020)
  • [Selection (one or more): block malicious code; quarantine malicious code; take [Assignment: organization-defined action]]; and send alert to [Assignment: organization-defined personnel or roles] in response to malicious code detection; and (SI-3c.2., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 3 Controls)
  • Calls for System and Communications Protection (SC): Organizations must: (i) monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems… (§ 3, FIPS Pub 200, Minimum Security Requirements for Federal Information and Information Systems, March 2006)
  • ensuring that no malicious code is introduced to compromise or otherwise impair the station and the PIV Card; and (2.7.1 ¶ 3 Bullet 3, FIPS Pub 201-3, Personal Identity Verification (PIV) of Federal Employees and Contractors)
  • Incident handling procedures should be provided for instances of security incidents such as malicious code attacks. (§ 3.7, Generally Accepted Principles and Practices for Securing Information Technology Systems, NIST SP 800-14, September 1996)
  • Organizational records and documents should be examined to ensure malicious code software is installed on workstations, servers, mobile devices, and entry and exit points to the system; the software works on e-mail, attachments, removable media, and Internet access; the software is automatically upd… (SI-3, SI-3(1), SI-3(2), Guide for Assessing the Security Controls in Federal Information Systems, NIST SP 800-53A)
  • [Selection (one or more): block malicious code; quarantine malicious code; send alert to administrator; [Assignment: organization-defined action]] in response to malicious code detection; and (SI-3c.2. High Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • [Selection (one or more): block malicious code; quarantine malicious code; send alert to administrator; [Assignment: organization-defined action]] in response to malicious code detection; and (SI-3c.2. Moderate Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • [Selection (one or more): block malicious code; quarantine malicious code; send alert to administrator; [Assignment: organization-defined action]] in response to malicious code detection; and (SI-3c.2. Low Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • The organization centrally manages malicious code protection mechanisms. (SI-3(1) ¶ 1 High Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • The organization centrally manages malicious code protection mechanisms. (SI-3(1) ¶ 1 Moderate Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Cell phone users should treat messages from unknown individuals with suspicion. The messages should be destroyed without opening them and connections should be denied. Users should not accept the installation of unknown programs they did not initiate. (§ 4.1.5, Guidelines on Cell Phone and PDA Security, NIST SP 800-124, October 2008)
  • The smart grid Information System should have mechanisms in place to detect unauthorized mobile code and take the appropriate corrective action. (SG.SC-16 Additional Considerations A1, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The organization must implement malicious code protection techniques. (SG.SI-3 Requirement 1.a, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The smart grid Information System must prevent the circumvention of the malicious code protection by users. (SG.SI-3 Requirement 2, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The organization should manage the use of malicious code protection mechanisms centrally. (SG.SI-3 Additional Considerations A1, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • Mechanisms for centrally managing the malicious code protection must not degrade the system's operational performance. (SG.SI-3 Additional Considerations A4, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • Provide protection from malicious code at appropriate locations within organizational information systems. (3.14.2, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, NIST Special Publication 800-171)
  • Provide protection from malicious code at designated locations within organizational systems. (3.14.2, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, NIST Special Publication 800-171, Revision 1)
  • Provide protection from malicious code at designated locations within organizational systems. (3.14.2, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, NIST Special Publication 800-171, Revision 2)
  • The organization must address false positives during malicious code detection and eradication, and the potential impact on system availability. (App F § SI-3.d, Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization should centrally manage virus protection mechanisms. (App F § SI-3(1), Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The Information System should implement detection mechanisms and inspection mechanisms to identify unauthorized mobile code and to take any necessary corrective actions. (App F § SC-18(1), Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization should ensure mobile code that is acquired, developed, and/or used meets the mobile code requirements. (App F § SC-18(2), Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The Information System should prevent mobile code from being automatically executed in defined applications and require defined actions before executing the mobile code. (App F § SC-18(4), Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The use of malicious code protection on the Industrial Control System is determined after careful consideration and verification that it does not adversely impact the operational performance. (App I § SI-3, Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization should use compensating controls in accordance with the general tailoring guidance when the Industrial Control System cannot centrally manage the malicious code protection mechanisms. (App I § SI-3 Control Enhancement: (1), Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The information system identifies {organizationally documented unacceptable mobile code} and takes {organizationally documented corrective actions}. (SC-18(1), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization configures malicious code protection mechanisms to {block malicious code} in response to malicious code detection. (SI-3c.2., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization configures malicious code protection mechanisms to {quarantine malicious code} in response to malicious code detection. (SI-3c.2., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization configures malicious code protection mechanisms to {send alert to administrator} in response to malicious code detection. (SI-3c.2., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization configures malicious code protection mechanisms to {organizationally documented action} in response to malicious code detection. (SI-3c.2., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization addresses the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of the information system. (SI-3d., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization centrally manages malicious code protection mechanisms. (SI-3(1), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization configures malicious code protection mechanisms to {block malicious code} in response to malicious code detection. (SI-3c.2., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization configures malicious code protection mechanisms to {quarantine malicious code} in response to malicious code detection. (SI-3c.2., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization configures malicious code protection mechanisms to {send alert to administrator} in response to malicious code detection. (SI-3c.2., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization configures malicious code protection mechanisms to {organizationally documented action} in response to malicious code detection. (SI-3c.2., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization addresses the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of the information system. (SI-3d., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization centrally manages malicious code protection mechanisms. (SI-3(1), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization configures malicious code protection mechanisms to {block malicious code} in response to malicious code detection. (SI-3c.2., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization configures malicious code protection mechanisms to {quarantine malicious code} in response to malicious code detection. (SI-3c.2., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization configures malicious code protection mechanisms to {send alert to administrator} in response to malicious code detection. (SI-3c.2., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization configures malicious code protection mechanisms to {organizationally documented action} in response to malicious code detection. (SI-3c.2., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization addresses the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of the information system. (SI-3d., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization configures malicious code protection mechanisms to {block malicious code} in response to malicious code detection. (SI-3c.2., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization configures malicious code protection mechanisms to {quarantine malicious code} in response to malicious code detection. (SI-3c.2., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization configures malicious code protection mechanisms to {send alert to administrator} in response to malicious code detection. (SI-3c.2., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization configures malicious code protection mechanisms to {organizationally documented action} in response to malicious code detection. (SI-3c.2., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization addresses the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of the information system. (SI-3d., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization centrally manages malicious code protection mechanisms. (SI-3(1), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Deprecated, Revision 4, Deprecated)
  • [Selection (one or more): block malicious code; quarantine malicious code; send alert to administrator; [Assignment: organization-defined action]] in response to malicious code detection; and (SI-3c.2., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Revision 4)
  • The organization centrally manages malicious code protection mechanisms. (SI-3(1) ¶ 1, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Revision 4)
  • [Selection (one or more): block malicious code; quarantine malicious code; send alert to administrator; [Assignment: organization-defined action]] in response to malicious code detection; and (SI-3c.2., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Revision 4)
  • [Selection (one or more): block malicious code; quarantine malicious code; send alert to administrator; [Assignment: organization-defined action]] in response to malicious code detection; and (SI-3c.2., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Revision 4)
  • The organization centrally manages malicious code protection mechanisms. (SI-3(1) ¶ 1, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Revision 4)
  • The organization centrally manages malicious code protection mechanisms. (SI-3(1) ¶ 1, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • [Selection (one or more): block malicious code; quarantine malicious code; send alert to administrator; [Assignment: organization-defined action]] in response to malicious code detection; and (SI-3c.2., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • [Selection (one or more): block malicious code; quarantine malicious code; take [Assignment: organization-defined action]]; and send alert to [Assignment: organization-defined personnel or roles] in response to malicious code detection; and (SI-3c.2., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • [Selection (one or more): block malicious code; quarantine malicious code; send alert to administrator; [TX-RAMP Assignment: to include alerting administrator or defined security personnel]] in response to malicious code detection; and (SI-3c.2., TX-RAMP Security Controls Baseline Level 1)
  • The organization centrally manages malicious code protection mechanisms. (SI-3(1) ¶ 1, TX-RAMP Security Controls Baseline Level 2)
  • [Selection (one or more): block malicious code; quarantine malicious code; send alert to administrator; [TX-RAMP Assignment: to include alerting administrator or defined security personnel]] in response to malicious code detection; and (SI-3c.2., TX-RAMP Security Controls Baseline Level 2)