
Establish, implement, and maintain a malicious code outbreak recovery plan.


CONTROL ID
01310
CONTROL TYPE
Establish/Maintain Documentation
CLASSIFICATION
Corrective

SUPPORTING AND SUPPORTED CONTROLS




This Control directly supports the implied Control(s):
  • Establish, implement, and maintain a malicious code protection program., CC ID: 00574

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH




  • Software and information processing facilities are vulnerable to attacks by computer viruses and other malicious software. Procedures and responsibilities should be established to detect and prevent attacks. AIs should put in place adequate controls such as: - prohibiting the download and use of un… (3.5.3, Hong Kong Monetary Authority: TM-G-1: General Principles for Technology Risk Management, V.1 – 24.06.03)
  • O30.3: The organization shall take measures after an infection to prevent the spread of damage, recover systems, and prevent the infection from recurring. T51.2: When a virus is detected, the organization should take the following actions: disconnect the infected computers, report the infection to r… (O30.3, T51.2, FISC Security Guidelines on Computer Systems for Banking and Related Financial Institutions, 7th Edition)
  • In order to cope with PCs infected by malicious programs such as computer viruses, it is necessary to take measures in advance to ensure a smooth recovery. (P32.2. ¶ 1, FISC Security Guidelines on Computer Systems for Financial Institutions, Ninth Edition, Revised March 2020)
  • It is necessary to stop all the operations in the related systems or networks, and recover them not through users' personal decision or methods, but through procedures stipulated in advance. (P22.1. ¶ 2, FISC Security Guidelines on Computer Systems for Financial Institutions, Ninth Edition, Revised March 2020)
  • In other cases damaged from malicious programs, it is necessary to take measures according to the above procedures. (P22.2., FISC Security Guidelines on Computer Systems for Financial Institutions, Ninth Edition, Revised March 2020)
  • If infected by a malicious program such as a computer virus, it is necessary to take after-infection measures to prevent the damage from spreading, and to recover systems and take preventive steps. For recovery measures, refer to [P22]. (P32.3., FISC Security Guidelines on Computer Systems for Financial Institutions, Ninth Edition, Revised March 2020)
  • The organization should determine whether it needs to request assistance from the Defence Signals Directorate and, if it does, delay further action until the Defence Signals Directorate advises it to continue, whenever malicious code is detected. (Control: 0917 Bullet 2, Australian Government Information Security Manual: Controls)
  • The organization should isolate the infected system, when malicious code is detected. (Control: 0917 Bullet 1, Australian Government Information Security Manual: Controls)
  • The organization should scan all previously connected systems, along with media that was used in a predetermined time period leading up to the cyber security incident for malicious code, whenever malicious code is detected. (Control: 0917 Bullet 3, Australian Government Information Security Manual: Controls)
  • The organization should isolate infected systems and infected media to prevent them from being reinfected, whenever malicious code is detected. (Control: 0917 Bullet 4, Australian Government Information Security Manual: Controls)
  • The organization should change all the passwords and key material that is stored on or potentially accessed from the compromised systems, whenever malicious code is detected. (Control: 0917 Bullet 5, Australian Government Information Security Manual: Controls)
  • The organization should advise users about the compromise, including changing the passphrases on compromised systems and other systems that use the same passphrase, whenever malicious code is detected. (Control: 0917 Bullet 6, Australian Government Information Security Manual: Controls)
  • The organization should use antivirus software or Internet security software to remove the infection, whenever malicious code is detected. (Control: 0917 Bullet 7, Australian Government Information Security Manual: Controls)
  • The organization should report the cyber security incident and perform the other procedures stated in the incident response plan, whenever malicious code is detected. (Control: 0917 Bullet 8, Australian Government Information Security Manual: Controls)
  • The organization should rebuild the affected machine or restore compromised systems from a known good backup, whenever malicious code is detected. (Control: 0917 Bullet 9, Australian Government Information Security Manual: Controls)
  • When malicious code is detected, the affected computers should be isolated; all connected computers and any media used within a certain time period of the infection should be scanned for the malicious code; all passwords and keys that may have been compromised should be changed; the integrity of the… (§ 2.8.29, § 3.5.75, § 3.5.76, Australian Government ICT Security Manual (ACSI 33))
  • The control system shall provide the capability to employ protection mechanisms to prevent, detect, report and mitigate the effects of malicious code or unauthorized software. The control system shall provide the capability to update the protection mechanisms. (7.4.1 ¶ 1, IEC 62443-3-3: Industrial communication networks – Network and system security – Part 3-3: System security requirements and security levels, Edition 1)
  • Malware protection should include implementing emergency procedures for dealing with malware-related information security incidents. (CF.10.02.05a, The Standard of Good Practice for Information Security)
  • Malware protection should include implementing emergency procedures for dealing with malware-related information security incidents. (CF.10.02.05a, The Standard of Good Practice for Information Security, 2013)
  • A recovery plan should be developed to alleviate any virus outbreaks and clean the system. (§ 10.4.1, ISO 27002 Code of practice for information security management, 2005)
  • Procedures are in place to scan information assets that have been transferred or returned to the entity's custody for malware and other unauthorized software and to remove any items detected prior to its implementation on the network. (CC6.8 Scans Information Assets from Outside the Entity for Malware and Other Unauthorized Software, Trust Services Criteria)
  • Procedures are in place to scan information assets that have been transferred or returned to the entity's custody for malware and other unauthorized software and to remove any items detected prior to its implementation on the network. (CC6.8 ¶ 2 Bullet 5 Scans Information Assets from Outside the Entity for Malware and Other Unauthorized Software, Trust Services Criteria, (includes March 2020 updates))
  • Disruption campaigns must become so sustained and targeted that criminal cyber activity is rendered unprofitable and foreign government actors engaging in malicious cyber activity no longer see it as an effective means of achieving their goals. DOJ and other Federal law enforcement agencies have pio… (STRATEGIC OBJECTIVE 2.1 ¶ 1, National Cybersecurity Strategy)
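The ISM 0917 bullets, the FISC O30.3/T51.2 actions and ACSI 33 § 2.8.29 above all describe the same outbreak procedure: isolate the infected hosts and media, scan everything that connected to them in a look-back window, change the passwords and keys those hosts held or could reach, and rebuild or restore from a known good backup before anything rejoins the network. The scoping steps are where responders most often under-count, so the following Python is an added worked example of that scoping logic. It is not taken from any of the cited standards or from the Unified Compliance Framework; the hostnames, media IDs, credential names, the 24-hour look-back window and the four release steps are all constructed assumptions.

```python
"""Outbreak scoping helper (added example, constructed data; not from any cited standard).
Produces the work lists an ISM-style malicious-code procedure needs: hosts and media to
isolate and scan, passwords/keys to change, and a gate that blocks a host from rejoining
the network until every recovery step is recorded."""
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class Flow:
    ts: datetime
    src: str
    dst: str

@dataclass(frozen=True)
class MediaUse:
    ts: datetime
    host: str
    media_id: str

@dataclass(frozen=True)
class Credential:
    name: str
    stored_on: frozenset[str]    # hosts holding the secret (config file, keystore, cache)
    usable_from: frozenset[str]  # hosts from which it can be used without being stored there

def scan_set(infected, flows, media_uses, detected_at, lookback):
    """Hosts and media that touched an infected host inside the look-back window.
    Direct contacts only; for a transitive sweep, add the results to `infected` and re-run."""
    start = detected_at - lookback
    hosts, media = set(), set()
    for f in flows:
        if not (start <= f.ts <= detected_at):
            continue
        if f.src in infected and f.dst not in infected:
            hosts.add(f.dst)
        elif f.dst in infected and f.src not in infected:
            hosts.add(f.src)
    for m in media_uses:
        if start <= m.ts <= detected_at and m.host in infected:
            media.add(m.media_id)
    return hosts, media

def isolation_breaches(infected, flows, detected_at):
    """Any flow touching an infected host after detection means isolation did not hold."""
    return sorted((f.src, f.dst) for f in flows
                  if f.ts > detected_at and (f.src in infected or f.dst in infected))

def credentials_to_rotate(infected, creds):
    """Secrets stored on, or usable from, any infected host."""
    return sorted(c.name for c in creds if (c.stored_on | c.usable_from) & infected)

RELEASE_STEPS = ("isolated", "scanned_clean", "credentials_rotated", "rebuilt_or_restored")

def release_gate(steps_done):
    """A host may rejoin the network only when every recovery step has been recorded."""
    missing = [s for s in RELEASE_STEPS if s not in steps_done]
    return len(missing) == 0, missing

# Constructed sample data (hostnames, media IDs and credential names are made up).
T = datetime(2024, 3, 1, 10, 0)  # time malicious code was detected
INFECTED = frozenset({"ws-17", "ws-22"})
FLOWS = [
    Flow(datetime(2024, 2, 29, 14, 0), "ws-17", "fs-01"),   # in window -> scan fs-01
    Flow(datetime(2024, 2, 29, 22, 30), "ws-05", "ws-17"),  # in window -> scan ws-05
    Flow(datetime(2024, 2, 28, 8, 0), "ws-17", "ws-40"),    # 26 h before detection: outside window
    Flow(datetime(2024, 3, 1, 9, 50), "ws-22", "ws-17"),    # infected to infected: nothing new
    Flow(datetime(2024, 2, 29, 12, 0), "ws-09", "ws-10"),   # unrelated hosts
    Flow(datetime(2024, 3, 1, 11, 0), "ws-17", "fs-02"),    # after detection: isolation breach
]
MEDIA = [
    MediaUse(datetime(2024, 2, 29, 16, 0), "ws-17", "USB-0042"),  # scan
    MediaUse(datetime(2024, 2, 27, 9, 0), "ws-22", "USB-0007"),   # outside window
    MediaUse(datetime(2024, 2, 29, 18, 0), "ws-05", "USB-0099"),  # host not infected
]
CREDS = [
    Credential("svc-backup", frozenset({"fs-01"}), frozenset({"ws-17"})),
    Credential("local-admin-ws22", frozenset({"ws-22"}), frozenset()),
    Credential("db-ro", frozenset({"db-01"}), frozenset({"ws-05"})),
    Credential("wifi-psk", frozenset({"ws-17", "ws-05", "ws-09"}), frozenset()),
]

def run_example():
    hosts, media = scan_set(INFECTED, FLOWS, MEDIA, T, timedelta(hours=24))
    return {
        "isolate": sorted(INFECTED),
        "scan_hosts": sorted(hosts),
        "scan_media": sorted(media),
        "rotate": credentials_to_rotate(INFECTED, CREDS),
        "breaches": isolation_breaches(INFECTED, FLOWS, T),
        "ws-17_release": release_gate({"isolated", "scanned_clean"}),
    }

if __name__ == "__main__":
    for key, value in run_example().items():
        print(f"{key}: {value}")
```

Two design points follow the standards rather than convenience. The credential list is built from where a secret is stored or usable, not from who owns it, because the ISM bullet covers key material "potentially accessed from" a compromised host; `db-ro` is left alone because `ws-05` is only a contact to be scanned, not a confirmed infection. The release gate refuses to clear a host until a rebuild or restore from a known good backup is recorded, which is the FISC point that recovery must follow the pre-agreed procedure rather than a user's own judgement. The post-detection flow from `ws-17` is surfaced separately: seeing it means the isolation step failed and the scan set must be recomputed.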