Log and react to all malicious code activity.


CONTROL ID
07072
CONTROL TYPE
Monitor and Evaluate Occurrences
CLASSIFICATION
Detective

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Establish, implement, and maintain a malicious code protection program., CC ID: 00574

This Control has the following implementation support Control(s):
  • Analyze the behavior and characteristics of the malicious code., CC ID: 10672
  • Incorporate the malicious code analysis into the patch management program., CC ID: 10673


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • It is necessary to take measures in preparation for cases where a computer virus infection or malicious program is detected on a computer. (P22.1. ¶ 1, FISC Security Guidelines on Computer Systems for Financial Institutions, Ninth Edition, Revised March 2020)
  • It is necessary to stop all the operations in the related systems or networks, and recover them not through users' personal decision or methods, but through procedures stipulated in advance. (P22.1. ¶ 2, FISC Security Guidelines on Computer Systems for Financial Institutions, Ninth Edition, Revised March 2020)
  • Enterprise security administrative features may be used daily to check the number of systems that do not have the latest anti-malware signatures. All malware detection events should be sent to enterprise anti-malware administration tools and event log servers. (Critical components of information security 18) iii., Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • The FI should actively monitor for phishing campaigns targeting the FI and its customers. Immediate action should be taken to report phishing attempts to service providers to facilitate the removal of malicious content. The FI should alert its customers of such campaigns and advise them of security … (§ 14.1.6, Technology Risk Management Guidelines, January 2021)
  • Any data identified by a content filtering process as suspicious is blocked until reviewed and approved for transfer by a trusted source other than the originator. (Security Control: 0652; Revision: 2, Australian Government Information Security Manual, March 2021)
  • All anti-virus mechanisms must generate audit logs. (PCI DSS Requirements § 5.2 Bullet 3, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 3.0)
  • Are anti-virus programs capable of detecting, removing, and protecting against all known types of malicious software (for example, viruses, Trojans, worms, spyware, adware, and rootkits)? (5.1.1, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire A-EP and Attestation of Compliance, Version 3.1)
  • Are all anti-virus mechanisms generating audit logs, and are logs retained in accordance with PCI DSS Requirement 10.7? (5.2 (c), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire A-EP and Attestation of Compliance, Version 3.1)
  • Are all anti-virus mechanisms generating audit logs, and are logs retained in accordance with PCI DSS Requirement 10.7? (5.2 (c), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire C and Attestation of Compliance, Version 3.1)
  • Are all anti-virus mechanisms generating audit logs, and are logs retained in accordance with PCI DSS Requirement 10.7? (5.2 (c), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire C-VT and Attestation of Compliance, Version 3.1)
  • Are all anti-virus mechanisms generating audit logs, and are logs retained in accordance with PCI DSS Requirement 10.7? (5.2 (c), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.1)
  • Are all anti-virus mechanisms generating audit logs, and are logs retained in accordance with PCI DSS Requirement 10.7? (5.2 (c), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.1)
  • Audit logs for the anti-malware solution(s) are enabled and retained in accordance with Requirement 10.5.1. (5.3.4, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Requirements, Version 4.0)
  • Additional testing procedure for service provider assessments only: Examine documentation and configuration settings to verify that methods to detect and alert on/prevent covert malware communication channels are in place and operating. (11.5.1.1.a, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Testing Procedures, Version 4.0)
  • Examine anti-malware solution(s) configurations to verify logs are enabled and retained in accordance with Requirement 10.5.1. (5.3.4, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Testing Procedures, Version 4.0)
  • Are all anti-virus mechanisms generating audit logs, and are logs retained in accordance with PCI DSS Requirement 10.7? (PCI DSS Question 5.2(c), PCI DSS Self-Assessment Questionnaire A-EP and Attestation of Compliance, Version 3.0)
  • Are all anti-virus mechanisms generating audit logs, and are logs retained in accordance with PCI DSS Requirement 10.7? (PCI DSS Question 5.2(c), PCI DSS Self-Assessment Questionnaire C and Attestation of Compliance, Version 3.0)
  • Are all anti-virus mechanisms generating audit logs, and are logs retained in accordance with PCI DSS Requirement 10.7? (PCI DSS Question 5.2(c), PCI DSS Self-Assessment Questionnaire C-VT and Attestation of Compliance, Version 3.0)
  • Are all anti-virus mechanisms generating audit logs, and are logs retained in accordance with PCI DSS Requirement 10.7? (PCI DSS Question 5.2(c), PCI DSS Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.0)
  • Are all anti-virus mechanisms generating audit logs, and are logs retained in accordance with PCI DSS Requirement 10.7? (PCI DSS Question 5.2(c), PCI DSS Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.0)
  • Audit logs for the anti-malware solution(s) are enabled and retained in accordance with Requirement 10.5.1. (5.3.4, Self-Assessment Questionnaire A-EP and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Audit logs for the anti-malware solution(s) are enabled and retained in accordance with Requirement 10.5.1. (5.3.4, Self-Assessment Questionnaire C and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Audit logs for the anti-malware solution(s) are enabled and retained in accordance with Requirement 10.5.1. (5.3.4, Self-Assessment Questionnaire C-VT and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Audit logs for the anti-malware solution(s) are enabled and retained in accordance with Requirement 10.5.1. (5.3.4, Self-Assessment Questionnaire D for Merchants and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Audit logs for the anti-malware solution(s) are enabled and retained in accordance with Requirement 10.5.1. (5.3.4, Self-Assessment Questionnaire D for Service Providers and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Malware detection events should be sent to the event log servers and the anti-malware administration tools. (Critical Control 5.1, Twenty Critical Security Controls for Effective Cyber Defense: Consensus Audit Guidelines, Version 4.0)
  • Malicious software. When the Contractor or subcontractors discover and isolate malicious software in connection with a reported cyber incident, submit the malicious software to DoD Cyber Crime Center (DC3) in accordance with instructions provided by DC3 or the Contracting Officer. Do not send the ma… (§ 252.204-7012(d), 252.204-7012, SAFEGUARDING COVERED DEFENSE INFORMATION AND CYBER INCIDENT REPORTING (DEC 2019))
  • CSPs or their subcontractors that discover and isolate malicious software in connection with a reported cyber incident shall securely submit the malicious software to the organization performing MCD Actions for analysis in addition to any other analysis organization employed by the CSP. The means of… (Section 6.5.4.1 ¶ 1, Department of Defense Cloud Computing Security Requirements Guide, Version 1, Release 3)
  • Malicious code is detected (DE.CM-4, Framework for Improving Critical Infrastructure Cybersecurity, v1.1)
  • Malicious code is detected (DE.CM-4, Framework for Improving Critical Infrastructure Cybersecurity, v1.1 (Draft))
  • Malicious code is detected. (DE.CM-4, Framework for Improving Critical Infrastructure Cybersecurity, Version 1.0)
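The logging-and-reaction loop these requirements describe (every detection event forwarded to a central log server, a daily check for hosts without current signatures, and a pre-defined reaction rather than an ad-hoc one, as in the FISC, RBI and Critical Controls citations above) can be exercised end to end on a handful of agent events. The block below is an added example; it is not part of this control page or of any cited standard. The JSON line format, its field names, the one-day staleness threshold and the severity-to-reaction mapping are all assumptions, and the sample lines are constructed, not captured from a real product.

```python
"""Normalize anti-malware agent events, flag what needs a reaction, and build the
records a central log server / SIEM would receive. Example only: the event format,
thresholds and reaction names are assumptions, not any vendor's or standard's."""
import json
from datetime import datetime, timedelta, timezone

# Constructed sample lines from a hypothetical agent (field names are assumptions).
SAMPLE_LOG_LINES = [
    '{"ts":"2024-03-01T08:00:00Z","host":"ws-101","event":"signature_update","version":"1.405.12.0"}',
    '{"ts":"2024-03-03T07:00:00Z","host":"ws-102","event":"signature_update","version":"1.405.30.0"}',
    '{"ts":"2024-03-03T09:12:00Z","host":"ws-101","event":"detection","threat":"Trojan:Win32/Example",'
    '"path":"C:\\\\Users\\\\a\\\\inv.exe","action":"quarantined"}',
    '{"ts":"2024-03-03T09:15:00Z","host":"ws-103","event":"detection","threat":"Worm:Win32/Example",'
    '"path":"C:\\\\temp\\\\x.exe","action":"failed"}',
    '{"ts":"2024-03-03T09:20:00Z","host":"ws-103","event":"detection","threat":"Worm:Win32/Example",'
    '"path":"C:\\\\temp\\\\y.exe","action":"quarantined"}',
    'this line is not JSON and must be counted, not silently dropped',
    '{"ts":"2024-03-03T10:00:00Z","host":"ws-101","event":"scan_complete","threats_found":0}',
]
NOW = datetime(2024, 3, 3, 12, 0, tzinfo=timezone.utc)  # fixed clock so the example is reproducible
MAX_SIGNATURE_AGE = timedelta(days=1)                     # assumption: signatures older than a day are stale


def parse_events(lines):
    """Parse JSON lines into event dicts with a timezone-aware timestamp.
    Returns (events, malformed_count); a malformed line is itself worth logging."""
    events, malformed = [], 0
    for line in lines:
        try:
            rec = json.loads(line)
            rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
            rec["host"], rec["event"]  # required fields
            events.append(rec)
        except (ValueError, KeyError, TypeError):
            malformed += 1
    return events, malformed


def stale_signature_hosts(events, now=NOW, max_age=MAX_SIGNATURE_AGE):
    """Hosts whose latest signature update is older than max_age, or that never reported one.
    A host that only ever sends detections still counts as unknown, hence stale."""
    last_update, hosts = {}, set()
    for e in events:
        hosts.add(e["host"])
        if e["event"] == "signature_update":
            last_update[e["host"]] = max(e["ts"], last_update.get(e["host"], e["ts"]))
    return sorted(h for h in hosts if h not in last_update or now - last_update[h] > max_age)


def detection_alerts(events):
    """One alert per detection. The reaction is decided by rule, not by the operator at the console:
    a failed clean-up is contained first; repeat hits on one host trigger a full scan."""
    alerts, per_host = [], {}
    for e in events:
        if e["event"] != "detection":
            continue
        per_host[e["host"]] = per_host.get(e["host"], 0) + 1
        if e.get("action") != "quarantined":
            severity, reaction = "high", "isolate_host"
        elif per_host[e["host"]] > 1:
            severity, reaction = "medium", "full_scan"
        else:
            severity, reaction = "low", "record"
        alerts.append({"ts": e["ts"].isoformat(), "host": e["host"], "threat": e.get("threat"),
                       "path": e.get("path"), "severity": severity, "reaction": reaction})
    return alerts


def build_report(lines, now=NOW):
    """What gets shipped to the log server: every alert, the stale-signature list and the parse errors."""
    events, malformed = parse_events(lines)
    return {
        "malformed_lines": malformed,
        "stale_signature_hosts": stale_signature_hosts(events, now),
        "alerts": detection_alerts(events),
    }


if __name__ == "__main__":
    print(json.dumps(build_report(SAMPLE_LOG_LINES), indent=2))
```

In practice the report would be written to the same retained audit log the anti-malware solution feeds (PCI DSS 5.3.4 ties those logs to the 10.5.1 retention rule), and the `reaction` field drives the pre-agreed playbook rather than a user's own decision, which is the point of the FISC clause quoted above.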