ICT-PR-001: Malware and Malicious Code Prevention

• Financial Accountability Act 2009 (Qld) (new window) Section 61 http://www.legislation.qld.gov.au/LEGISLTN/CURRENT/F/FinAccountA09.pdf
• Financial and Performance Management Standard 2009 (Qld) (new window) Sub-sections 7, 8, 21 and 28 http://www.legislation.qld.gov.au/LEGISLTN/CURRENT/F/FinAccPManSt09.pdf

• Information Standard 18 Information Security (Principle 6) http://www.qgcio.qld.gov.au/qgcio/architectureandstandards/informationstandards/current/Pages/index.aspx

• FNM-PR-003: Risk Management /strategic/eppr/finance/fnmpr003/
• IFM-PR-006: Maintaining the Security of the Department's Information and Systems /strategic/eppr/information/ifmpr006/
• ICT-PR-004: Using the Department's Corporate ICT Network /strategic/eppr/ict/ictpr004/

Statement of intent

Policy position
The Department of Education and Training (DET) is focussed on preventing and detecting computer infection by malware, malicious code and computer viruses, which have the potential to cause extensive disruption within large and diverse government agencies. This disruption can interfere with student learning activities, corporate business processes and diverts the attention of staff as they restore systems and overcome malware and malicious code attacks. This procedure aims to implement optimum security controls to protect information and systems against malware and malicious code.

Purpose
The department has adopted an agency-wide approach to combat malware and malicious code threats. It has entered into an enterprise software licensing agreement for antivirus software, including the option for staff to purchase antivirus software for home use. A range of control measures have also been implemented to protect schools, institutes, corporate and administrative offices from malware and malicious code threats (e.g. antivirus software at key entry points; maintaining currency of malware and malicious code definitions and regularly scanning IT devices).

IFM-PR-006: Maintaining the Security of the Department's Information and Systems states that security is everyone's responsibility. All system owners, administrators and users are to protect the department's information resources by diligently following the malware and malicious code management practices as defined in this procedure.

The use of emerging technologies such as the iPhone, iPod and Android based devices within the corporate ICT network are currently not supported by the department's antivirus solution. A departmental trial will determine the suitability of these devices for business productivity and teaching and learning. Schools, institutes and business units should take all reasonable care to ensure information is secure (as for any ICT device) when connecting these devices to the department's ICT network. For further information see ICT-PR-004: Using the Department's Corporate ICT Network. (Note: Users of these technologies are to be aware that following completion of the trial this statement will be revised and configuration and operation of these devices may be impacted).

Users accessing departmental computers, private devices, laptops, PDAs/Smartphones via departmental networks who breach and/or bypass the information security malware and malicious code prevention measures may be subject to disciplinary action. Such conduct may result in restriction and/or suspension of access privileges. Where community users have been identified as breaching and/or bypassing the information security malware and malicious code prevention measures, access rights will be withdrawn.

Depending on the severity of the user's conduct, the matter may be reported to state or federal police. This applies to staff, students and community users.

DET monitors and audits the antivirus software and records any or all malware and malicious code related activity. Users may be called on to explain any incident.

Scope
ICT-PR-001 Malware and Malicious Code Prevention applies to all departmental business units, including schools, TAFEs, corporate and regional offices. It is considered that TAFEs and those that have become statutory authorities would benefit from adopting consistent security management practices for malware and malicious code prevention. It covers, but is not limited to:

• all users of the departmental ICT network
• all electronic information collected by, or on behalf of, the department
• any existing and future information systems developed or acquired by the department to provide services internally or to any other agency
• all information systems that store, process, retrieve or transmit electronic information that is managed by or on behalf of the department. Standard antivirus software will be installed and updated on all ICT equipment accessing the network, which meets minimum hardware requirements prior to their use.
• service level agreements where providers have been engaged to manage ICT desktop services on behalf of the department.
  

Responsibilities

• approves this procedure and any subsequent reviews or amendments to this procedure and any associated departmental guidelines developed for the operations of this procedure.

• approves internal malware and malicious code response instructions, minimum configuration standard operating procedures and approved product list.

• oversees corporate antivirus contract and licensing of the corporate antivirus solution across the department
• ensures that third party service providers (e.g. Web Central/CITEC) anti virus/spam infrastructure (and response arrangements are sufficient) is managed and current as per agreements
• collects necessary information to facilitate payment of the department's corporate antivirus account
• provides advice and is responsible for overall management of any technical operations of an information security nature, including administration of network services, applications development and system investigations.

• prepares and maintains response procedures
• instigates antivirus response teams when required
• provides advice and reviews of ICT-PR-001 when required
• ensures antivirus infrastructure is managed and up to date.

• manage and coordinate activities and resources to prevent and respond to incidents of malware and malicious code infection
• ensure departmentally approved antivirus software has been installed on all specified school and institute computers and are configured to departmental standards
• ensure where school/institute computers are managed by a service provider, that the Service Level Agreement contains a provision whereby antivirus software is installed and regularly updated on computers
• configure software according to standards defined in Antivirus Overview and Minimum Standards as defined in the Symantec Standard Configuration. These configuration standards include:
  • update malware and malicious code signature files daily
  • enable real time scanning for malware and malicious code on all desktop computers, mobile devices (PDAs) and servers.
• perform regular checks to confirm malware and malicious code definitions are up to date according to implemented setup. Investigate and resolve any issues identified.
  Note: Regular checks should be made on devices such as laptops that are not connected to the network.
• support installation, utilising Symantec knowledgebase as required, escalating issues that cannot be resolved to next support level as follows:
  • for schools, either to regional/district system technician or schools' service desk (if registered)
  • for system technicians and corporate ICT staff, escalate to the Service Centre
  • for TAFE institutes, escalate to the Unisys Help Desk.
• contain malware and malicious code infected device(s) to prevent further infection
• investigate source and remove malware and malicious code (in conjunction with next support level as required). Address any weaknesses in protection as necessary.
• report any malware and malicious code outbreak to the Service Centre (schools and corporate business units) or Unisys Help Desk (TAFE institutes). Guidance on the reporting process is found in the Virus Containment Workflow - Enterprise and Desktop Services.
  
  

• ensure they do not disable or interfere with the operation of antivirus software
• ensure corporate/education and TAFE personal computers/laptops in use are regularly made available for antivirus software updates
• exercise caution when opening email and related attachments (e.g. are they expected, etc.)
• do not download software from the Internet unless authorized by senior management and the technology support officer. Risks may include infringement of copyright in addition to introduction of malware or malicious code
• scan downloaded software for malware and malicious code. For technical assistance, contact the Service Centre (schools and corporate business units) or Unisys Help Desk (TAFE institutes).
• do not develop, distribute or run any computer programs or code that is intended to replicate itself, cause damage, and/or impede the performance of any computer, software application or network whether malicious or otherwise
• immediately report malware and malicious code infection, whether suspected or confirmed, to the Service Centre (schools and corporate business units) or Unisys Help Desk (TAFE institutes). Guidance on the reporting process is found in the Virus Containment Workflow - End User.
• report incidents of security breaches in relation to incidents of malware and malicious code infection and any unusual related behaviour to their immediate supervisor and ICT support staff, as per IFM-PR-006: Maintaining the Security of the Department's Information and Systems
• reporting incidents to the Manager, Operational Security can be made via the Information Security Incident Reporting form
• isolate infected computers from the network quickly to prevent further infection. To isolate the computer, either turn it off or disconnect the network cable. To mitigate large scale infection, contact the Service Centre (schools and corporate business units) or Unisys Help Desk (TAFE institutes).
• scan all files and information contained on portable media and storage devices (such as DVDs, USB drives, floppy disks, etc) for malware and malicious code prior to being used on any department information systems (such as laptops, PDAs, desktop computers, etc). Scanning can be either manual or automated. Automated methods are preferred. Seek further assistance from the System Technician/ICT Manager or through the Service Centre (schools and corporate business units) or Unisys Help Desk (TAFE institutes).

• provides information security governance advice and review according to the Information Security Management Framework
• manages and monitors compliance with information security policies and standards.

Forms

• Information Security Incident Reporting form

• Not applicable

Other relevant documents

• Virus Containment Workflow for Enterprise and Desktop Services/strategic/eppr/ict/ictpr001/access.html
• Virus and Malicious Code Containment Workflow for Users/strategic/eppr/ict/ictpr001/access.html
• Symantec Knowledgebase http://www.symantec.com/techsupp/enterprise/select_product_kb.html
• Definitions/strategic/eppr/ict/ictpr001/definitions.html

Contacts

For information about malware and malicious code, contact:

For TAFE Institutes, to log a job go to http://tafeit.admin.tafe/ or contact the TAFE Unisys Help Desk:

• ICT-PR-001: Virus and Malicious Code Prevention - Version: 1.0, 2.0