Information Technology Standard 05.4.0

Virus & Malicious Code Protection Standard


Date of Current Revision or Creation: November 1, 2021


The purpose of an Information Technology Standard is to specify requirements for compliance with the University's Information Technology policies, other University policies, as well as applicable laws and regulations. Standards may include business principles, best practices, technical standards, and migration and implementation strategies that direct the design, deployment and management of information technology.

Purpose

The purpose of this standard is to define the requirements to protect and defend the University network from the spread of a computer virus or other unintended or malicious destruction.

Definitions

Endpoint Protection - Software intended for the protection of laptop and desktop resources both on and off campus that is licensed by the University for use on faculty and staff computers.

Data Users/Users - Individuals and organizations that access institutional data and information in order to perform their assigned duties or to fulfill their role in the University community.

Malicious Code - The term used for any code in any part of a software system or script that is intended to cause undesired effects, security breaches, or damage to a system. Malicious code can include attack scripts, viruses, worms, Trojan horses, backdoors, and malicious active content.

Standards Statement

Malicious Code Protection

Users will not willfully introduce virus-infected media or other foreign materials into any University systems without proper authorization and without using up-to-date, approved virus-scanning software.

Advanced endpoint protection will be used on ITS-managed desktops, laptops, and servers. All devices connected to the network, including off-campus computers, should have some form of anti-virus or endpoint protection, or be configured according to best practice for the operating system. Personally owned devices are also subject to compliance when connected to the University network.

Information Technology Services will monitor network activity and take appropriate action to control infection. Any server or client known to be an infecting agent will be disconnected and the user notified immediately. The user or department will be responsible for bringing the device into compliance.

Malicious Code Protection

Users will not intentionally develop or experiment with malicious programs and are prohibited from knowingly propagating malicious programs including opening attachments from unknown sources.

The University will provide malicious program detection, protection, eradication, logging, and reporting capabilities for IT systems and users. Malicious program protection should remove or quarantine malicious programs that it detects; provide alert notifications; protect memory and storage devices; protect against files retrieved through a network connection or from an input storage device; allow only authorized personnel to modify program settings; monitor activity, maintain logs of protection activities, or some combination of these.

Disciplinary Action

Users who willfully disregard this Standard are subject to disciplinary actions as provided for in other organizational employment and human resources policies.

Procedures, Guidelines & Other Related Information

History

Date            Responsible Party       Action
October 2009    ITAC/CIO                Reaffirmed
October 2010    ITAC/CIO                Reaffirmed
October 2011    ITAC/CIO                Reaffirmed
October 2012    ITAC/CIO                Reaffirmed
December 2012   ITAC/CIO                Merged Virus Protection and Malicious Code Protection Standards; numbering revision
August 2013     IT Policy Office        Departmental name update
August 2015     IT Policy Office/ISO    Three year review; links and terminology updated.
December 2018   IT Policy Office        Definitions and links checked
November 2021   IT Policy Office        Definitions and links checked