7.5.11 Malicious Code
A. Purpose
To describe the requirements for preventing, detecting, and cleaning up computer viruses, worms, Trojan Horses, and other unauthorized code.
B. Persons Affected
All individuals who use any University of Texas at Tyler (the "University") Information Resources.
C. Definitions
Information Resources (IR): Any and all computer printouts, online display devices, magnetic storage media, and all computer-related activities involving any device capable of receiving email, browsing Web sites, or otherwise capable of receiving, storing, managing, or transmitting electronic data including, but not limited to, mainframes, servers, personal computers, notebook computers, hand-held computers, personal digital assistants (PDA), pagers, distributed processing systems, network attached and computer controlled medical and laboratory equipment (i.e. embedded technology), telecommunication resources, network environments, telephones, fax machines, printers and service bureaus; and the procedures, equipment, facilities, software, and data that are designed, built, operated, and maintained to create, collect, record, process, store, retrieve, display, and transmit information.
Information Resources Manager (IRM): Responsible to the State of Texas for management of the University's information resources. The designation of the IRM is intended to establish clear accountability for setting policy for information resources management activities, provide for greater coordination of the University's information activities, and ensure greater visibility of such activities within and between state agencies. The IRM has been given the authority and the accountability by the State of Texas to implement Security Policies, Procedures, Practice Standards and Guidelines to protect the Information Resources of the University.
Chief Information Officer (CIO): Responsible to executive management for administering the Information Technology functions within the University. The CIO is the University's internal and external point of contact for all information technology matters.
Information Security Officer (ISO): Responsible to executive management for administering the information security functions within the University. The ISO is the University's internal and external point of contact for all information security matters.
Information Technology (IT): The University department responsible for computers, networking and data management.
Virus: A program that attaches itself to an executable file or vulnerable application and delivers a payload that ranges from annoying to extremely destructive. A file virus executes when an infected file is accessed. A macro virus infects the executable code embedded in Microsoft Office programs that allows users to generate macros.
Trojan Horse: Destructive programs—usually viruses or worms—that are hidden in an attractive or innocent-looking piece of software, such as a game or graphics program. Victims may receive a Trojan horse program by e-mail or on a diskette, often from another unknowing victim, or may be urged to download a file from a Web site or bulletin board.
Worm: A program that makes copies of itself elsewhere in a computing system. These copies may be created on the same computer or may be sent over networks to other computers. The first use of the term described a program that copied itself benignly around a network, using otherwise-unused resources on networked machines to perform distributed computation. Some worms are security threats, using networks to spread themselves against the wishes of the system owners and disrupting networks by overloading them. A worm is similar to a virus in that it makes copies of itself, but different in that it need not attach to particular files or sectors at all.
Server: A computer program that provides services to other computer programs in the same, or another, computer. A computer running a server program is frequently referred to as a server, though it may also be running other client (and server) programs.
Security Incident: In information operations, an assessed event of attempted entry, unauthorized entry, or an information attack on an automated information system, including unauthorized probing and browsing; disruption or denial of service; altered or destroyed input, processing, storage, or output of information; or changes to information system hardware, firmware, or software characteristics with or without the users' knowledge, instruction, or intent.
E-mail: Abbreviation for electronic mail, which consists of messages sent over any electronic media by a communications application.
D. Policy
The number of computer security incidents and the resulting cost of business disruption and service restoration continue to escalate. Implementing solid security policies, blocking unnecessary access to networks and computers, improving user security awareness, and early detection and mitigation of security incidents are some of the actions that can be taken to reduce the risk and drive down the cost of security incidents. The CIO, ISO, or their designees shall ensure:
- Procedures and tools exist to guard against, detect, and report malicious software
- IT and Information Security personnel are trained and proficient in the use of the security solutions used to protect against malicious software
- Customers are aware of the security policies enforced on their workstations
- Computing Assets. All University workstation and server-based assets, whether connected to the University network or operating as standalone units, must use University approved antivirus/antimalware protection software and the configuration provided by the University IT department. The following requirements shall be followed:
  - Virus protection software must not be disabled or bypassed
  - Settings for the virus protection software must not be altered in a manner that reduces the software's effectiveness
  - Automatic update frequency must not be altered to reduce the frequency of updates
  - All servers attached to the University network must use University approved/standard virus protection software, set up to detect and clean viruses
  - All electronic mail gateways, devices, and servers must use University approved e-mail virus/malware/spam protection software and must adhere to University rules for the setup and use of this software
  - Any threat that is not automatically cleaned, quarantined, and subsequently deleted by malware protection software constitutes a security incident and must be reported to the IT Help Desk
  - Antivirus/antimalware signature updates shall occur at a frequency defined by the CIO, but at a minimum once each calendar day
- Application Installation and Management. All University authorized applications and software shall be installed by IT staff. University managed antivirus and malware software shall ensure:
  - Authorized applications and software operate according to a clearly defined security policy
  - All unauthorized applications and software are prevented from being executed
- Licensing, Maintenance, and Support. Maintenance actions (software updates, definition updates, infections, etc.) shall be logged and retained for a period aligning with University and IT requirements to allow proper investigation of malware related incidents. Management shall ensure proper licensing, tracking, and related documentation. This shall include processes and procedures supporting:
  - Antivirus software installation on all systems
  - Regular threat scanning capable of detecting, removing, and protecting against known types of malicious software
  - Annual review and re-evaluation of low-risk systems and appliances not considered affected by malicious software, based on current best practice
  - Pro-active monitoring and update mechanisms supporting this policy
  - Verification that mechanisms are in place for preventing users from disabling or modifying antivirus detection tools
  - Processes and procedures for exceptions to the policy, which exist and are followed based on a case-by-case evaluation
  - If antivirus mechanisms are disabled, additional security measures may need to be implemented for the period of time during which antivirus protection is not active
- Audit Controls and Management. Documented procedures and evidence of practices should be available on demand for this operational policy. Appropriate controls include:
  - Virus and malware installation and update logs
  - Associated virus scan and history logs
  - Procedures for quarantine and removal of threats
  - Documented remediation and communication procedures for large scale incidents
Violation of this policy may result in disciplinary action, which may include termination for employees and temporaries; termination of the employment relationship in the case of contractors or consultants; dismissal for interns and volunteers; or suspension or expulsion in the case of a student. Additionally, individuals are subject to loss of Information Resources access privileges and to civil and criminal prosecution.
F. Review Responsibilities and Dates
The Division Head for this Policy is the Chief Information Security Officer, and this Policy shall be reviewed every two (2) years, or sooner if necessary, by the Division Head or their designee.
APPROVED: 09/2021
AMENDED: 05/2023