Copyright © 2017 Health and Social Care Information Centre.

Anti-Virus and Malware

Contents

1 Purpose

2 Scope

3 Applicability

4 Guidance

Terminology

Policy

General

Administrative

5 Key Words

1 Purpose

The purpose of this Anti-Virus and Malware Example Policy is to provide exemplar guidance, in line with HMG and private sector best practice, for the implementation of an organisation-wide Anti-Virus and Malware Policy. This is in order to allow the reader to produce the necessary policies and guidance for their business area and to ensure that the applicable and relevant anti-virus and malware security controls are set in place in line with the Department for Health, the wider NHS, health and social care and HMG requirements.

2 Scope

The drafting of any policy governing the implementation and management of anti-virus and malware controls on NHS systems deployed in support of NHS or health and social care business functions.

3 Applicability

This Example Policy is applicable to and designed for use by any NHS, health and social care or associated organisations that use or have access to NHS systems and/or information and data at any level.

4 Guidance

This Example Policy provides guidance on the production of an Anti-Virus and Malware Policy. The Example Policy is in italics, with areas for insertion shown as <…> and the rationale for each paragraph or section, where required, in [….]. This Example Policy is supported by a more detailed Good Practice Guide on Anti-Virus and Malware, which can be used to assist in determining what is and what is not required in the exemplar policy shown here.

Terminology

Term     Meaning/Application
SHALL    This term is used to state a Mandatory requirement of this policy
SHOULD   This term is used to state a Recommended requirement of this policy
MAY      This term is used to state an Optional requirement of this policy

Policy

General

  • <Insert name of organisation> systems shall run effective anti-virus and anti-malware software.
  • <Insert name of organisation> IT anti-virus and anti-malware software shall be configured to detect and remove known viruses and malware.
  • All <insert name of organisation> IT systems (servers, desktops, laptops) shall run one of the NHS approved and supported anti-virus and anti-malware software packages.
  • All servers, desktops and laptops shall be configured to run only one of the approved products at any time.
  • Anti-virus and anti-malware software shall be kept up to date.
  • Anti-virus and anti-malware definition files shall be kept up to date.
  • Anti-virus and anti-malware software updates shall be deployed across the network automatically following their receipt from the vendor.
  • Virus and malware signature updates shall be deployed across the network automatically following their receipt from the vendor.
  • Anti-virus and anti-malware software shall be configured for real time scanning and regular scheduled scans.
  • Tamper protection shall be enabled to prevent end users or malware altering the anti-virus and anti-malware software’s configuration or disabling the protection.
  • All IT equipment and removable media shall be scanned for viruses and malware before being introduced to the <insert name of organisation> network, system or device.
  • IT systems infected with a virus or malware that the anti-virus or anti-malware software has not been able to deal with shall be quarantined from the NHS network until virus free.
  • Any instance of virus or malware infection or detection shall be documented and raised as a security incident.

[Viruses and other malware are among the most common forms of attack facing NHS IT systems. To enable your organisation to reduce the risks of such threats, and to minimise the effects of the attacks, it is important that your systems remain as virus free as possible; the section above should list the minimum requirements to achieve this. For smaller organisations that may have outsourced their IT to a third-party provider, the statements outlined in this policy should be included in the relevant contract.]

Administrative

  • Changes that are required to the settings of any anti-virus or anti-malware product shall follow the formal <insert name of organisation> change control process.
  • <Insert name of organisation> shall ensure that all anti-virus and anti-malware products are regularly and correctly updated from the vendor service.
  • <Insert name of organisation> may periodically test anti-virus and anti-malware defences by deploying a safe and non-malicious test file.
  • A log shall be kept of all scans undertaken. These logs should record, as a minimum:
      • Date.
      • Time.
      • Addresses of areas scanned.
      • Malware found.
      • Any action taken by the anti-virus and anti-malware software (e.g. quarantine or delete).

  • To prevent misuse and tampering by unauthorised staff, all administrative settings in the deployed anti-virus and anti-malware products shall be secured by means of a password.

[The effective management of anti-virus and anti-malware packages is fundamental to their successful use as security controls. Dependent on its size and structure, an organisation should as a minimum aim to implement the administrative points above. For smaller organisations that may have outsourced their IT to a third-party provider, the statements outlined in this policy should be included in the relevant contract.]

5 Key Words

Malware, Virus, Software, Systems.