Monday, July 30, 2007

Information Security Policy 101 – Virus Protection Policy

Part 18 in the Information Security Policy 101 Series

For many organizations the threats posed by viruses are manageable given appropriate controls. A Virus Protection Policy is the first step towards ensuring that appropriate controls are in place on workstations, laptops, email gateways, servers, etc.

General Policy Format
All information security policies should have the following sections at a minimum:

Purpose – This is the stated purpose of the policy and clearly communicates why it was written.

The purpose of the %ORGANIZATION% Virus Protection Policy is to describe the
requirements for dealing with computer virus, worm and Trojan horse infection,
prevention, detection and cleanup.

Audience – This section of the policy states who the policy statements apply to, or who is governed by them. A Virus Protection Policy applies to all persons with any type of access to an %ORGANIZATION% information resource.

The %ORGANIZATION% Virus Protection Policy applies equally to all individuals
that use any %ORGANIZATION% Information Resource.

Policy – The section that contains the actual policy statements.

Other sections that may be added to security policies could be definitions, scope, responsibilities, etc.

Virus Protection Policy
The Virus Protection Policy is simple policy that you may find some overlap with other information security policies. One additional benefit of having a separate Virus Protection Policy is the ease of reference for users and support personnel. Be careful to write statements that do not contradict those in another policy, however rare.


- All %ORGANIZATION% owned and/or managed workstations, including laptops whether connected to the %ORGANIZATION% network, or standalone, must use the %ORGANIZATION% IT management approved virus protection software and configuration.
- All non-%ORGANIZATION% owned and/or managed workstations, including laptops must use %ORGANIZATION% IT management approved virus protection software and configuration, prior to any connection to an %ORGANIZATION% Information Resource.

The draft, approval, implementation, and enforcement of a Virus Protection Policy can decrease the amount of risk to an organization’s information resources as a result of malware (virus and/or spyware).


Next in the series: “Information Security Policy 101 – Policy Approval”

Previous: “Information Security Policy 101 – “Vendor/Third-Party Access Policy”

No comments: