Trust Informatics Policy. Information Governance Department. Computer Antivirus Management Policy

Transcription

1 Document Control Trust Informatics Policy Information Governance Department Computer Antivirus Management Policy Document Title Author/Contact Computer Antivirus Management Policy Pauline Nordoff-Tate, Information Assurance Manager Document Reference 15 Version 3 Status Approved Publication Date 26 th July 2012 Review Date 26 th July 2014 Approved by Dr Peter Williams Caldicott Guardian 23 rd July 2012 Ratified by (Relevant Group) Information Governance Group. 23 rd July 2012 Distribution: Royal Liverpool and Broadgreen University hospitals NHS Trust-intranet using SharePoint which will maintain the policy document in conjunction with each document author. Please note that the Intranet version of this document is the only version that is maintained. Any printed copies should therefore be viewed as uncontrolled and as such, may not necessarily contain the latest updates and amendments. Computer Anti-Virus Policy

2 Table of Contents Heading Page Number Control Sheet 1.0 Introduction Objective Scope Policy Malware Trojan Virus Worm Zero Day Antivirus Updates - Change Management Antivirus Updates - Desktop Server Antivirus Server Software Patch Management - Change Management Security Updates Testing Roles and Responsibilities IT Department Managers Staff Associated Documents and References Training & Resources Monitoring and Audit Equality and Diversity Recording and Monitoring of Equality & Diversity 5 Appendix 1 - Glossary of Terms 6 Computer Anti-Virus Policy i

3 Appendix 2 Blocked File Extensions 7 Appendix 3 - Document History / Version control 9 Computer Anti-Virus Policy ii

4 1.0 Introduction The Trust recognises that the Computer Antivirus Management Policy is a valuable resource in the prevention of various computer viruses within the environment. This policy is not a definitive statement of the purposes as there are likely to be new breakouts on a regular basis. Regular assessments are needed to ensure the security and reliability of the Trust s environment. This Policy should be read in conjunction with other Informatics Policies and the Staff Code of Conduct. This Policy is to be treated as a term of the employment contract. 2.0 Objective This policy aims to detail the approach that has been adopted by the Trust in relation to the management of threats resulting from the existence of malicious code (virus, worm, Trojan etc). 3.0 Scope External threat sources are increasingly utilising viruses and malicious code in their attempts to compromise systems, gain unauthorised access to information and to take control of computer resources. The wide proliferation of Worms, Trojans and the existence of Zero Day exploits dictates the requirement for a robust Antivirus management approach. The Trust has an obligation to ensure that all information processed during the normal operational practices are safe from such threats. 4.0 Policy The Policy acts as a guidance tool to protect the Trust networks and services from: 4.1 Malware Software intended to cause harm or disruption to computers or networks. There are many classifications of Malware but as a general term it deals with all forms of viruses, Trojan s and other software designed with malicious intent. 4.2 Trojan A program designed to covertly allow access to a machine without the users knowledge. A Trojan usually installs itself while disguised as a legitimate file or through social engineering methods with the intention of an attacker being able to control the target machine and abuse its resources. 4.3 Virus A malicious program or piece of code that is loaded onto a computer without permission and runs against your wishes. Computer Anti-Virus Policy Page 1

5 4.4 Worm A program or algorithm that replicates itself over a computer network and usually performs malicious actions, such as using up the computer's resources and possibly shutting the system down. 4.5 Zero Day A zero-day (0-day) exploit, is an exploit that takes advantage of security vulnerabilities on the same day that the vulnerabilities become generally known. 4.6 Antivirus Updates - Change Management The daily update of the antivirus signature databases is automatic and is classed as a routine change under the Trust Change Management procedures. Any change conducted to the application itself will be conducted in accordance with the Change Management procedures. 4.7 Antivirus Updates - Desktop All Trust Desktop computers will have an appropriate antivirus application installed. This application will update the signature database on a daily basis, ensuring the most current protection is available. Updates will be collected from the antivirus management server. 4.8 Server Antivirus Each server will have an appropriate antivirus application installed during the build phase and will not be introduced into the live environment without this application being fully current in relation to known threats. Updates will be conducted on a daily basis and will be collected from the antivirus management server Server The servers have the same antivirus client installed, providing coverage of traffic, and updates on the same basis as all other servers. These servers will also further enhance the protection cover by blocking specific file extensions on attachments. See Appendix 2 for a full list of blocked file extensions Software Patch Management - Change Management Any change made to Trust Servers is conducted in accordance with the Trust Change Management Procedures Security Updates The Microsoft Windows Update web site is checked on a quarterly basis for new security updates and identified updates are scheduled for implementation. If a Computer Anti-Virus Policy Page 2

6 risk is identified as being of a sufficiently high risk prior to the normal quarterly check, system downtime is arranged in order to implement the fix at the earliest possible date Testing Prior to any change being released into the live environment, rigorous testing takes place to ensure that there will be no adverse impact upon services. This is achieved through the utilisation of a test machine several days prior to live implementation. During this period, the machine is used to establish if there is likely to be any adverse impact. It is accepted that although testing does occur, it cannot always guarantee that the update will not affect services. 5.0 Roles and Responsibilities 5.1 IT Department It is the responsibility of the Technical Services to ensure that the antivirus solution is maintained in order to ensure an appropriate level of protection is provided against malicious code. 5.2 Managers It is the responsibility of all Managers to ensure that staff within their departments have received appropriate training relating to Information Security and the use of IT Systems. 5.3 Staff It is the responsibility of all staff to ensure that malicious code is not introduced onto Trust systems through adherence to Trust IT related policies. 6.0 Associated Documents and References This policy has been developed in conjunction with the following documents and Trust policies: Data Protection Act 1998 Computer Misuse Act 1990 ISO27002 Code of Practice for Information Security Management Trust Information Assurance policy and Internet Access and Monitoring Policy Firewall Management/Network Security Policy 7.0 Training & Resources The implementation of policies in this area will be carried out across the Trust by all involved staff and will be led by the and Computer Anti-Virus Policy Page 3

7 associated teams (Information Quality, Data Protection, Information Security, Records Management, Freedom of Information etc). Information Governance elements will be included in standard Trust induction, core skills training programmes, specific data protection training packages and electronic learning packages. Managers will ensure that the relevant paragraphs are included in staff job descriptions. 8.0 Monitoring and Audit The Information Governance Group is a sub-group of the Trust Board with responsibility for the ratification of Information Governance policies and approval of work programmes. This group has senior level representation, chaired by the Caldicott guardian, and supported from all appropriate areas to ensure the Trust steers this agenda appropriately. It receives regular reports from the Information Assurance Manager and responsible staff dealing with all aspects of the agenda as outlined above, and approves central returns required by the Information Governance Toolkit to NHS Connecting for Health. The IGT will be used by the Trust to conduct baseline audit and construct action plans for future compliance with this agenda. The work programs in the individual areas will be created by adherence to the IGT standards and to the national standards appropriate to the individual field of activity. Minimum requirement to be monitored Process for monitoring, e.g audit Responsible individual / group/ committee Frequency of monitoring Responsible individual / group / committee for review of results Responsible individual / group/ committee for development of action plan Responsible individual / group / committee for monitoring of action plan and implementation Relevance of policy to Trust needs Audit / Review IGG Annually IGG IGG IGG 9.0 Equality and Diversity Trust is committed to an environment that promotes equality and embraces diversity in its performance as an employer and service provider. It will adhere to legal and performance requirements and will mainstream equality and diversity principles through its policies, procedures and processes. This policy should be implemented with due regard to this commitment. To ensure that the implementation of this policy does not have an adverse impact in response to the requirements of the Race Relations (Amendment Act) the Disability Discrimination Act 2005, and the Equality Act 2006 this policy has been screened for relevance during the policy development process and a full impact Computer Anti-Virus Policy Page 4

8 assessment conducted where necessary prior to consultation. The Trust will take remedial action when necessary to address any unexpected or unwarranted disparities and monitor practice to ensure that this policy is fairly implemented. This policy and procedure can be made available in alternative formats on request including large print, Braille, moon, audio, and different languages. To arrange this please refer to the Trust translation and interpretation policy in the first instance. The Trust will endeavour to make reasonable adjustments to accommodate any employee/patient with particular equality and diversity requirements in implementing this policy and procedure. This may include accessibility of meeting/appointment venues, providing translation, arranging an interpreter to attend appointments/meetings, extending policy timeframes to enable translation to be undertaken, or assistance with formulating any written statements. 9.1 Recording and Monitoring of Equality & Diversity The Trust understands the business case for equality and diversity and will make sure that this is translated into practice. Accordingly, all policies and procedures will be monitored to ensure their effectiveness. Monitoring information will be collated, analysed and published on an annual basis as part of our Single Equality and Human Rights scheme. The monitoring will cover all strands of equality legislation and will meet statutory employment duties under race, gender and disability. Where adverse impact is identified through the monitoring process the Trust will investigate and take corrective action to mitigate and prevent any negative impact. The information collected for monitoring and reporting purposes will be treated as confidential and it will not be used for any other purpose. Computer Anti-Virus Policy Page 5

9 Appendix 1 - Glossary of Terms Malware Malicious ware deals with all forms of viruses including Trojans and other software designed with malicious intent. Trojan A Trojan is a piece of software which disguises itself as a legitimate file wit the intention of attacking a target. Worm usually an algorithm which replicates itself over a computer network which is designed with malicious Computer Anti-Virus Policy Page 6

10 Appendix 2 Blocked File Extensions File extension.ade.adp.bas.bat.chm.cmd.com.cpl.crt.exe.hlp.hta.inf.ins.isp.js.jse.lnk.mda.mdb.mde.mdz.msc.msi File type Microsoft Access project extension Microsoft Access project Microsoft Visual Basic class module Batch file Compiled HTML Help file Microsoft Windows NT Command Script Microsoft MS-DOS program Control Panel extension Security certificate Program Help file HTML program Setup Information Internet Naming Service Internet Communication settings JScript file Jscript Encoded Script file Shortcut Microsoft Access add-in program Microsoft Access program Microsoft Access MDE database Microsoft Access wizard program Microsoft Common Console Document Microsoft Windows Installer package Computer Anti-Virus Policy Page 7

11 .msp.mst.pcd.pif.reg.scr.sct.shs.url.vb.vbe.vbs.wsc.wsf.wsh Windows Installer patch Visual Test source files Photo CD image or Microsoft Visual Test compiled script Shortcut to MS-DOS program Registration entries Screen saver Windows Script Component Shell Scrap Object Internet shortcut VBScript file VBScript Encoded Script file VBScript file Windows Script Component Windows Script file Windows Script Host Settings file Computer Anti-Virus Policy Page 8

12 Appendix 3 - Document History / Version control Version Date Comments Author Draft 12/12/2006 Draft version produced for N Morgan review 1 20/12/2006 Minor revisions made N Morgan /07/2007 Placed into Trust format A Penketh /05/2009 Policy Review no changes D Mort required /06/2010 Minor revisions made Information Assurance Manager /09/2010 Minor revisions Information Assurance Manager /07/2012 Minor Revisions Servers have the Technical Support Team Manager same AV Client, Security updates are checked on a quarterly basis. 23/07/2012 Minor revisions Information Assurance Manager 12/10/2012 Trust format changes Information Assurance Manager Review Process Prior to Ratification NAME OF GROUP/DEPARTMENT/SPECIALIST DATE COMMITTEE North Mersey HIS December 2006 Information Governance Group March 2007 Information Governance Group(virtual meeting) August 2010 Information Governance Group 23 rd July 2012 Computer Anti-Virus Policy Page 9