S 2.158 Reporting infections of malware
Initiation responsibility: IT Security Officer, Head of IT
Implementation responsibility: User
Informing the central contact persons
When malware is detected, the primary concern is to prevent the infection from spreading to further IT systems. The virus protection program in use should therefore support automatic reporting of malware infections. The automatic report must be sent to a central location and processed there; the employee responsible then decides how to proceed based on the current situation.
Even where automatic reporting is available, users should still inform the person appointed as the contact when the virus protection program reports a possible infection or they otherwise suspect their system is infected with malware. It makes sense to give users a single point of contact (central alarm centre) for reporting all types of security incidents (e.g. a user help desk, the support department, or a similar location). A user in doubt often cannot reliably tell whether a problem is really caused by a malware infection or, for example, by a hardware or software defect.
The contact persons and the central alarm centre personnel must be trained accordingly and decide which additional steps should be taken, if any, based on the information available (see also S 1.8 Handling of security incidents for more information on this subject). It is also important in this regard that all employees are aware of the reporting paths and who to contact (see S 6.60 Specification of reporting paths for security incidents).
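One way to implement the automatic report to the central location, as an added example that is not part of this safeguard: the script below assumes the scanner is ClamAV's clamscan, whose output contains one line per detection in the form "<path>: <signature> FOUND", parses a constructed sample of that output, groups all hits from one host into a single report record and renders it as a CEF line for a SIEM collector. The hostname ws-017, the record layout, the CEF vendor and product strings and the signature name Win.Test.Sample-1 are assumptions made here.

```python
"""Automatic reporting of antivirus detections to a central contact point.

Added example, not part of the original BSI safeguard. It assumes the scanner
is ClamAV's clamscan ("<path>: <signature> FOUND" per hit); the hostname, the
report record layout and the CEF vendor/product strings are choices made here.
"""
import json
import re
import socket
from datetime import datetime, timezone

# clamscan prints "<path>: <signature> FOUND" for each infected file and
# "<path>: OK" for clean files; summary lines follow after a blank line.
DETECTION_RE = re.compile(r"^(?P<path>.+?): (?P<signature>\S+) FOUND$")

# Constructed sample output (Win.Test.Sample-1 is a made-up signature name;
# Eicar-Test-Signature is ClamAV's name for the EICAR test file).
SAMPLE_SCAN_OUTPUT = """\
/home/alice/Downloads/invoice.pdf.exe: Win.Test.Sample-1 FOUND
/home/alice/Downloads/report.pdf: OK
/home/alice/Mail/attach/eicar.com: Eicar-Test-Signature FOUND

----------- SCAN SUMMARY -----------
Infected files: 2
"""


def parse_detections(scan_output):
    """Return [(path, signature), ...] for every FOUND line, in scan order."""
    hits = []
    for line in scan_output.splitlines():
        m = DETECTION_RE.match(line.rstrip())
        if m:
            hits.append((m.group("path"), m.group("signature")))
    return hits


def build_report(scan_output, hostname=None, scanner="clamscan"):
    """Turn one scan's output into a single report for the central alarm centre.

    All hits from one host are grouped into one record so the alarm centre gets
    one ticket per host and scan rather than one per file. Returns None when the
    scan found nothing, so clean scans generate no noise at the central location.
    """
    hits = parse_detections(scan_output)
    if not hits:
        return None
    return {
        "event": "malware_detected",
        "host": hostname or socket.gethostname(),
        "reported_at": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "scanner": scanner,
        "detection_count": len(hits),
        "signatures": sorted({sig for _, sig in hits}),
        "files": [{"path": path, "signature": sig} for path, sig in hits],
    }


def _cef_escape(value, header=False):
    """Escape for CEF: backslash and '|' in header fields, '=' in extensions."""
    value = str(value).replace("\\", "\\\\")
    if header:
        return value.replace("|", "\\|")
    return value.replace("=", "\\=").replace("\n", "\\n")


def format_cef(report, vendor="ExampleOrg", product="av-reporter", version="1.0"):
    """Render the report as one CEF line, a format common SIEM collectors accept.

    Severity 8 (of 10) is an arbitrary choice for a confirmed detection.
    """
    header = "|".join(_cef_escape(v, header=True) for v in (
        vendor, product, version, "MALWARE_FOUND", "Malware detected", "8"))
    ext = " ".join(f"{k}={_cef_escape(v)}" for k, v in (
        ("rt", report["reported_at"]),
        ("dvchost", report["host"]),
        ("cnt", report["detection_count"]),
        ("cs1", ",".join(report["signatures"])),
        ("cs1Label", "signatures"),
        ("fname", report["files"][0]["path"]),
    ))
    return f"CEF:0|{header}|{ext}"


def send_udp(message, host="127.0.0.1", port=514):
    """Forward one report line to a collector over plain UDP; returns bytes sent.

    Plain UDP is used only because it needs no credentials and runs offline;
    a production pipeline should use TLS syslog or an authenticated HTTPS endpoint.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        return sock.sendto(message.encode("utf-8"), (host, port))


if __name__ == "__main__":
    report = build_report(SAMPLE_SCAN_OUTPUT, hostname="ws-017")
    print(json.dumps(report, indent=2))
    print(format_cef(report))
```

In practice such a script would be run from the scanner's post-scan hook (or as a scheduled job over the scanner's log) so that every detection reaches the alarm centre without the user having to act; the user's own report, as the text above requires, remains the fallback for infections the scanner does not recognise.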
Informing additional locations by the central contact person
In addition to informing the organisation's own employees or organisational units, it may also be necessary under some circumstances to inform external parties who may be affected by the malware infection. In particular, this includes anyone who may have received the malware from the organisation (e.g. as an e-mail attachment) or been infected by it.
To raise awareness, it can also make sense to inform internal employees who are not directly affected by the malware. The following information on the malware incident should be provided in this case:
- the type of malicious software detected,
- how the malware was able to enter the organisation (via e-mail, for example),
- the symptoms by which the malware can be recognised, if any (it plays a certain melody, displays a certain message, etc.),
- the damage the malicious software could cause,
- the damage the malicious software has already caused,
- the damage the malicious software cannot cause,
- the appropriate response at the current time, and
- who will remove the malicious software and how it will be removed.
Clear rules and regulations must be made stating which internal and external locations must be informed in case of a malware infection. Additional information on this subject can be found in S 6.65 Notification of parties affected by security incidents.
Review questions:
- Is there a central alarm centre available for reporting malware incidents?
- Is a message sent automatically to the central contact persons when the virus protection programs used detect a potential infection?
- Is it ensured that all users are aware of the central contact persons and reporting paths for malware incidents?
- Are there rules specifying when and to what extent external locations need to be informed in the case of malware incidents?