S 2.160 Rules designed for protection against malware
Initiation responsibility: Head of IT, IT Security Officer
Implementation responsibility: IT Security Officer, Head of IT
To achieve effective protection against malicious software, it is necessary to specify organisational and personnel rules in addition to implementing technical security safeguards. The most important aspects to be taken into account in this context are summarised below:
- All users and administrators must be made aware of the problems associated with malware and must receive training, tailored to their respective groups, on the security safeguards to be observed.
- The tasks, authorities, and responsibilities for protection against malware must be clearly defined. This applies especially to the administrators, the users, the IS management team, and the central contact for malware-related issues.
- Rules and regulations must be established relating to the handling of software and IT systems.
- A procedure must be specified for reporting security incidents, and in particular for reporting malware infections, to the offices responsible for handling such incidents (see S 2.158 Reporting infections of malware).
- To enable fast detection of malware when exchanging data media and during data transmissions and to minimise the risk of spreading malware, it must be specified that users are required to check exchanged data media and data transmissions for malware.
- Rules must be established specifying how to proceed in the event of an infection by malware. In particular, it must be specified which people and which organisations need to be informed in such a case (see S 6.23 Procedures in the event of malware).
- On IT systems on which no resident virus protection program is installed, a virus protection program must be run regularly as a substitute (see S 4.3 Use of virus protection programs).
All employees must be instructed as to which rules and regulations apply to them.
Regular checks and spot checks should be conducted to determine whether the rules and regulations are being followed, so that violations can be detected and, if necessary, responded to accordingly.
Review questions:
- Have the rules required for protection against malware been specified?
- Are the tasks, authorities, and responsibilities for protection against malware clearly defined?
- Are the people affected familiar with the rules designed to protect against malware that apply to them?
- Are spot checks and regular checks conducted to determine if the rules designed to protect against malware are being followed?