S 4.33 Use of a virus scanning program on exchange of data media and during data transfer
Initiation responsibility: IT Security Officer
Implementation responsibility: User
In addition to the implementation instructions presented in S 2.3 Data media control, a virus scan should be performed immediately before and after transferring data as well as when exchanging or sending diskettes or other data media (see S 4.3 Periodic runs of a virus detection program). It must be ensured in this case that the virus scanning program used also detects macro viruses.
A record of the scan performed by the sender should be enclosed with the data medium to be sent or appended to a file that is then sent electronically. It is recommended to keep a copy of this record. The recipient can use this record to gain an initial impression of the integrity of the data transferred, but the record does not replace a second virus scan: the recipient is still required to scan the data media again for viruses. The sender, on the other hand, can use the record to prove that the files were not infected before sending if the recipient claims the data received was infected with viruses.
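One way to make such a scan record checkable, shown as an added example that is not part of the safeguard text: the sender records a verdict and a SHA-256 digest per file, and the recipient compares the received medium against the record before running their own scan. The record layout, the function names and the `is_clean` callable (a wrapper around whatever scanner is installed) are assumptions made for this illustration.

```python
import hashlib
from datetime import datetime, timezone
from pathlib import Path

def sha256_of(path):
    """Digest of the file content, read in chunks so large files are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_scan_record(root, scanner_name, is_clean):
    """Sender side: scan every file under root, record verdict and digest.

    is_clean is a hypothetical callable(path) -> bool that invokes the
    installed virus scanner (which must also detect macro viruses).
    """
    root = Path(root)
    files = {}
    for p in sorted(q for q in root.rglob("*") if q.is_file()):
        files[p.relative_to(root).as_posix()] = {
            "sha256": sha256_of(p),
            "clean": bool(is_clean(p)),
        }
    return {
        "scanner": scanner_name,
        "scanned_at": datetime.now(timezone.utc).isoformat(),
        "files": files,
    }

def check_against_record(root, record):
    """Recipient side: list discrepancies between the medium and the record."""
    root = Path(root)
    present = {p.relative_to(root).as_posix()
               for p in root.rglob("*") if p.is_file()}
    problems = []
    for name, entry in record["files"].items():
        if not entry["clean"]:
            problems.append(f"{name}: sender's scan reported an infection")
        if name not in present:
            problems.append(f"{name}: listed in record but missing")
        elif sha256_of(root / name) != entry["sha256"]:
            problems.append(f"{name}: content changed after the sender's scan")
    for name in sorted(present - set(record["files"])):
        problems.append(f"{name}: not covered by the sender's scan")
    return problems
```

The record is passed to `check_against_record` separately from the files it describes; the copy kept by the sender is what supports the sender's later proof.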
Review questions:
- Is the scan for malicious software performed and logged before and after exchange of data?

