Pol-Protection from Malicious Software
policy Protection Malicious Software modified Fri Oct 14 2022 09:01:48 GMT-0400 (Eastern Daylight Time)
University of Louisville
OFFICIAL UNIVERSITY ADMINISTRATIVE POLICY
POLICY NAME
Protection from Malicious Software
EFFECTIVE DATE
July 23, 2007
POLICY NUMBER
ISO-014 v2.0
POLICY APPLICABILITY
This policy applies to all University workforce, faculty and student members (including, but not limited to: faculty, staff, students, temps, trainees, volunteers, and other persons as deemed appropriate) while conducting/performing work, teaching, research or study activity using University resources and includes all facilities, property, data and equipment owned, leased and/or maintained by the University or affiliates.
REASON FOR POLICY
Protection from malicious software (viruses, worms, trojans, rootkits, hostile ActiveX controls, etc.) must be utilized within the university network.
POLICY STATEMENT
All computing devices must be configured with appropriate safeguards against malicious software. Anti-virus, anti-malware and firewall software must be enabled on all Windows-based computing devices that attach to the University networks. Non-Windows computing devices should use equivalent safeguards. Servers must be configured so that they are protected by the university’s enterprise firewall and meet all other enterprise class configuration, administration and maintenance requirements. All exemptions must follow ISO-004 Policy Exception Management Process.
STANDARDS
Administrative Standards:
- Antivirus software and updates are automatically distributed by IT to all Active Directory attached computing systems. Personal machines running Windows-based operating systems can get free virus protection through Microsoft Security Essentials. Mac users can obtain free copies of Symantec Endpoint Protection for Macintosh through the iTech Xpress store. Exceptions to the recommended tools such as firewalls, antivirus, and anti-malware should be approved by IT.
- Intrusion detection, network monitoring, incident logging, and response coordination necessary for the detection and elimination of, and recovery from, various forms of attack on university resources are managed by the IT department (see ISO-006 Security Incidents).
- Systems found to be infected will be removed from the network until the infection is removed and the system has been properly protected.
- Proper preparation of all computing systems (desktops, laptops, servers, printers and mobile devices) must be conducted. Tier Support must ensure installation of virus protection, and anti-malware; enable firewalls on all applicable computing devices; and disable unnecessary services before distribution to the user community.
- In adherence to the server policy, system administrators must ensure that virus protection and anti-malware are up to date and the firewall is enabled. In addition, they must ensure that unnecessary services are disabled before connecting to the university’s network.
- Use of Peer-to-Peer (P2P) "file sharing" software applications is not permissible for any file sharing activities that facilitate abuse of copyright and intellectual property laws.
- Non-university approved instant messaging programs such as Google Talk do not include virus protection and are not permissible methods of file sharing.
Technical Standards:
- All computing devices must be appropriately configured for automatic virus detection and malware blocking.
- Virus and anti-malware definitions must be updated at least weekly. An automatic definition update option should be enabled if supported by the virus or anti-malware protection tool. Virus protection is automatically configured and updated for Windows OS systems joined to the university’s Active Directory domain.
- All software not obtained directly through IT, regardless of origin, should be scanned for viruses and malware before installation on any university system. Note: software downloaded from freeware/shareware or other untrusted vendor web sites has the highest risk of malware or virus contamination and should always be scanned before running the installation executable.
- Workstation virus scanning software must be configured to scan all e-mail attachments upon receipt with auto-protect/real time protection enabled.
- All computing devices not running updated anti-virus and anti-malware software must be scanned for malicious files prior to connection to the university network.
- Home computer systems connecting to the university networks must meet the same anti-virus, anti-malware and firewall standards as systems on the university premises.
- All virus and malware detections must be reported to Tier 1 support for evaluation and cleansing of the computer (See ISO PS006 Security Incidents).
- Anti-virus, anti-malware or firewall protection programs must not be disabled while connected to the campus network. Note: If installation of software requires the temporary termination of these programs, the computing device must be disconnected from the network while the software is being installed. The protection programs must be restarted before the computing device is reconnected to the network.
- Removable media (flash drives, CDs, external drives, etc.) from unknown or untrusted sources must be scanned for viruses and malware. Auto-start mechanisms must be bypassed when first using removable media that has not been scanned for viruses and malware. Use of removable media in untrusted or publicly accessible machines in locations such as hotels and lecture halls is discouraged, and the media should be scanned when such use is unavoidable.
Software Standards:
The following software has been tested and is recommended by the IT Department for anti-virus, anti-malware and firewall protection:
- System Center Endpoint Protection (provided by the University for all faculty, staff, students and affiliated entities).
- Microsoft Security Essentials.
- Symantec Endpoint Protection for Apple OSX.
- Microsoft Defender (Windows 8, 8.1, 10).
- Microsoft Windows Firewall.
RESPONSIBILITIES
The Dean of each School or Administrative Department Head is responsible for the implementation of these security policies and standards so that all computing devices in their areas of responsibility have implemented the appropriate virus protection, anti-malware and firewall controls as outlined in this document and that all such tools are kept current with the most recent updates installed.
Policy Authority/Enforcement: The University's Information Security Officer (ISO) is responsible for the development, publication, modification and oversight of these policies and standards. The ISO works in conjunction with University Leadership, Information Technology, Audit Services and others for development, monitoring and enforcement of these policies and standards.
Policy Compliance: Failure to comply with these policies and standards and/or any related information security and/or information technology policy, standard or procedure may result in disciplinary action up to and including termination of employment, services or relationship with the University and/or action in accordance with local ordinances, state or federal laws.
FORMS/ONLINE PROCESSES
Policy exception process: ISO-004 Policy Exception Management Process.
Security Incidents Policy: ISO-006 Security Incidents
ADMINISTRATIVE AUTHORITY
Vice President for Risk, Audit, and Compliance
RESPONSIBLE UNIVERSITY DEPARTMENT/DIVISION
Information Security Office
502-852-6692
isopol@louisville.edu
HISTORY
This policy is subject to change or termination by the University at any time. This policy SUPERSEDES all prior policies, procedures or advisories pertaining to the same subject.
This policy will be reviewed annually to determine if the policy addresses University risk exposure and is in compliance with the applicable security regulations and University direction. In the event that significant regulatory changes occur, this policy will be reviewed and updated as needed per the Policy Management process.
Approved July 23, 2007 by the Compliance Oversight Council
Shirley C Willihnganz, Executive Vice President and University Provost, Chair of the Compliance Oversight Council
Revision Date(s):
1.0 / July 23, 2007 / Original Publication
1.1 / January 29, 2013 / Content Update
2.0 / March 8, 2016 / Review and update content and update to template format
2.0 / August 13, 2018 / Review and update grammar (should/must, division/department) and punctuation.
2.0 / September 13, 2019 / Update Reason for Policy.
Reviewed Date(s): September 29, 2014; March 8, 2016; June 13, 2017; August 13, 2018
The University Policy and Procedure Library is updated regularly. In order to ensure a printed copy of this document is current, please access it online at http://louisville.edu/policies.