Information Security Policies: Workstation Anti-virus

Guideline Content

1. Goals

This procedure is intended to detail and describe the guidelines of working with an anti-virus system on Weizmann Institute of Science computers.

2. Terms and Definitions

End user: Institute employee or external worker who, in the context of his/her work uses Weizmann Institute computer information systems, and/or is exposed to internal information (hereinafter “the user”).

Information integrity: full parity between information repository and original data. All original data, and only the original data, must be stored in the information repository, with no unnecessary modification.

Information confidentiality: protection of information content from unauthorized entities.

Information availability: the ability to access information on demand.

Information security: all of the actions and measures taken to ensure information integrity, confidentiality and availability.

User ID: a unique ID set for each individual user throughout the Institute, for information systems identification purposes.

Password: a string containing a number of characters, which together with the user name serves to authenticate the user’s identity in the information system.

Malicious software (malware): software designed to be distributed among computers and inflict damage on information systems.

Anti-virus: software designed to detect and block malicious software on the computer, on which it is installed. Malicious software is detected via a current signature file (essentially a list of widespread existing virus types).

Classified information: internal information which, if exposed, may cause significant direct or indirect damage to the Institute (for example: personal information of Weizmann employees, sensitive commercial information, credit card information, etc.).

Internal information: all Weizmann Institute information, which, if disclosed to unauthorized parties, may cause damage to the Institute. Nearly all of the information at the institute is to be regarded internal and may not be used for anything but work-related purposes.

Privacy protection law: state law for protection of citizen privacy, with emphasis on personal citizen details stored on computer information systems. Should a person’s privacy be compromised, the law places liability solely on the information owner/repository holder, not on the person or persons having made illegal use of the information.

3. Responsibility
   1. Implementation and execution of these guidelines are the responsibility of the IT Infrastructure branch Information Security section, under Weizmann IT.
   2. All faculty computing administrators are fully responsible for implementation and enforcement of these guidelines, and for distribution, updating and maintenance of the anti-virus system under their control, which is outside the management of the IT infrastructure branch.

4. Applicability

These guidelines apply to all Institute workstations, whether belonging to the administrative or scientific sectors.

Routine working guidelines:

1. Software reporting the state of workstation information protection (anti-virus) to a central authority is to be installed on all Institute workstations.
2. The anti-virus software is to be capable of identifying viruses, Trojan horses and/or any other malicious code that may damage a workstation, network services, servers and other workstations on the Institute network, or pose the risk of exposing Institute information.
3. The anti-virus software is to be launched and activated automatically during operating system boot, and is to remain operational at all times.
4. End users are not to be allowed to perform changes in anti-virus software settings, aside from those authorized by information security policy. Should other unauthorized changes be needed, an official service request must be submitted via the Service Desk system, and is to be handled by the information security team.
5. End users are not to be allowed to cancel or terminate anti-virus software operation. Should this be necessary for troubleshooting of problems potentially involving the anti-virus software, a request must be submitted via the Service Desk system, and is to be handled by the information security team.
6. A full scan of all files on the computer is to be performed by the anti-virus software at least once a week. Such scans are presently scheduled for Friday or Saturday night hours only, so as not to interfere with regular activities.
7. The anti-virus software is to perform a real-time scan of files arriving as e-mail attachments. Additionally, automated scans are to be initiated on any new file entering a computer, typically by way of accessing network shares.
8. The anti-virus software is to notify both the central management system and the end user of any detection of malicious code and/or viruses on the system. It is the responsibility of the end user to report virus detection to the relevant faculty computing administrator, who must take action to neutralize the threat.
9. Workstations infected with viruses and/or other malicious software that have been detected though not yet removed by the anti-virus system – present a threat to the integrity of the data on the computer, as well as to all other campus computers. Such workstations must be brought into the Service Desk for backup and recovery, so as to eliminate all malicious software.
10. The anti-virus software version installed on workstations is to be the very latest supported by its vendor.
11. The anti-virus software is to be updated every time the vendor offers an update. Updates shall be performed automatically via the Institute’s network – and should not require automated workstation reboot. Prior to application of automatic updates, the software is to be tested on test computers with different operating systems, to ensure proper operation during updates.
12. Virus signatures are to be updated automatically as per the policy defined in the central management system.
13. Deviation from this policy is to be allowed on systems (computers) connected to scientific equipment, for which concerns may arise that updates may damage system functionality and/or interfere with active research experiments. Signatures and the anti-virus engine are to be updated in a controlled manner on such systems, by faculty computing administrators and/or by the information security team.
14. The anti-virus software is to store an internal application log listing scan activities and anti-virus system detections.
15. Anti-virus systems other than the standard Institute anti-virus systems (currently Symantec) are required to generate reports, to be delivered once a month to the Institute’s information security team. These reports are to cover at least the following: workstations detailed by names, IP addresses, anti-virus versions, signature versions, workstation update distribution, detected viruses, virus severity levels, deleted viruses and any other unhandled virus status.
16. Faculty computing administrators responsible for non-Symantec anti-virus systems shall send automated reports to the head of the information security section once a month. These reports will feature at least the following information: anti-virus agent-equipped computer inventory, agent version, workstation signature file version, a list of workstations lacking anti-virus software, monthly detections of workstation viruses, and their status (deleted, not deleted, in quarantine, etc.).

5. Virus Outbreaks

Unfortunately, a virus may at times cause an outbreak and highly accelerated infection.

Such an event typically necessitates rapid response, with such centralized measures taken as immediate patch updates, port blocking and more, depending on specific type of event.

Due to the fact that numerous central systems (Symantec, ESET) are active at the Institute, containing such an event without proper cooperation is impossible.

The following working guidelines apply to virus outbreaks:

1. Events of this nature typically result in many central anti-virus system alerts. Should the information security team or faculty computing administrator managing a central system (such as the Mathematics or Physics faculties) determine a cascade infection event – they must immediately notify the information security team and IT Service Desk.
2. The nature of the virus detected must be examined, and it must be determined whether or not the anti-virus system is capable of effectively handling it. Should any one of the systems be capable of doing so, the signature file must immediately be updated remotely on all workstations managed by that system.
3. Should an anti-virus system lack updates or not allow for a workaround enabling prevention of further infection, a high priority service request must be initiated with the anti-virus vendor’s support center. Should this be supported contractually, an expert is to be dispatched by the vendor to the Institute, so as to assist in having the system properly handle the incident.
4. On-demand reporting of signature update aspects must be supported on all anti-virus systems, so as to enable proper tracking of infection/mitigation rates.
5. During virus outbreaks, it is the responsibility of faculty computing administrators to act as per information security team instructions, and to serve as part of the incident mitigation team. Their presence is required, to ensure that they provide technical solutions for users and anti-virus systems managed separately from the Institute’s central anti-virus system.