Standard 8: Malware, viruses and email threats
Our practice has reliable protection against computer malware and viruses
The compliance indicators listed in the matrix identify the specific actions that comprise good security practice for Standard 8.
It is assumed the practice will provide appropriate education and training to facilitate compliance with this Standard.
The compliance indicators at level 4 reflect the minimum level of computer and information security acceptable for this Standard. The compliance indicators for higher levels provide the basis for incremental security improvement.
| Malware, viruses and email threats compliance indicators | Level 1 Initial | Level 2 Repeatable | Level 3 Defined | Level 4 Managed (Minimum) | Level 5 Optimised |
|---|---|---|---|---|---|
| 8.1 Policy content | No formal policy | No complete written policy | Complete written policy | Complete written policy, periodically reviewed | Complete written policy, reviewed annually |
| 8.2 Policy communication | Policy not communicated to the practice team | Policy communicated verbally to the practice team | Policy communicated in written format to relevant practice team members | Policy communicated in written format, training provided and all practice team members have access to the policy | Policy available in written format to relevant practice team members; regular training for the practice team and communication strategy reviewed against policy; all practice team aware of the content and implications of the policy |
| 8.3 Software (antivirus/anti-malware): installation | Software installed at internet service provider (ISP) | Installed on practice server only | Installed on practice server and main computer | Installed on all practice computers | Installed on all computers and mobile devices (practice and personal) that connect to the practice system |
| 8.3 Software (antivirus/anti-malware): updates | Antivirus not updated, update status unknown | Manual updates ad hoc | Manual daily updates on all computers | Automatic data/signature file updates on server; weekly updates on other computers | Automatic daily updates on all computers and devices |
| 8.3 Software (antivirus/anti-malware): scanning | Manual scanning when prompted by incident | Periodic (regular) manual scanning | Automatic scanning every 3 months | Automatic scanning monthly | Automatic weekly full scans of all computers |
| 8.3 Software (antivirus/anti-malware): training | None provided or unknown | Ad hoc training | Training prompted by incidents | Ongoing education at practice meetings | Ongoing education at practice meetings; planned additional training (bi-yearly) |
|Adapted and reproduced with permission from Dr Patricia Williams
Helpful templates for this Standard
Template 8.1 will assist in achieving compliance. Completion of this template will ensure you have fully documented the requirements of this Standard.
Malicious code (malware) includes viruses, worms and trojans. Malware can have many purposes and intentionally seeks to corrupt, destroy or steal data, or to use your computer for unauthorised purposes. Malware can interfere with computer functioning, resulting in minor inconvenience or, in extreme cases, system inoperability. Certain types of malware can also capture passwords as they are typed (key logging); a password captured this way is compromised regardless of its strength, which is one reason passwords should be changed regularly and, in particular, changed after a suspected infection, once the malware has been removed (a key logger still present will simply capture the replacement).
Malware is generally introduced into a system while communicating electronically with the outside world via email or the internet. It can also be transmitted via CDs/DVDs, USB flash drives (memory sticks) and other portable devices and media.
There are also various email threats such as phishing and spam. Other threats associated with internet use include spyware, adware and cookies. These types of threats are described in the glossary.
Some software, notably web browsers and email programs, is a common route for malware because it fetches and renders content from untrusted sources, and default settings may allow downloaded files or active content to run with little warning. Such software should be kept up to date, and technical advice should be sought on whether changes to its security and privacy settings would lower the risk of infection.
8.1 Policy content
Installation and monitoring procedures for anti-malware and antivirus software should be documented, including what to do if malware is detected.
This policy provides a guide to protection from malware. It should include:
- all computers attached to the practice network must have virus and malware checking software installed and fully enabled
- malware protection software must not be disabled or bypassed, nor its settings adjusted to reduce its effectiveness; general users of the system are not authorised to alter these settings
- automatic updating of malware protection software and its data (signature) files should be enabled for daily updating; this can be scheduled overnight so as not to affect system response time (technical advice may be required)
- all email attachments are scanned automatically
- all documents imported into the computer system are scanned automatically
- all computers are scanned nightly
- practice team members are trained in malware prevention procedures
- practice team members are trained to detect malware incidents and to report every incident
- the cookies feature in web browsers is turned off where possible, noting that some legitimate software (including web-based clinical and practice systems) may need cookies to function properly.
8.2 Policy communication
The policy should be in written format and communicated to relevant practice team members.
8.3 Software (antivirus/anti-malware)
Antivirus and anti-malware software should be installed on all computers and servers. It should be centrally installed and controlled.
The risk of malware infection can be reduced by having a process in place that minimises the risk of downloading malware (e.g. checking email attachments for viruses, quarantining downloaded files until they are established to be safe, and turning off cookies).
Automatic updating of virus and malware definitions should be enabled on all computers and servers.
Automatic scans of computers should be enabled and occur regularly.
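Whether a computer actually meets the 8.3 indicators (protection enabled and not bypassed, definitions updated daily, a full scan at least weekly, scanning scheduled rather than left to manual runs), and the daily update and nightly scan items in the 8.1 policy list, can be verified from the computer itself rather than taken on trust. The following PowerShell script is an added example, not part of the Standard or Template 8.1; it assumes the practice uses Microsoft Defender Antivirus (whose `Get-MpComputerStatus` and `Get-MpPreference` cmdlets ship with Windows), the day thresholds are taken from the Level 5 column of the matrix, and the computer names in the remoting line are placeholders.

```powershell
# Added example (not part of the Standard): audit one Windows computer against the
# 8.3 compliance indicators using Microsoft Defender Antivirus.
# Assumptions: Defender is the practice's anti-malware product; thresholds follow the
# Level 5 column (daily definition updates, weekly full scans).

function Test-MalwareProtection {
    $status   = Get-MpComputerStatus
    $prefs    = Get-MpPreference
    $findings = @()

    # 8.1 / 8.3 installation: software installed, enabled and not bypassed.
    if (-not $status.AMServiceEnabled)          { $findings += 'Defender service is not running' }
    if (-not $status.AntivirusEnabled)          { $findings += 'Antivirus engine is disabled' }
    if (-not $status.RealTimeProtectionEnabled) { $findings += 'Real-time protection is disabled' }
    if ($prefs.DisableRealtimeMonitoring)       { $findings += 'Real-time monitoring has been turned off in preferences' }

    # 8.3 updates: Level 5 is automatic daily updates on all computers.
    # AntivirusSignatureAge is the age of the installed definitions in days.
    if ($status.AntivirusSignatureAge -gt 1) {
        $findings += ('Definitions are {0} days old (last updated {1})' -f $status.AntivirusSignatureAge, $status.AntivirusSignatureLastUpdated)
    }

    # 8.3 scanning: Level 5 is an automatic full scan every week.
    # FullScanAge is days since the last completed full scan; if no full scan has ever
    # completed it is reported as a very large number, which fails this test as intended.
    if ($status.FullScanAge -gt 7) {
        $findings += ('Last full scan was {0} days ago' -f $status.FullScanAge)
    }

    # Scanning must be scheduled, not manual: ScanParameters 2 = full scan;
    # ScanScheduleDay 0 = every day, 1-7 = Sunday..Saturday, 8 = never.
    if ($prefs.ScanParameters -ne 2 -or $prefs.ScanScheduleDay -eq 8) {
        $findings += 'No scheduled full scan is configured'
    }

    # One row per computer so results from the whole practice can be tabulated.
    [pscustomobject]@{
        Computer  = $env:COMPUTERNAME
        Compliant = ($findings.Count -eq 0)
        Findings  = ($findings -join '; ')
    }
}

# Run on this computer:
Test-MalwareProtection

# Run from the practice server against every practice computer (requires PowerShell
# remoting to be enabled; the computer names below are placeholders):
# Invoke-Command -ComputerName 'RECEPTION-PC','CONSULT-1','CONSULT-2' -ScriptBlock ${function:Test-MalwareProtection} |
#     Format-Table Computer, Compliant, Findings -AutoSize
```

A computer that reports `Compliant = False` with an empty or stale signature age, or a full-scan age above seven days, sits below Level 5 on the matrix regardless of what the written policy says; running the check from the server across all computers is what turns the "installed on all practice computers" indicator into something the practice can evidence rather than assume.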
Practice team members should be educated and trained:
- not to respond to, or click links in, emails from unknown or unexpected sources
- to open attachments only where the source of the file is known and the attachment was expected
- to ensure all files downloaded from the internet are scanned for viruses
- how to respond to pop-up messages from antivirus software
- to report unusual activity on the system, as no malware software is 100% effective.