Door recognizes the importance of safeguarding its information resources against malware and viruses, which are among the most common and damaging cyber threats. By implementing a comprehensive set of measures, including antimalware and antivirus systems, access controls, user security awareness, and incident response planning, Door aims to reduce the risk of disruption to its operations and protect its stakeholders’ interests. This policy is based on best practices in the industry, including the SOC 2 framework.
The purpose of this policy is to outline the requirements for preventing and addressing computer virus, worm, spyware, malware, and other types of malicious software that could affect Door’s information resources.
This policy applies to all Door staff using Door information resources.
Door’s Information Security Program Manager or their designee shall ensure that:
- A risk assessment is conducted periodically to identify potential vulnerabilities related to malware and viruses, prioritize them based on their likelihood and impact, and develop mitigation plans accordingly.
- Procedures and tools are in place to guard against, detect, and report malicious software, and they are reviewed and updated periodically to reflect changes in the threat landscape and technological advances.
- IT personnel receive appropriate training and support to effectively use the security solutions that protect against malicious software.
- End users are informed of the security policies enforced on their workstations and trained on how to avoid and report suspicious activities.
All workstation- and server-based assets used for Door business, whether connected to the Door network or operating as standalone units, must use Door-approved antivirus/antimalware protection software and configuration provided by the Door technical staff.
The following procedures shall be followed:
- Virus protection software must not be disabled or bypassed
- Settings for the virus protection software must not be altered in a manner that will reduce the software's effectiveness
- The automatic update frequency must not be altered to reduce the frequency of updates
- All servers attached to the Door network must utilize Door-approved/standard virus protection software and setup to detect and clean viruses
- All electronic mail gateways, devices, and servers must use Door-approved e-mail virus/malware/spam protection software and must adhere to Door rules for the setup and use of this software
- Any threat that is not automatically cleaned, quarantined, and subsequently deleted by malware protection software constitutes a security incident and must be reported to the IT Help Desk
- Antivirus/antimalware signature updates shall occur at a frequency defined by the Information Security Program Manager, and at a minimum once each calendar day
4.2 Application Installation and Management
All Door-authorized applications and software shall be installed by Door’s Managed Service Provider or Door’s internal technical staff. Door-managed antivirus and malware software shall ensure:
- Authorized applications and software operate according to a clearly defined security policy
- All unauthorized applications and software are prevented from being executed.
4.3 Licensing, Maintenance and Support
Maintenance actions (software updates, definition updates, infections, etc.) shall be logged and retained for a period aligning with Information Security and Door requirements to allow proper investigations into malware-related incidents.
Management shall ensure proper licensing, tracking, and related documentation. This shall include processes and procedures supporting:
- Antivirus software installation on all systems
- Regular threat scanning capable of detecting, removing, and protecting against known types of malicious software
- Annual review and re-evaluation of low-risk systems and appliances not considered affected by malicious software based on current best practice
- Proactive monitoring and update mechanisms supporting this policy
- Verification that mechanisms are in place for preventing users from disabling or modifying antivirus detection tools
- Processes and procedures for exceptions to the policy exist and are followed based on a case-by-case evaluation
- If antivirus mechanisms are disabled, additional security measures may need to be implemented for the period of time during which antivirus protection is not active.
5. Audit Controls and Management
Documented procedures and evidence of practices should be in place and available on demand for this operational policy. Appropriate controls include:
- Antivirus and antimalware installation and update logs
- Associated virus scan and history logs
- Procedures for quarantine and removal of threats
- Documented remediation and communication procedures for large-scale incidents
- Regular audits to evaluate the effectiveness of the policy and its implementation.
- Findings from audits are documented and remediated as necessary.
- An annual review of the policy and its implementation to ensure continued alignment with industry best practices and SOC 2 controls.
Staff members found in violation of this policy may be subject to disciplinary action, up to and including termination.
This policy is to be distributed to all Door staff and contractors using Door information resources.