IT Baseline Protection Manual S 2.154 Creation of a computer virus protection concept
Initiation responsibility: Head of IT Section, IT Security Management
Implementation responsibility: IT Security Management
In order to obtain effective protection against computer viruses for an entire organisation, it is essential to select and implement co-ordinated and appropriate protective measures. This calls for a conceptual approach to ensure that suitable measures are applied to all IT systems concerned and that the necessary protection is maintained by a programme of updating.
The table of contents of a computer virus protection concept is shown below.
Table of contents of a computer virus protection concept

Part A: Awareness raising
    Dependence of the institution on the use of IT
    Description of the hazard potential
        Computer viruses
        Macro viruses
        Trojan horses
        Hoaxes
    Damage scenarios
    IT systems potentially affected

Part B: Necessary protective measures
    Computer virus protection strategy
        Non-networked IT systems
        Networked terminals
        Servers
    Updating computer virus scanning programs
        Non-networked IT systems
        Networked terminals
        Servers

Part C: Regulations
    Regulations on protection against computer viruses
        Ban on using non-approved software
        Training of IT users
        Rearranging the boot sequence
        Creating an emergency floppy disk
        Procedures in the event of computer virus infection
    Measures for IT systems with non-resident virus-checking
        1 Periodic running of a computer virus detection program
        2 Virus checking on exchange of data media and during data transmission
        3 Checking of incoming files for macro viruses
    Regulation of responsibilities
        Who to contact in relation to computer viruses
        Responsibility of administrators
        Responsibility of individual IT users
        Responsibility of IT security management

Part D: Resources
    Procedures in the event of computer virus infection
    Reporting channels in the event of computer virus infection
    User's Guide for the computer virus detection program

The measures described in the following explain how some important parts of this concept can be put into practice.
Additional controls:
Has the computer virus protection concept been put into effect by management?
Is the computer virus protection concept known to all those affected by it?