IT Baseline Protection Manual S 2.160 Regulations on computer virus protection

S 2.160 Regulations on computer virus protection

Initiation responsibility: Head of IT Section, IT Security Management

Implementation responsibility: Head of IT Section

In order to obtain effective protection against computer viruses, certain additional measures must be put in place over and above the use of virus scanning programs. With this in mind, it is necessary to address the following points, among others:

Use of computer virus scanning programs

The use of these programs is to be specified and documented in accordance with the chosen strategy and the chosen product (cf. S 2.156 Selection of a suitable computer virus protection strategy, S 2.157 Selection of a suitable computer virus scanning program). In addition it is necessary to determine how, at what intervals and by whom the computer virus scanning programs will be updated (cf. S 2.159 Updating the computer virus scanning programs used).

Training of IT users

The IT users affected must be informed of, or given training in, the dangers posed by computer viruses, macro viruses, Trojan horses and hoaxes (cf. T 5.23 Computer viruses, T 5.43 Macro viruses, T 5.21 Trojan horses, T 5.80 Hoaxes), the necessary IT security measures, behaviour in the event of computer virus infection and handling of the computer virus scanning program (cf. S 3.5 Education on IT security measures, S 3.4 Training before actual use of a program, S 6.23 Procedures in the event of computer virus infection).

Ban on the use of non-approved software

The installation and use of non-approved software, in particular software that has not been virus-checked, must be forbidden (cf. S 2.9 Ban on using non-approved software). Over and above that it may be necessary to stipulate that checks on observance of the ban are performed regularly (cf. S 2.10 Survey of the software held).

Protective measures on the IT system

The boot sequence during operating system startup must be rearranged such that as a rule the system is started first from the hard disk (or from the network) and only then from an external medium (floppy disk, CD-ROM; cf. S 4.84 Use of BIOS security mechanisms). In addition, an emergency floppy disk must be created for every available computer type, in order to allow a successful cleanup in the event of a computer virus infection (cf. S 6.24 Creating a PC emergency floppy disk). If a new computer virus does cause damage despite the precautions, a backup must be used. Data backups must therefore be created on a regular basis (cf. S 6.32 Regular data backups). When data backups are reloaded, care must be taken that no files infected by the computer virus are restored to the system as a result.

Measures for IT systems with non-resident virus checking

In IT systems on which no resident computer virus scanning program is installed, as an alternative it is necessary to stipulate the regular use of a computer virus scanning program (cf. S 4.3 Periodic runs of a virus-detection program), checking for viruses when data media are exchanged and data is transferred (cf. S 4.33 Use of a virus scanning program on exchange of data media and during data transfer) and checking for macro viruses when incoming files are received (cf. S 4.44 Checking incoming files for macro viruses) in order to ensure the rapid detection of computer viruses and to prevent their being spread further.

Reporting of computer viruses

It must be stipulated to whom the discovery of a computer virus must be reported without delay. The form of the report (form sheet) and the means of communication (by telephone, in person, in writing, by e-mail) must also be regulated (see S 2.158 Reporting computer virus infections).

Regulation of responsibilities

The tasks, authorities and responsibilities for protection against computer viruses must be laid down for the following:

Updating the computer virus protection concept

When changes are made to IT systems, when new IT systems are installed and when networking changes are made, the computer virus protection concept must be updated and adapted (cf. S 2.34 Documentation of changes made to an existing IT system).

These arrangements must be made known to those people affected. The observance of these arrangements should be checked from time to time in order to ensure that the computer virus protection concept is consistently implemented.

Additional controls:


© Copyright by
Bundesamt für Sicherheit in der Informationstechnik
July 1999