Summary: This document describes Southern Health NHS Foundation Trust's requirements
for anti-virus and anti-malware protection across Trust information systems.
SH IG 49 - Anti-Virus and Anti-Malware Policy
Version: 2
September 2016
Version Control
Change Record
Reviewers/contributors
Quick Reference Guide
For quick reference, this page summarises the actions required by this policy. This does not negate the
need to be aware of and to follow the further detail provided in this policy.
1. All 'end points' and network 'entry' points must be protected from malware and its effects, and must
protect the resources they host or provide access to.
2. Wherever possible, AV software is to be installed on all suitable endpoints, including all forms of
client and server, regardless of whether they are networked or standalone.
3. The aim is 100% coverage of Anti-Virus on all endpoints that are capable of running the software.
All endpoints running Anti-Virus must meet the compliance requirements set out in this policy.
4. Technical Services will ensure that other relevant controls are in place to provide layered
security, including patch management, segregation of high-risk devices, control of administrative
permissions, and boundary controls.
5. If a user observes any unusual activity leading them to suspect a malware attack, the user must
follow the reporting steps set out in section 8 (Suspected Malware Outbreak).
6. Technical Services will respond to all malware attacks and will perform identification and remediation
and, if required, reporting to senior management and/or NHS Digital.
Contents
1. Background/General
2. Purpose
3. Scope
4. Definitions
5. AV Protection
6. Layered Security, Reducing the Scope for Malware
7. AV Deployment to End Points
8. Suspected Malware Outbreak
9. Training requirements
10. Monitoring compliance
11. Associated trust documents
Anti-Virus and Anti-Malware Policy
1. Background/General
1.1. Healthcare Trusts are increasingly dependent upon their usage of ICT network(s) as a key tool
for managing and delivering health care services and for communicating with their care partners.
A major threat to the delivery of ICT services is malicious software (malware) which has the
potential to undermine the confidentiality, integrity and availability of those services/data hosted
on ICT systems or can adversely impact the underlying infrastructure hosting these systems and
thus prevent access to the resources.
1.2. ICT has a responsibility to ensure that appropriate technical measures are implemented to
protect against malware and to ensure that appropriate controls are in place to rapidly detect,
isolate and remove any instances. A single technical solution cannot be relied upon and therefore
a ‘layered approach’ will be implemented in order to provide the best overall protection against
the omnipresent threat of malware from whichever vector it may appear.
2. Purpose
2.1. This document sets out the policy for the protection of the networked environment and for the
continued provision of the ICT services that we provide to our customers against the threat of
malware. It provides guidance and direction on minimising the risk of a malware infection(s) and
what to do if one is encountered.
3. Scope
3.1. This policy applies to ICT resources and to all staff authorised to use/access those computer
systems and communications networks whether they are employed directly by the Trust,
contractors, NHS Professionals, bank staff, voluntary organisations or suppliers granted access
for support purposes.
3.2. Systems developed and managed centrally by NHS Digital (e.g. NHSMail, SBS, etc.) or other
external providers as contracted by the Trust (e.g. RiO, eRoster/Employee Online, etc.) are not
under the direct control of SHFT IT Services and are considered outside the scope of this
guidance.
4. Definitions
Term: Definition

Anti-Virus (AV): Software that provides an electronic defence mechanism mitigating the risk of
a computing device being infected with or affected by malware.

Virus: A computer program that can copy itself without the permission or knowledge of the user.
A virus can only spread from one computer to another when its host is taken to the uninfected
computer; for instance, by a user sending it over a network or carrying it on removable media.
targeted computer.
End points: All devices (from servers to clients to networked equipment) with an operating system
that is capable of being affected or infected by malware.

Malware: A term derived from the words "malicious" and "software". The expression is a general
term used to refer to a variety of forms of hostile, intrusive, or annoying software or program code.

Spyware: A type of malware designed to collect information from the target system and transmit
that data to external parties for unauthorised use. Most commonly packaged with legitimate (or
seemingly legitimate) software, spyware installs itself without the user's knowledge.

Trojan horse: A program that contains or installs a malicious program (the 'Trojan'). The term is
derived from the classical myth of the Trojan horse. Trojan horses may appear to be useful or
interesting programs (or at the very least harmless) to an unsuspecting user, but are actually
harmful when executed.
5. AV Protection
5.1. All ‘end points’ and network ‘entry’ points should be protected from, and provide protection to the
resources they host or provide access to from malware and its effects. Generally an AV solution
will be deployed on all assets and will mediate all traffic that may be processed on that end point.
In the case of ‘boundaries’ the point of access to the environment is to provide protection from
malware to any traffic it allows into and out of the environment. For example email and web
traffic is to be scanned for malware at the point of entry/exit to/from the environment.
The aim is 100% coverage of Anti-Virus on all endpoints that are capable of running the software.
Of the servers running Anti-Virus, 100% must pass the compliance check by having Anti-Virus
signatures within 2 days of the current release.
Of the workstations running Anti-Virus, at least 98% of the devices that have connected in the last
7 days must pass the compliance check by having Anti-Virus signatures within 7 days of the
current release. Devices that have not connected in that window are excluded from the
measurement, not counted as compliant.
The exact process for patch management is contained within the Patch Management Process
documents, but it should ensure that relevant devices are routinely patched with security
patches (patches which have failed testing may be excluded on a host-by-host basis):
Servers: should be no more than 2 months behind available and tested security patches.
Desktops and Laptops: should be no more than 3 months behind available and tested security
patches. This should apply to no less than 90% of systems on or connected to the network.
Networks/Other: should be no more than 2 months behind available and tested security
patches.
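The signature-age and patch-lag thresholds above are the measurable part of this policy, and they have a few edge cases worth getting right in a dashboard: a host that cannot run AV is excluded from the coverage denominator rather than counted as a failure, a workstation that has not connected in the last 7 days is excluded from the signature measurement rather than counted as compliant, and a server population that is 99% compliant still fails its 100% target. The following Python script is an added example that evaluates those rules over a constructed inventory; it is not the Trust's own tooling or dashboard configuration. The host names, dates and the approximation of "2 months" and "3 months" as 60 and 90 days are assumptions made for the example.

```python
"""Added example: evaluating the AV coverage, signature-age and patch-lag thresholds
stated in this policy over a constructed endpoint inventory. Not the Trust's own tooling."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Thresholds as stated in the policy text.
SIG_MAX_AGE_DAYS = {"server": 2, "workstation": 7}
SIG_REQUIRED_PCT = {"server": 100.0, "workstation": 98.0}
WORKSTATION_ACTIVE_WINDOW_DAYS = 7
# "2 months" / "3 months" approximated as 60 / 90 days (assumption, not stated in the policy).
PATCH_MAX_LAG_DAYS = {"server": 60, "workstation": 90, "network": 60}
PATCH_REQUIRED_PCT = {"server": 100.0, "workstation": 90.0, "network": 100.0}


@dataclass
class Endpoint:
    name: str
    role: str                       # "server", "workstation" or "network"
    can_run_av: bool                # False for legacy/unsupported operating systems
    av_installed: bool
    signature_date: Optional[date]  # date of the signature set on the host, None if no AV
    last_seen: date                 # last check-in to the AV management console
    patch_level: date               # date of the newest tested patch bundle applied


def _pct(passed: int, total: int) -> float:
    # An empty population has nothing failing, so it is reported as 100%.
    return 100.0 if total == 0 else round(100.0 * passed / total, 1)


def av_coverage(inventory: List[Endpoint]) -> Dict:
    """100% of endpoints *capable* of running AV must have it; incapable hosts are excluded."""
    capable = [e for e in inventory if e.can_run_av]
    missing = [e.name for e in capable if not e.av_installed]
    return {"pct": _pct(len(capable) - len(missing), len(capable)),
            "compliant": not missing, "missing": missing}


def signature_compliance(inventory: List[Endpoint], role: str,
                         current_release: date, today: date) -> Dict:
    """Servers: every host running AV. Workstations: only hosts seen in the last 7 days."""
    hosts = [e for e in inventory if e.role == role and e.av_installed]
    if role == "workstation":
        cutoff = today - timedelta(days=WORKSTATION_ACTIVE_WINDOW_DAYS)
        hosts = [e for e in hosts if e.last_seen >= cutoff]
    oldest_ok = current_release - timedelta(days=SIG_MAX_AGE_DAYS[role])
    failing = [e.name for e in hosts
               if e.signature_date is None or e.signature_date < oldest_ok]
    pct = _pct(len(hosts) - len(failing), len(hosts))
    return {"pct": pct, "compliant": pct >= SIG_REQUIRED_PCT[role], "failing": failing}


def patch_compliance(inventory: List[Endpoint], role: str, latest_tested: date) -> Dict:
    """Lag is measured against the newest *tested* patch bundle, not the newest released one."""
    hosts = [e for e in inventory if e.role == role]
    failing = [e.name for e in hosts
               if (latest_tested - e.patch_level).days > PATCH_MAX_LAG_DAYS[role]]
    pct = _pct(len(hosts) - len(failing), len(hosts))
    return {"pct": pct, "compliant": pct >= PATCH_REQUIRED_PCT[role], "failing": failing}


def compliance_report(inventory: List[Endpoint], current_release: date,
                      latest_tested: Dict[str, date], today: date) -> Dict:
    return {
        "coverage": av_coverage(inventory),
        "signatures": {r: signature_compliance(inventory, r, current_release, today)
                       for r in SIG_MAX_AGE_DAYS},
        "patches": {r: patch_compliance(inventory, r, latest_tested[r])
                    for r in PATCH_MAX_LAG_DAYS},
    }


# Constructed inventory for the example (hypothetical hosts and dates).
TODAY = date(2016, 9, 30)
CURRENT_SIGNATURE_RELEASE = date(2016, 9, 29)
LATEST_TESTED_PATCHES = {"server": date(2016, 8, 10), "workstation": date(2016, 8, 10),
                         "network": date(2016, 7, 1)}
INVENTORY = [
    Endpoint("srv-file01", "server", True, True, date(2016, 9, 28), date(2016, 9, 30), date(2016, 8, 10)),
    Endpoint("srv-app02", "server", True, True, date(2016, 9, 26), date(2016, 9, 30), date(2016, 5, 1)),
    Endpoint("ws-0101", "workstation", True, True, date(2016, 9, 25), date(2016, 9, 30), date(2016, 8, 10)),
    Endpoint("ws-0102", "workstation", True, True, date(2016, 8, 1), date(2016, 9, 15), date(2016, 6, 1)),
    Endpoint("ws-0103", "workstation", True, True, date(2016, 9, 29), date(2016, 9, 29), date(2016, 8, 10)),
    Endpoint("ws-0104", "workstation", True, False, None, date(2016, 9, 28), date(2016, 8, 10)),
    Endpoint("mri-console", "workstation", False, False, None, date(2016, 9, 30), date(2015, 1, 1)),
    Endpoint("sw-core01", "network", False, False, None, date(2016, 9, 30), date(2016, 7, 1)),
]

if __name__ == "__main__":
    for section, result in compliance_report(INVENTORY, CURRENT_SIGNATURE_RELEASE,
                                             LATEST_TESTED_PATCHES, TODAY).items():
        print(section, result)
```

On this inventory the dormant laptop ws-0102 (last seen 15 days ago) drops out of the workstation signature measurement, so workstations report 100% rather than a 66.7% figure that would prompt action on a device nobody can reach; the fix for such hosts is the "regularly connect to the network" requirement later in this policy, not a dashboard exception. The legacy mri-console is excluded from AV coverage but still counts against the workstation patch target, which is where the additional safeguards for hosts that cannot run AV should be tracked.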
individually. Users who require elevated privileges should have a secondary 'admin' account
created and should use those rights only when they are required; all other work should be
carried out using their standard network user account.
6.8. Email
Email is a critical business tool for the Trust, and the widespread use of and increasing reliance on
this service leave it open to exploitation as a means of transmitting malware and phishing
attacks.
Attachments - All email, including attachments, is to be automatically checked for malware before it
enters or leaves the email system.
Phishing and Scams - Social engineering techniques often attempt to convince users to open
attachments or 'click' on hyperlinks (which will spread malware infections) or even to divulge
sensitive information such as passwords. Technical controls are in place to protect against
this type of unsolicited email, but there is a constant risk that some email will
circumvent the controls and be delivered to the recipient; an important mitigating
action is therefore staff awareness.
This policy applies to all 'supported' assets used within the Trust regardless of who
manages/operates them or whether they are hosted on the 'network'. Where departments
manage/operate independent standalone ICT systems the requirements below still apply,
although they may be fulfilled differently as directed by individual Information Asset Owners.
Advice and guidance on fulfilling any conditions contained within this policy will be
provided by the ICT department.
ICT Technical Services has implemented an enterprise anti-virus strategy with the deployment of
AV software throughout the computer network and on the assets it supports. This software
constantly scans networks and machines for virus attacks while running in the background and is
virtually transparent to the user. The use of anti-virus software is a requirement of the NHS
Digital/N3 Statement of Compliance (SOC) agreement and the NHS Information Governance Toolkit,
and also ensures that trusts comply with their legal obligations under the Data Protection
Act 1998 to protect personal data.
All end points must routinely have the Trust standard AV software installed with on-access
scanning enabled; the anti-virus detection engine and the virus library files must be kept up to
date automatically without user interaction. Compliance with this will be regularly monitored by
ICT Technical Services staff, and prompt action should be taken to resolve instances where
devices are not compliant. For this purpose AV compliance dashboards have been configured to
provide an overview to relevant teams and senior managers.
ICT is aware that in some instances the enterprise software cannot be installed on endpoints;
for example, some machines may not be able to run the software (e.g. legacy systems with
unsupported operating systems or non-networked devices). In circumstances where AV software
either cannot be installed or cannot run in its default mode, additional safeguards are to be
implemented to limit the risk of any potential infection or spread of malware within the
environment.
In instances where the installation of AV software adversely affects the performance of the host or
the installed software, every effort should be made to find a solution other than removing the
software. For example, most AV solutions can be configured to exclude particular
files/folders/processes from scanning, or on-access scanning can be disabled and a scheduled scan used
instead (outside of working hours if necessary). Any changes are to be kept to the minimum
required to address the issue(s) and must not relax the default configuration further than necessary.
Anti-Virus software must only be installed and configured by ICT and users must not disable,
uninstall, reconfigure or interfere with the anti-virus software installed on any PC or attempt to
install alternative solutions.
Users who operate their laptops on and off the network must regularly connect to the network to
ensure that the AV software virus definitions remain up-to-date.
Network file storage facilities (shared drive, home drive) should be used wherever possible to
store computer files. Files in these areas are backed up each night. If a virus infection does
occur and the AV software cannot repair any ensuing damage, it may be possible to restore files
to a clean state from the backup media. (This is not possible for files stored on the local C: drive or on
removable media.)
Although many threats can be combated using technology, the key to robust protection is
empowering each user with the necessary knowledge to help prevent or limit virus outbreaks.
End users should be made aware of good practice guidance such as, but not limited to, only
opening emails and attachments from trusted sources and not attempting to download/install software on their PC.
Appropriate awareness campaigns/training should be aimed at staff to raise awareness.
If a user observes any unusual activity leading them to suspect a malware attack, the user must:
Gather any media, such as floppy disks, CD-ROM disc(s), USB memory stick(s), that was
used for transporting information in or out of the machine and make available to ICT;
Submit an Ulysses incident report;
Not use the PC (or suspected media) until it has been cleared as being safe to use.
9. Training requirements
No specific training requirements exist, although all Technical Services staff, IAOs and IAAs should
be aware of the requirements of this policy.