
SH IG 49

INFORMATION SECURITY SUITE OF POLICIES

Anti-Virus and Anti-Malware Policy


Version: 2

Summary: This document describes Southern Health NHS Foundation Trust's requirement
for anti-virus and anti-malware protection across Trust information systems.

Keywords: Anti-virus; anti-malware; malicious software; information security; ICT security;
virus; worm; Trojan; rootkit; ICT; security; computer; network; data; information;
malicious software; email; internet; portable devices; workstation; laptop; tablet;
server; McAfee; information assurance; confidentiality; integrity; availability;

Target Audience: All

Next Review Date: 3 years, September 2019

Approved & Ratified by: Information Governance Group (IGG)

Date of meeting: 12 September 2016

Date issued: September 2016

Author: Edward Purcell, ICT Security Specialist

Director: Helen Reading, Associate Director of Technology

SH IG 49 - Anti-Virus and Anti-Malware Policy
Version: 2
September 2016
Version Control

Change Record

Date | Author | Version | Page | Reason for Change
16.09.13 | E. Purcell | 1.0 | All | New policy – approved at IGG
16.08.16 | E. Purcell | 2 | All | Updated to new SHFT policy template / reviewed content for accuracy / amended AV compliance statement

Reviewers/contributors

Name | Position | Version Reviewed & Date
IGG membership | | V1.0 October 2013
IGG membership | | V2 September 2016

Quick Reference Guide

For quick reference, this page summarises the actions required by this policy. This does not negate the
need to be aware of and to follow the further detail provided in this policy.

1. All ‘end points’ and network ‘entry’ points should be protected from malware and its effects, and
should provide that protection to the resources they host or give access to.

2. Wherever possible AV software is to be installed on all suitable endpoints, including all forms of
client and server, regardless of whether they are networked or standalone.

3. The aim is that there is no less than 100% coverage of Anti-Virus installed on all endpoints that are
capable of running the software. All endpoints running Anti-Virus must meet the compliance
requirements as outlined within this policy.

4. Technical Services will ensure that other relevant controls are in place to provide layered
security that includes: patch management; segregation of high risk devices; control of
administrative permissions; and boundary controls.

5. If a user observes any unusual activity leading them to suspect a malware attack, the user must:

- Inform the ICT service desk immediately;
- Switch off the machine (at the wall socket) and ensure no one else uses it;
- Gather any media, such as floppy disks, CD-ROM disc(s), USB memory stick(s), that were
used for transporting information in or out of the machine and make them available to ICT;
- Submit an Ulysses incident report;
- Not use the PC (or suspected media) until it has been cleared as being safe to use.

6. Technical Services will respond to all malware attacks and will perform identification, remediation
and, if required, reporting to senior management and/or NHS Digital.

Contents

1. Background/General ..........................................................................................................................5
2. Purpose .............................................................................................................................................5
3. Scope ................................................................................................................................................5
4. Definitions..........................................................................................................................................5
5. AV Protection ....................................................................................................................................6
6. Layered Security, Reducing the Scope for Malware ..........................................................................6
7. AV Deployment to End Points............................................................................................................8
8. Suspected Malware Outbreak............................................................................................................9
9. Training requirements ...................................................................................................................... 10
10. Monitoring compliance ..................................................................................................................... 10
11. Associated trust documents ............................................................................................................. 10

Anti-Virus and Anti-Malware Policy

1. Background/General

1.1. Healthcare Trusts are increasingly dependent upon their usage of ICT network(s) as a key tool
for managing and delivering health care services and for communicating with their care partners.
A major threat to the delivery of ICT services is malicious software (malware) which has the
potential to undermine the confidentiality, integrity and availability of those services/data hosted
on ICT systems or can adversely impact the underlying infrastructure hosting these systems and
thus prevent access to the resources.

1.2. ICT has a responsibility to ensure that appropriate technical measures are implemented to
protect against malware and to ensure that appropriate controls are in place to rapidly detect,
isolate and remove any instances. A single technical solution cannot be relied upon and therefore
a ‘layered approach’ will be implemented in order to provide the best overall protection against
the omnipresent threat of malware from whichever vector it may appear.

2. Purpose

2.1. This document sets out the policy for the protection of the networked environment and for the
continued provision of the ICT services that we provide to our customers against the threat of
malware. It provides guidance and direction on minimising the risk of a malware infection(s) and
what to do if one is encountered.

3. Scope

3.1. This policy applies to ICT resources and to all staff authorised to use/access those computer
systems and communications networks whether they are employed directly by the Trust,
contractors, NHS Professionals, bank staff, voluntary organisations or suppliers granted access
for support purposes.

3.2. Systems developed and managed centrally by NHS Digital (e.g. NHSMail, SBS, etc.) or other
external providers as contracted by the Trust (e.g. RiO, eRoster/Employee Online, etc.) are not
under the direct control of SHFT IT Services and are considered outside the scope of this
guidance.

4. Definitions

Term: Definition

Anti-Virus (AV) Software: Provides an electronic defence mechanism mitigating the risk of
a computing device being infected with or affected by malware.

Virus: A computer virus is a computer program that can copy itself without the
permission or knowledge of the user. A virus can only spread from one
computer to another when its host is taken to the uninfected computer; for
instance, by a user sending it over a network or carrying it on removable
media.

Worm: A computer worm is a self-replicating computer program. It uses a network
to send copies of itself to other PCs on the network and it may do so
without any user intervention. Unlike a virus, it does not need to attach
itself to an existing program. Worms always harm the network (if only by
consuming bandwidth), whereas viruses always infect or corrupt files on a
targeted computer.

End points: All devices (from servers to clients to networked equipment) with an
operating system that is capable of being affected or infected by malware.

Malicious software: Software designed to infiltrate or damage a computer system without the
owner's informed consent.

Malware: A term derived from the words "malicious" and "software". The expression
is a general term used to refer to a variety of forms of hostile, intrusive, or
annoying software or program code.

Social Engineering: A technique used by attackers to attempt to subvert security controls by
attempting to convince a legitimate user to divulge sensitive information
such as passwords, IP addresses or details of security mechanisms in use,
to enable others to do likewise, or to run inappropriate malware.

Spyware: A type of malware designed to collect information from the target system
and transmit that data to external parties for unauthorised use. Most
commonly packaged with legitimate (or seemingly legitimate) software,
spyware installs itself without the user’s knowledge.

Spam: Unsolicited email; email received from an unrequested source which
attempts to convince the user to perform an action (usually to purchase
goods or services or to click on a link).

Trojan horse: A program that contains or installs a malicious program (the 'Trojan'). The
term is derived from the classical myth of the Trojan horse. Trojan horses
may appear to be useful or interesting programs (or at the very least
harmless) to an unsuspecting user, but are actually harmful when
executed.

Rootkits: A stealthy type of software, designed to hide the existence of certain
processes or programs from normal methods of detection and enable
continued privileged access to a computer.

Adware: A software package which automatically renders advertisements.

5. AV Protection

5.1. All ‘end points’ and network ‘entry’ points should be protected from malware and its effects, and
should provide that protection to the resources they host or give access to. Generally an AV solution
will be deployed on all assets and will mediate all traffic that may be processed on that end point.
In the case of ‘boundaries’, the point of access to the environment is to provide protection from
malware for any traffic it allows into and out of the environment. For example, email and web
traffic is to be scanned for malware at the point of entry to/exit from the environment.

6. Layered Security, Reducing the Scope for Malware

6.1. Widespread use of AV software on all Endpoints

Wherever possible AV software is to be installed on all suitable endpoints, including all forms of
client and server, regardless of whether they are networked or standalone. This will ensure that
any risks of cross infection between disparate systems are minimised.

The aim is that there is no less than 100% coverage of Anti-Virus installed on all endpoints that are
capable of running the software.

Of the servers running Anti-Virus, 100% must pass the compliance check by having Anti-Virus
signatures within 2 days of the current release.

Of the workstations running Anti-Virus, at least 98% of the devices that have connected in the last
7 days must pass the compliance check by having Anti-Virus signatures within 7 days of the
current release.
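As an added illustration of how the 6.1 targets can be evaluated, the following Python (written for this page, not code from the Trust or its McAfee tooling) scores a constructed endpoint inventory against the signature-age, active-window and coverage thresholds above; the Endpoint record and its field names are assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Thresholds taken from section 6.1 of the policy.
SERVER_MAX_SIG_LAG = timedelta(days=2)         # server signatures within 2 days of current release
WORKSTATION_MAX_SIG_LAG = timedelta(days=7)    # workstation signatures within 7 days of current release
WORKSTATION_ACTIVE_WINDOW = timedelta(days=7)  # only workstations seen in the last 7 days are counted
SERVER_PASS_TARGET = 1.00
WORKSTATION_PASS_TARGET = 0.98
COVERAGE_TARGET = 1.00

@dataclass(frozen=True)
class Endpoint:                   # assumed record layout, not a McAfee EPO export format
    name: str
    role: str                     # "server" or "workstation"
    av_capable: bool              # can run the standard AV client at all (see 6.2 otherwise)
    av_installed: bool
    sig_release: Optional[date]   # release date of the signature set present on the host
    last_seen: date               # last check-in with the AV management console

def signature_lag_ok(ep: Endpoint, current_release: date) -> bool:
    """True if the host's signatures fall inside the policy window for its role."""
    if not ep.av_installed or ep.sig_release is None:
        return False
    max_lag = SERVER_MAX_SIG_LAG if ep.role == "server" else WORKSTATION_MAX_SIG_LAG
    return current_release - ep.sig_release <= max_lag

def pass_rate(hosts, predicate) -> float:
    """Fraction of hosts satisfying predicate; an empty population is vacuously compliant."""
    return 1.0 if not hosts else sum(predicate(h) for h in hosts) / len(hosts)

def assess(endpoints, current_release: date, today: date) -> dict:
    """Apply the 6.1 coverage and signature-age checks and list the hosts needing action."""
    capable = [e for e in endpoints if e.av_capable]
    servers = [e for e in endpoints if e.role == "server" and e.av_installed]
    active_ws = [e for e in endpoints if e.role == "workstation" and e.av_installed
                 and today - e.last_seen <= WORKSTATION_ACTIVE_WINDOW]
    ok = lambda e: signature_lag_ok(e, current_release)
    coverage = pass_rate(capable, lambda e: e.av_installed)
    server_rate = pass_rate(servers, ok)
    ws_rate = pass_rate(active_ws, ok)
    return {
        "coverage": coverage,
        "server_rate": server_rate,
        "workstation_rate": ws_rate,
        "stale_signatures": sorted(e.name for e in servers + active_ws if not ok(e)),
        "missing_av": sorted(e.name for e in capable if not e.av_installed),
        "compliant": (coverage >= COVERAGE_TARGET and server_rate >= SERVER_PASS_TARGET
                      and ws_rate >= WORKSTATION_PASS_TARGET),
    }

# Constructed sample inventory (not real Trust data).
TODAY = date(2016, 9, 12)
CURRENT_RELEASE = date(2016, 9, 12)
SAMPLE = [
    Endpoint("srv01", "server", True, True, date(2016, 9, 11), TODAY),                # 1 day lag: ok
    Endpoint("srv02", "server", True, True, date(2016, 9, 8), TODAY),                 # 4 day lag: stale
    Endpoint("ws01", "workstation", True, True, date(2016, 9, 7), date(2016, 9, 10)),  # 5 day lag: ok
    Endpoint("ws02", "workstation", True, True, date(2016, 8, 20), date(2016, 8, 1)),  # not seen in 7 days: excluded
    Endpoint("ws03", "workstation", True, True, date(2016, 9, 6), TODAY),             # 6 day lag: ok
    Endpoint("ws04", "workstation", True, False, None, TODAY),                        # capable but no AV: coverage gap
    Endpoint("mri01", "workstation", False, False, None, TODAY),                      # cannot run AV: isolate per 6.2
]

if __name__ == "__main__":
    for key, value in assess(SAMPLE, CURRENT_RELEASE, TODAY).items():
        print(f"{key}: {value}")
```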

6.2. Isolation of devices that cannot be protected by AV Software

Whenever a networked device cannot have AV software installed, it is to be configured to
operate in a separate ‘unprotected’ VLAN with appropriate mitigation separating such devices
from the rest of the environment. This will minimise the risks to both the ‘protected’ and
‘unprotected’ devices by reducing the risk of propagation between them.

6.3. Patch Management

Systems that are fully patched are significantly less likely to be affected by malicious software.
Malware targets known weaknesses or vulnerabilities in operating systems or applications and
uses these to attack the target system. For known weaknesses, vendors quickly distribute
software updates/patches to prevent exploitation via that particular mechanism; it is therefore
important to follow up on these newly released patches to ensure any newly identified vulnerability
is mitigated as quickly as possible. Regular review, assessment and installation of the latest
patches should be completed as closely as possible to the vendors' regular release cycles.

The exact process for patch management is contained within the Patch Management Process
documents but should aim to ensure that relevant devices are routinely patched with security
patches (patches which have failed testing may be excluded on a host by host basis):

- Servers: should be no more than 2 months behind available and tested security patches.

- Desktops and Laptops: should be no more than 3 months behind available and tested security
patches. This should apply to no less than 90% of systems on or connected to the network.

- Networks/Other: should be no more than 2 months behind available and tested security
patches.

6.4. Restricted Download rights

No software programs or executable files are to be downloaded from the Internet and installed on
devices without permission from the relevant team. Technical controls are in place to restrict the
ability of the majority of users to download files from the Internet. A limited number of ICT
Technical Services staff have greater flexibility to download; however, all users should take
appropriate precautions to limit the possibility of downloading malicious software.

6.5. Administrative/Privileged Access Rights

Accounts with elevated privileges are primarily only available to those in ICT Technical Services
and there is a slow but steady move to reduce the number of users with such rights and the
extent of such rights, both outside of and within ICT. Administrative groups should be set up to
ensure that, where elevated rights are granted, users receive the minimum level of privileges
necessary for them to carry out their work, assigned via groups rather than individually.
Users who require elevated privileges should have a secondary ‘admin’ account created and
should only use those rights when they are required; all other work should be carried out using
their standard network user account.

6.6. Boundary Protection/Firewalls

The network is to be protected by firewalls on both the N3 and Internet boundaries; firewalls
should also be implemented internally to segment any ‘unprotected’ VLAN(s) as covered in 6.2.
This perimeter around the network ensures that only authorised traffic can pass in or out of the
network. In the event of a malware outbreak internal to the network, this can help to prevent
the malware stealing data by transferring it out of the network. It will also prevent additional
malware being brought into the network, for example further updates/instructions for, or remote
control of, the malware.

6.7. Web (Internet) Traffic

In addition to the firewalls mentioned above, web/internet traffic should also be controlled by
passing it through a web proxy/filter which limits exposure of internal IP addresses, controls which
sites users can access and scans all connected sessions for malware. Traffic should always be
directed through the proxy servers; however, occasionally applications will not work through a
proxy and it is necessary to bypass it. Every effort is to be made to route connections to the
web/internet via the proxies, and only in exceptional cases are these to be bypassed.

6.8. Email

Email is a critical business tool for the Trust, and the widespread use of and increasing reliance on
this service leaves it open to exploitation as a means of transmitting malware and phishing
attacks.

- Attachments - All email, including attachments, is to be automatically checked for viruses before it
enters or leaves the email system.

- Phishing and Scams - Social engineering techniques often attempt to convince users to open
attachments or ‘click’ on hyperlinks (that will spread malware infections), or even to divulge
sensitive information such as passwords. Technical controls are in place to protect against
this type of unsolicited email, although there is a constant risk that some email may
circumvent the controls and be delivered to the recipient; therefore an important mitigating
action is staff awareness.

7. AV Deployment to End Points

This policy applies to all ‘supported’ assets used within the Trust regardless of who
manages/operates them or whether they are hosted on the ‘network’. Where departments
manage/operate independent standalone ICT systems the requirements below still apply,
although they may be fulfilled differently as directed by individual Information Asset Owners.
Advice and guidance in the fulfilment of any conditions contained within this policy will be
provided by the ICT department.

ICT Technical Services has implemented an enterprise anti-virus strategy with the deployment of
AV software throughout the computer network and on the assets it supports. This software
constantly scans networks and machines for virus attacks whilst running in the background and is
virtually transparent to the user. The use of anti-virus software is a requirement of the NHS
Digital/N3 Statement of Compliance (SOC) agreement and the NHS Information Governance Toolkit,
and also ensures that trusts comply with their legal obligations outlined in the Data Protection
Act 1998 to protect personal data.

All end points must routinely have the Trust standard AV software installed with on-access
scanning enabled; the anti-virus detection engine and the virus library files must be kept up to
date automatically without user interaction. Compliance with this will be regularly monitored by
ICT Technical Services staff and prompt action should be taken to resolve instances where
devices are not compliant. For this purpose AV compliance dashboards have been configured to
provide an overview to relevant teams and senior managers.

ICT is aware that in some instances the enterprise software cannot be installed on endpoints;
for example, some machines may not be able to run the software (e.g. legacy systems with
unsupported operating systems or non-networked devices). In circumstances where AV software
either cannot be installed or cannot run in default mode, additional safeguards are to be
implemented to limit the risk of any potential infection or spread of malware within the
environment.

In instances where the installation of AV software adversely affects the performance of the host or
the installed software, every effort should be made to find a solution other than removing the
software. For example, most AV solutions can be configured to exclude particular
files/folders/processes from scanning, or on-access scanning can be disabled and a scheduled scan used
instead (outside of working hours if necessary). Any changes are to be kept to the minimum
required to address the issue(s) and must not be unduly excessive in relaxing the default
configuration.

Anti-Virus software must only be installed and configured by ICT and users must not disable,
uninstall, reconfigure or interfere with the anti-virus software installed on any PC or attempt to
install alternative solutions.

Users who operate their laptops on and off the network must regularly connect to the network to
ensure that the AV software virus definitions remain up-to-date.

Network file storage facilities (shared drive, home drive) should be used wherever possible to
store computer files. Files in these areas are backed up each night. If a virus infection does
occur and the AV software cannot repair any ensuing damage, it may be possible to restore files
to a clean state from the backup media. (This is not possible for files stored on the C: drive or on
removable media.)

Although many threats can be combated using technology, the key to robust protection is
empowering each user with the necessary knowledge to help prevent or limit virus outbreaks.
End users should be made aware of good practice guidance such as, but not limited to, only
opening emails from trusted sources and not attempting to download/install software on their PC.
Appropriate awareness campaigns/training should be aimed at staff to raise awareness.

8. Suspected Malware Outbreak

If a user observes any unusual activity leading them to suspect a malware attack, the user must:

- Inform the ICT service desk immediately;
- Switch off the machine (at the wall socket) and ensure no one else uses it;
- Gather any media, such as floppy disks, CD-ROM disc(s), USB memory stick(s), that were
used for transporting information in or out of the machine and make them available to ICT;
- Submit an Ulysses incident report;
- Not use the PC (or suspected media) until it has been cleared as being safe to use.

In the case of a suspected malware attack ICT will:

- Open an incident and issue an incident reference to the user.
- Arrange for the following to take place (where appropriate):
  o Check the infected PC.
  o Check any media that has been used with the infected PC.
  o Check any other PC that the media has been used with.
  o Delete or clean any infected files.
  o Check any servers that may also have been accessed.
  o Try to determine where the virus may have originated.
  o Ensure the incident is completed within the appropriate timescales.
  o Ensure the user has completed a Trust incident report and forwarded it to the risk
management department, and inform the Trust’s ICT security team immediately.
  o Depending on the severity and impact of the incident, a full incident report may be
required; this will be completed by the ICT Security Specialist. Serious incidents are
reportable to NHS Digital (via the incident reporting tool on the IGTK portal) and this will
be completed in all cases as appropriate.

9. Training requirements

No specific training requirements exist, although all Technical Services staff, IAOs and IAAs should
be aware of the requirements of this policy.

10. Monitoring compliance

Element to be Monitored | Lead | Tool | Frequency | Reporting
Policy review | Edward Purcell | IGG Development Plan | 3 years | IGG
AV Compliance | Edward Purcell | McAfee EPO Reporting | Weekly | As required to Head of ICT Operations

11. Associated trust documents


This policy should be read in conjunction with other relevant Information Security Policies:

- ICT Security Policy
- ICT Network Security Policy
- Patch Management Policy