Welcome to the third edition of The ISO27000 Newsletter, designed to keep you abreast of news and developments with respect to 17799 and information security.
The information contained in this newsletter is absolutely free to our subscribers and provides guidance on various practical issues, plus commentary on recent Information Security incidents.
Guidance and information included in this month's issue:
ISO17799 SECTION 8: WHEN A VIRUS ATTACKS
Despite employing regularly updated anti-virus software and maintaining a constant awareness of the risks of virus infection, some viruses can nevertheless still enter and infect an organization's computer system. For example, a high profile case was reported earlier this year where a senior businessman was sent a price list infected with a virus by another company known to him, albeit a competitor; he should of course have known better. But what steps can be taken to help mitigate this sort of situation?
Dealing with a virus in a professional and planned way reduces both its impact and its spread throughout the organization and beyond. A failure to respond appropriately to a virus incident can rapidly result in multiple system failures and continued infection.
We offer the following best practice guidelines on how to respond to virus incidents:
- If possible, appoint a Virus Control Officer who would be the first point of contact for all virus alerts and who co-ordinates follow-up actions.
- Consider regularly reviewing software and files used for critical business processes to identify and investigate unauthorized and/or suspicious changes.
- Ensure that your organization has a Virus Incident Response Plan, drawn up jointly by the Information Security Officer, Virus Control Officer and System Administrator. Where no agreed response plan is in place, the reaction of users, IT and management is likely to be ad hoc and inadequate, possibly turning a containable incident into a significant problem.
- When a virus is detected:
  - immediately locate and scan the relevant file(s) with your anti-virus software to determine whether the virus has been neutralized (i.e. the file has been disinfected).
  - communicate a virus alert to warn staff of the incident and the appropriate response.
  - establish whether the virus might have infected others and, if so, respond accordingly; if necessary, close down workstations and possibly parts of the network.
  - following the virus attack, review the measures taken to minimize damage and prevent a recurrence, and question whether procedures and safeguards remain adequate. Consider updating your anti-virus definition files on a more frequent, possibly daily, basis.
- Ensure that your server anti-virus software is configured to proactively scan all incoming and outgoing files. (Also investigate the source of any virus detected on OUTBOUND e-mail, as this may indicate a failure to scan files on a workstation or the use of unscanned floppy disks or CD-ROMs.)
- Update your anti-virus definition files on a regular basis.
- Promote awareness among users of the risks associated with e-mail, and train them to be aware of this type of cyber crime and their responsibilities for its prevention.
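Two of the steps above (establishing whether the virus might have infected others, and investigating the source of any virus detected on outbound e-mail) are easier to act on when the mail gateway's anti-virus log is triaged systematically. The following Python script is an added example, not part of the newsletter or of any product; the log format and the sample lines are constructed for illustration, so the parsing would need adapting to a real gateway's output. It groups outbound detections by originating workstation (hosts whose own scanning apparently failed) and lists every recipient who was sent an infected attachment, so the Virus Control Officer knows whom to alert and which machines to scan first.

```python
"""Triage anti-virus gateway log lines during a virus incident.

Added example with a constructed log format:
  <timestamp> <INBOUND|OUTBOUND> from=<sender> to=<recipient>
  host=<originating host> file=<attachment> verdict=<clean|infected:NAME>
"""
import re
from collections import defaultdict

# Constructed sample log lines (hypothetical hosts, addresses and virus name).
SAMPLE_LOG = """\
2001-06-04T09:12:01 INBOUND from=sales@partner.example to=jsmith@corp.example host=mailgw1 file=pricelist.xls verdict=infected:W97M/Sample
2001-06-04T09:15:44 OUTBOUND from=jsmith@corp.example to=team@corp.example host=ws-0142 file=pricelist.xls verdict=infected:W97M/Sample
2001-06-04T09:16:02 OUTBOUND from=jsmith@corp.example to=client@other.example host=ws-0142 file=pricelist.xls verdict=infected:W97M/Sample
2001-06-04T09:20:19 OUTBOUND from=afox@corp.example to=hr@corp.example host=ws-0077 file=report.doc verdict=clean
2001-06-04T09:31:55 OUTBOUND from=afox@corp.example to=all@corp.example host=ws-0077 file=memo.doc verdict=infected:W97M/Sample
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<direction>INBOUND|OUTBOUND) from=(?P<sender>\S+) "
    r"to=(?P<recipient>\S+) host=(?P<host>\S+) file=(?P<file>\S+) "
    r"verdict=(?P<verdict>\S+)$"
)


def parse_log(text):
    """Parse log text into a list of event dicts; malformed lines are skipped
    (a triage tool should degrade gracefully, not abort on one bad line)."""
    events = []
    for line in text.splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue
        event = match.groupdict()
        event["infected"] = event["verdict"].startswith("infected:")
        event["virus"] = event["verdict"].split(":", 1)[1] if event["infected"] else None
        events.append(event)
    return events


def outbound_infections_by_host(events):
    """Outbound detections grouped by originating workstation. A host that
    sends infected mail has either no working scanner or an unscanned
    removable disk in use, so it goes to the top of the scan list."""
    by_host = defaultdict(list)
    for event in events:
        if event["direction"] == "OUTBOUND" and event["infected"]:
            by_host[event["host"]].append(event)
    return dict(by_host)


def possibly_exposed_recipients(events, virus):
    """Everyone who was sent the named virus; even if the gateway blocked the
    attachment they should receive the virus alert and be checked."""
    return sorted({e["recipient"] for e in events
                   if e["infected"] and e["virus"] == virus})


def triage_report(text):
    """Summarise the log into the lists the incident response plan needs."""
    events = parse_log(text)
    by_host = outbound_infections_by_host(events)
    viruses = sorted({e["virus"] for e in events if e["infected"]})
    return {
        "hosts_to_scan": sorted(by_host),
        "outbound_detections": {h: len(v) for h, v in by_host.items()},
        "viruses": viruses,
        "exposed": {v: possibly_exposed_recipients(events, v) for v in viruses},
    }


if __name__ == "__main__":
    report = triage_report(SAMPLE_LOG)
    for host in report["hosts_to_scan"]:
        print(f"scan first: {host} ({report['outbound_detections'][host]} outbound detections)")
    for virus, recipients in report["exposed"].items():
        print(f"{virus}: alert and check {', '.join(recipients)}")
```

The report separates two questions the plan asks: which workstations need attention because they are *sending* infected files, and which people need the alert because they were *sent* them. Clean messages are parsed but ignored, so the same script can run over the full gateway log rather than a pre-filtered extract.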