Page 1 of 12 Anti-virus Policy Version No 2.0
ANTI-VIRUS POLICY
Document Author Authorised
Written By: Information Security Manager Date: April 2019
Authorised By: Chief Executive Date: 24th June 2019
Lead Director: Director of Finance, Estates and IM&T
Effective Date: 24th June 2019
Review Date: 23rd June 2022
Approval at: Policy Management Sub-Committee
Date Approved: 24th June 2019
DOCUMENT HISTORY
(Procedural document version numbering convention will follow the following format. Whole numbers for approved versions, e.g. 1.0, 2.0, 3.0 etc., with decimals being used to represent the current working draft version, e.g. 1.1, 1.2, 1.3, 1.4 etc. For example, when writing a procedural document for the first time, the initial draft will be version 0.1.)
Date of Issue | Version No. | Date Approved | Director Responsible for Change | Nature of Change | Ratification / Approval
19 Mar 16 | 0.1 | | Executive Director for Integration and Transformation | New Policy |
24 Mar 16 | 0.1 | | Executive Director for Integration and Transformation | | Approved Deputy SIRO
24 Mar 16 | 1 | 24 Mar 16 | Executive Director for Integration and Transformation | | Approved Trust Executive Committee
April 2019 | 1.1 | | Director of Finance, Estates and IM&T | Policy review |
13 June 19 | 1.1 | | Director of Finance, Estates and IM&T | | Endorsed at Information Governance Sub-Committee
24 June 19 | 2.0 | 24 June 19 | Director of Finance, Estates and IM&T | | Approved at Policy Management Sub-Committee
NB This policy relates to the Isle of Wight NHS Trust hereafter referred to as the Trust
Contents
1 Executive Summary ....................................................................................................... 4
2 Introduction .................................................................................................................... 4
3 Definitions ...................................................................................................................... 4
4 Scope ............................................................................................................................. 4
5 Purpose ......................................................................................................................... 4
6 Roles and Responsibilities ............................................................................................. 4
6.1 Information Communication Technology Executive Led Sub Committee ................. 4
6.2 Senior Information Risk Officer (SIRO) ................................................................... 4
6.3 Deputy Director for IM&T ........................................................................................ 4
7 Policy detail/Course of Action ......................................................................................... 5
8 Consultation ................................................................................................................... 6
9 Training .......................................................................................................................... 6
10 Monitoring Compliance and Effectiveness ...................................................................... 6
11 Appendices .................................................................................................................... 6
1 Executive Summary
This policy defines the requirements for anti-virus protection on all computing devices relating to the Isle of Wight NHS Trust.
2 Introduction
Malware is an increasing problem for organisations, often resulting in systems being taken off-line for several days whilst infections are resolved and data recovered. This policy provides a baseline to which all systems connected to the Trust’s network must adhere in order to mitigate risks of this nature.
3 Definitions
Malware (Malicious Software) is a generic name given to software which is designed to cause disruption or data loss. This includes commonly used terms such as ‘Virus’, ‘Trojan’ and ‘Spyware’.
4 Scope
This policy is applicable to all computing devices which connect to the Trust’s Information Communication Technology (ICT) network.
5 Purpose
The purpose of this Policy is to set the minimum protection required to allow computing devices to connect to the Trust’s ICT network.
6 Roles and Responsibilities
6.1 Information Communication Technology Sub Committee
The Information Communication Technology Sub Committee is responsible for monitoring compliance with this policy.
6.2 Senior Information Risk Officer (SIRO)
The SIRO is responsible for ensuring that the Trust has in place robust arrangements for the management of viruses and that all risks are reported and managed so that they are mitigated.
6.3 Deputy Director for IM&T
The Deputy Director for IM&T must ensure that the Trust has in place a robust anti-virus policy that is adopted across the breadth of the Trust.
7 Policy detail/Course of Action
All workstations, laptops and servers must be running approved anti-virus and anti-malware protection which has been configured in accordance with appendix C.
All removable media must be subject to an anti-virus scan upon use.
Users must not accept, or run, software from untrusted sources.
Users must not undertake any activities with the intention to create and/or distribute malicious programs (e.g. viruses, worms, Trojans, e-mail bombs, etc.) into the Trust’s networks or systems.
Users must inform the IT Service Desk immediately if a virus is detected on their system.
Portable Device users (laptops) must connect to the Trust network periodically (either whilst on-site or remotely via VPN) to ensure that the anti-virus software is updated.
Any system or workstation found to be without adequate protection as defined by this policy will be removed from the network until adequate protection is implemented. Any user found to be wilfully violating the anti-virus policy may be subject to one or more of the following sanctions:
Removal of any equipment used from the network until adequately protected
Revocation of rights to Trust ICT systems and networks
Any costs incurred by the IT department to remove the virus may be passed on to the department or organisation responsible for the outbreak.
Subject to disciplinary action
In the event of a virus outbreak, the Information Communication Technology (ICT) Team reserves the right to temporarily remove equipment, or disable parts of the network, to safeguard other systems.
Procedure for suspected infection
If a user suspects the system may be infected, the following actions must be taken:
Inform the ICT service desk immediately
Switch off the machine
Ensure no-one uses the machine
Be prepared to inform IT of any actions taken which may have caused the system to be infected.
The IT Team will:
Check the infected PC and any media
Rebuild the PC if the infection is severe (e.g. Conficker, Cryptolocker)
Check any servers that may have been accessed from the infected system
Attempt to determine the source of the infection
Ensure the incident is logged.
8 Consultation This policy has been circulated to the ICT and Information Governance Team prior to ratification and approval.
9 Training This anti-virus policy does not have a mandatory training requirement or any other training needs.
10 Monitoring Compliance and Effectiveness The effectiveness of the anti-virus solution will be demonstrated through system-generated reports set against the potential virus infections recorded on the ServiceDesk.
11 Appendices
Appendix A Financial and Resourcing Impact Assessment on Policy Implementation
Appendix B Equality Impact Assessment (EIA) Screening Tool
Appendix C Approved Software Products
Appendix A
Financial and Resourcing Impact Assessment on Policy Implementation
NB this form must be completed where the introduction of this policy will have either a positive or negative impact on resources. Therefore this form should not be completed where the resources are already deployed and the introduction of this policy will have no further resourcing impact.
Document title: Anti-virus Policy (No change in resourcing requirements)
Totals | WTE | Recurring £ | Non Recurring £
Manpower Costs | | |
Training Staff | | |
Equipment & Provision of resources | | |
Summary of Impact:
Risk Management Issues:
Benefits / Savings to the organisation:
Equality Impact Assessment: Has this been appropriately carried out? YES/NO. Are there any reported equality issues? YES/NO. If “YES” please specify:
Use additional sheets if necessary. Please include all associated costs where an impact on implementing this policy has been considered. A checklist is included for guidance but is not comprehensive, so please ensure you have thought through the impact on staffing, training and equipment carefully and that ALL aspects are covered.
Manpower | WTE | Recurring £ | Non-Recurring £
Operational running costs | | |
Totals: | | |
Staff Training Impact | Recurring £ | Non-Recurring £
Totals: | |
Equipment and Provision of Resources Recurring £ * Non-Recurring £ *
Accommodation / facilities needed
Building alterations (extensions/new)
IT Hardware / software / licences
Medical equipment
Stationery / publicity
Travel costs
Utilities e.g. telephones
Process change
Rolling replacement of equipment
Equipment maintenance
Marketing – booklets/posters/handouts, etc
Totals:
Capital implications £5,000 with life expectancy of more than one year.
Funding /costs checked & agreed by finance:
Signature & date of financial accountant:
Funding / costs have been agreed and are in place:
Signature of appropriate Executive or Associate Director:
Appendix B
Equality Impact Assessment (EIA) Screening Tool
Document Title: Anti-virus Policy
Purpose of document: Policy on the Use of anti-virus software
Target Audience: Users of devices attached to the ICT Network
Person or Committee undertaking the Equality Impact Assessment: Carl Moreira-Smith
1. To be completed and attached to all procedural/policy documents created within individual services.
2. Does the document have, or have the potential to deliver, differential outcomes or affect in an adverse way any of the groups listed below? If no, confirm underneath in the relevant section the data and/or research which provides evidence, e.g. JSNA, Workforce Profile, Quality Improvement Framework, Commissioning Intentions, etc. If yes, please detail underneath in the relevant section, provide a priority rating and determine if a full EIA is required.
Group | Positive Impact | Negative Impact | Reasons
Gender
Men | N/A | N/A |
Women | N/A | N/A |
Race
Asian or Asian British People | N/A | N/A |
Black or Black British People | N/A | N/A |
Chinese people | N/A | N/A |
People of Mixed Race | N/A | N/A |
White people (including Irish people) | N/A | N/A |
People with Physical Disabilities, Learning Disabilities or Mental Health Issues | N/A | N/A |
Sexual Orientation
Transgender | N/A | N/A |
Lesbian, Gay men and bisexual | N/A | N/A |
Age
Children | N/A | N/A |
Older People (60+) | N/A | N/A |
Younger People (17 to 25 yrs) | N/A | N/A |
Faith Group | N/A | N/A |
Pregnancy & Maternity | N/A | N/A |
Equal Opportunities and/or improved relations | N/A | N/A |
Notes: Faith groups cover a wide range of groupings, the most common of which are Buddhist, Christian, Hindus, Jews, Muslims and Sikhs. Consider faith categories individually and collectively when considering positive and negative impacts. The categories used in the race section refer to those used in the 2001 Census. Consideration should be given to the specific communities within the broad categories, such as Bangladeshi people, and to the needs of other communities that do not appear as separate categories in the Census, for example, Polish.
3. Level of Impact
If you have indicated that there is a negative impact, is that impact:
| YES | NO
Legal (it is not discriminatory under anti-discriminatory law) | |
Intended | |
If the negative impact is possibly discriminatory and not intended and/or of high impact, then please complete a thorough assessment after completing the rest of this form.
3.1 Could you minimise or remove any negative impact that is of low significance? Explain how below:
3.2 Could you improve the strategy, function or policy positive impact? Explain how below:
3.3 If there is no evidence that this strategy, function or policy promotes equality of opportunity or improves relations – could it be adapted so it does? How? If not why not?
Scheduled for Full Impact Assessment Date:
Name of persons/group completing the full assessment.
Date Initial Screening completed 20/03/2016
Appendix C
Approved Software Products
Sophos Endpoint Protection (www.sophos.com)
Configuration Standards
Approved anti-virus software should be installed and configured to the following standards on all applicable desktop and server equipment:
All anti-virus configuration settings will be locked down to prohibit unauthorised users from disabling the software or altering the standard configuration
Anti-virus software on desktops will periodically check (at least daily) for updates to the anti-virus engine and the DAT (pattern/signature) file and will automatically apply them.
Anti-virus software on servers and gateways will check for updates on a (minimum) daily basis.
Anti-virus will be automatically enabled at all times when the system is in use with the following exceptions:
When software upgrades dictate disablement
To facilitate problem diagnosis.
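As an added example, and not part of the Trust's policy or of any Sophos product, the following Python script checks an endpoint status export against the Appendix C configuration standards (configuration locked down, real-time protection enabled, update check at least daily) and the section 7 requirement that laptops reconnect periodically for updates, producing the kind of compliance report that section 10 relies on. The export format, its column names, the hostnames and the 14-day laptop absence threshold are constructed assumptions for illustration; a real endpoint-management console export will differ.

```python
"""Report endpoints that fail the anti-virus configuration standards.

Added example: reads a constructed CSV export of endpoint protection status
and lists, per host, which standards it fails. Column names, hostnames and
thresholds are assumptions for illustration only.
"""
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample export (not real Trust data). Columns are assumed:
# role, time of last update check, signature date, real-time protection state,
# whether the configuration is tamper-locked, and when the host was last seen.
SAMPLE_EXPORT = """\
hostname,role,last_update_check,signature_date,realtime_protection,tamper_protection,last_seen
WS-0001,desktop,2019-06-24T08:05:00Z,2019-06-24T06:00:00Z,enabled,locked,2019-06-24T08:05:00Z
WS-0002,desktop,2019-06-20T17:30:00Z,2019-06-20T12:00:00Z,enabled,locked,2019-06-24T07:50:00Z
LT-0003,laptop,2019-06-05T09:00:00Z,2019-06-05T06:00:00Z,enabled,locked,2019-06-05T09:00:00Z
LT-0006,laptop,2019-06-22T10:00:00Z,2019-06-22T08:00:00Z,enabled,locked,2019-06-22T10:00:00Z
SRV-0004,server,2019-06-24T01:00:00Z,2019-06-23T23:00:00Z,disabled,locked,2019-06-24T08:00:00Z
SRV-0005,server,2019-06-24T01:00:00Z,2019-06-23T23:00:00Z,enabled,unlocked,2019-06-24T08:00:00Z
"""

# Fixed "now" so the report is reproducible; a live run would use datetime.now(timezone.utc).
NOW = datetime(2019, 6, 24, 9, 0, tzinfo=timezone.utc)
MAX_UPDATE_AGE = timedelta(days=1)        # Appendix C: update check at least daily
MAX_LAPTOP_ABSENCE = timedelta(days=14)   # assumed meaning of "periodically" for laptops (section 7)


def parse_ts(value):
    """Parse an ISO-8601 UTC timestamp of the form YYYY-MM-DDTHH:MM:SSZ."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_endpoint(row, now=NOW):
    """Return the list of standards this endpoint fails (empty list = compliant)."""
    findings = []
    if row["realtime_protection"] != "enabled":
        findings.append("real-time protection disabled")
    if row["tamper_protection"] != "locked":
        findings.append("configuration not locked down")

    update_age = now - parse_ts(row["last_update_check"])
    if update_age > MAX_UPDATE_AGE:
        absence = now - parse_ts(row["last_seen"])
        if row["role"] == "laptop" and absence > MAX_UPDATE_AGE:
            # A laptop that is off the network cannot update; the policy breach
            # is only the missed periodic connection, judged against the
            # assumed 14-day tolerance rather than the daily update standard.
            if absence > MAX_LAPTOP_ABSENCE:
                findings.append(f"laptop not connected for {absence.days} days")
        else:
            findings.append(f"last update check {update_age.days} days ago")
    return findings


def run_report(csv_text=SAMPLE_EXPORT, now=NOW):
    """Map each non-compliant hostname to its findings; compliant hosts are omitted."""
    report = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        findings = check_endpoint(row, now)
        if findings:
            report[row["hostname"]] = findings
    return report


if __name__ == "__main__":
    for host, findings in run_report().items():
        print(f"{host}: {'; '.join(findings)}")
```

Hosts that are compliant, including the laptop that has been off the network for less than the tolerated window, do not appear in the report; each listed host carries every standard it fails, so a server with real-time protection disabled and an unlocked configuration would show both findings.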