Recommended Policy Guidelines

Computer viruses are a reality and not likely to go away any time soon. Although their creation is malicious, in a corporate setting their spread is often innocent -- occurring as people simply do their jobs.

Establishing policies that make anti-virus behavior pro-active instead of re-active plays an important part in effective computer virus protection and prevention.

A designated computer emergency response team will augment good anti-virus software when a virus infection occurs. The team works to first contain and then disinfect compromised systems, as well as educate users and evaluate incident response to prevent future infections.

This is what we recommend:

Education
The key to effective anti-virus policy is education.  Computer users should be concerned about viruses.  Educating your users includes instructing them on how to protect themselves against computer viruses, and what to do if they become infected by a computer virus. 

Good habits need to be promoted.  One effective way of teaching good computer hygiene is in conjunction with the deployment of anti-virus software.  Guidelines for good habits should be included with general security guidelines.

One of the best educational environments can occur when there is a computer virus infection.  This can become a valuable learning experience.

Deployment of Anti-Virus Software
The deployment of good anti-virus software is unquestionable.  Users should be instructed in its proper use and configuration.  In addition, good anti-virus software is useless unless it is kept up to date.  The appropriate update mechanisms must be in place to ensure that it is kept current.

The wide deployment of high-quality anti-virus software, along with common-sense preventative measures such as restricting the installation of unauthorized software, write-protecting system and software diskettes, and changing system configurations to prevent booting from the diskette drive, will prevent the outbreak of many viruses.

Taking other actions such as ensuring the regular backup of data and the availability of clean boot disks will aid in post-infection recovery.

Incident Reporting
When a user believes their computer may be infected they should have a clear notion of what to do.  This includes the understanding that reporting the incident is an urgent matter.  The user must clearly know who should receive the incident report.

Users should feel confident that they will not be blamed or subjugated to recriminations when reporting an incident, and they should be assured that they will receive assistance that is appropriate to the incident and their needs.

Incident Response
Proper incident response provides that people reporting virus incidents receive swift and accurate advice and assistance at the level the user and the situation require. 

The response team will step the user through containment to stop the spread, disinfecting to clean their system, and the capture of incident information for future use. 

Notification
Ethics requires the swift acknowledgment of any infection of others.  People outside of the organization need to notified if the computer virus was passed to them through email, floppy diskettes, or however else it may have occurred.

Incident Trend Analysis
If your organization experiences more than just a few virus infections per year, trend analysis may be required to identify problem areas or individual users where special actions need to be taken.

Evaluation
Regular evaluation of anti-virus policy can help prevent problems from occurring in the future.  Particular points to evaluate should include:

1. Quality of anti-virus software.

2. Adequate deployment of anti-virus software.

3. Update frequency of virus definitions.

4. Identification of high risk areas or users.

5. Effectiveness of incidence reporting and response.