Malware Policy (A.12.2.1)
- To ensure Breezy HR information assets (data) and software are protected against intrusion, infection, damage, or compromise caused by malware, including viruses, Trojans, malicious scripts, and other malicious software
- To ensure appropriate anti-virus software is approved for use and applied to all hardware assets (within the scope of this policy) to protect information and software assets
Breezy’s Malware Policy shall apply to the following:
All information assets (data) either owned by Breezy or entrusted to Breezy by a client under an agreement that specifically details Breezy’s data responsibility, including but not limited to:
- Information assets held, processed, or stored at Amazon Web Service facilities under accounts owned by Breezy used to facilitate Breezy product offerings
- Any desktop or laptop used to access the aforementioned information assets
- The hardware and software assets owned by third parties that have been authorized by Breezy to access Breezy information assets
- All employees, contractors, and third-party users who have a legitimate requirement to access, process, store, or transmit Breezy information assets
Breezy shall use Apple Gatekeeper as its single product for providing protection against viruses, Trojans, and other malware on company laptops. Gatekeeper is installed on company laptops by manufacturer default with the Mac OS. This protection shall:
- At all times, be operated in real-time on all desktops, laptops, and other devices capable of supporting its operation.
- Be configured to receive, update, and act upon updates to virus/threat library definitions.
- Be configured to only allow applications from the Apple App Store or identified developers.
All personnel identified in the scope of this Malware Policy shall:
- Not undertake any action that prevents the anti-virus software from operating in real-time.
- Not undertake any action that prevents the automatic update of virus definitions.
- Promptly report any suspected or actual breach in accordance with the Virus Incident Escalation process and procedures noted below.
- Maintain awareness of the threats and characteristics of viruses and other malware.
Breezy shall use Google Apps Gmail service for email, which enhances its protection against viruses and other malware by implementing anti-spam controls to detect, isolate, and delete unsolicited email, which may be used to deliver viruses or other malware to users. Gmail rejects any message with a detected virus and notifies the sender the email was rejected because of the virus attachment. Gmail prevents downloading any attachment detected as containing a virus.
Virus Incident Escalation
Any user who notices activity or messages indicating a computer system or data has been affected or compromised by a virus or other malware shall:
- Immediately isolate the suspected computer system, including disconnecting and removing all wired or wireless network connections if applicable, preventing any further use of the system, and identifying all backup media and any other peripheral storage devices connected to the suspected computer system. If it is suspected the incident is aggressive and may have already spread within the Breezy network, the entire network shall be promptly disabled pending full virus scanning and remedial action.
- Immediately raise an information security incident, in accordance with the Incident Management Policy.
- NOTE: Use of the information security incident form should not be undertaken from the suspected computer system, as this may cause further distribution of the virus or malware. The incident should be reported verbally if an uncompromised computer system is not available.
Upon receipt of the information security incident notification, appropriate resources shall be promptly allocated to investigate, diagnose and disinfect the suspected computer system, along with any related backup media and peripheral storage devices. The same action shall be taken with any connected computer systems suspected of infection.
Following the successful resolution of the information security incident, Breezy shall examine the circumstances and understand how it occurred. This shall involve implementing corrective actions, which may include upgrading anti-virus software or its configuration. If user error is subsequently identified, then appropriate anti-virus and malware training shall be scheduled in accordance with the Information Security Training Policy.
- Hardware and software Asset Owners shall satisfy themselves, typically using risk assessments, that their assets are being provided with appropriate protection against infection by viruses and other malware.
- Information Asset Owners shall satisfy themselves, typically using a risk assessment, that their information is being provided with appropriate protection against breaches of confidentiality, integrity, or availability caused by viruses and other malware.
- The Information Security Manager shall coordinate and progress any information security incidents arising as a result of suspected or actual virus or malware activity and shall coordinate the post-incident analysis and arrange for any corrective actions identified.
- All employees, contractors, third-party users, and external users of Breezy information systems (as defined within the scope of this policy) shall comply with the requirements of this Malware Policy. Any incident of virus or malware infection or compromise that can be attributed to an individual not having adhered to this Policy shall result in disciplinary action.