Financial Institution Letters Guidance on Developing an Effective Computer Virus Protection Program
Financial institutions have become increasingly reliant on the Internet as a vehicle for conducting business transactions and communicating with customers, vendors and other business partners. Much of that business is conducted through commercially available e-mail applications. Unfortunately, Internet-based e-mail can provide computer viruses with an entryway into a financial institution's computer network. Therefore, management needs to understand the risks that computer viruses present to their Information Technology (IT) infrastructure.
Infected systems can harm business processes in many ways. Viruses can force the entire network to be shut down for a period of time and disrupt normal business functions. For organizations that rely on systems to interact in a timely manner, the cost of lost business or opportunities could be significant. Viruses can also be a threat to the confidentiality of data and to an institution's reputation.
A computer virus protection program should be an integral part of an institution's overall information security program. Oversight and accountability should be assigned to an appropriate party; however, the virus protection program should involve management, information security and systems operations personnel. Customer information security guidelines require that periodic risk assessments be provided to the Board of Directors. In these assessments, management details the measures taken to mitigate risks. The effectiveness of the institution's virus protection program should be addressed in these periodic risk assessments and status reports. An inadequate virus protection program may adversely affect certain components of an institution's IT examination ratings.
An effective computer virus protection program includes installing and maintaining virus protection software for all hosts and clients. It should be installed on desktops, laptops, servers and gateways, and provide for automatic updates and version tracking.
A qualified individual should be responsible for the institution's computer virus protection program. This individual should have sufficient knowledge and training to manage virus software and patches, and be able to assist users when possible infections occur. In many circumstances, institutions may rely upon an outside entity to provide assistance with anti-virus software and related services.
Policies and procedures should be established to inform employees of how to protect the financial institution's systems from becoming infected by viruses. It is especially important to train employees to be cautious when opening e-mail attachments from unknown sources. Caution should be used even if the attachment comes from a known source: many viruses mail themselves to addresses found on the infected machine, so a familiar sender name is no assurance that the message or attachment is legitimate.
Management should perform and document an assessment to determine what type of anti-virus software solution to use. Virus detection practices should include protection for servers and workstations.
Since viruses and worms exploit commercial, off-the-shelf (COTS) software and operating system weaknesses, these basic steps can be taken to protect systems:
Ensure that the most recent patches and releases have been installed on the financial institution's systems, including desktops and laptops.
Decide what types of attachments will be allowed into the environment. Attachments with executable file extensions such as .EXE, .PIF, .SCR and .COM are commonly used to carry viruses and should be blocked. Filtering should match extensions regardless of case and examine every extension in the file name, not just the last one, since a name such as invoice.pdf.exe is still an executable.
Scan all programs and files prior to loading them onto the system. On occasion, even purchased software from vendors has been infected.
At the server level, if possible, perform a daily scan to determine whether any installed program has changed. Comparing file sizes against a baseline catches crude replacement; comparing a cryptographic hash of each program against the baseline is stronger, because a file can be modified without changing its size.
Periodically perform an audit to ensure the adequacy of the anti-virus program.
Provide multiple layers of defense and response in a network to detect, identify, and respond to intrusion attacks.
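The attachment blocking and daily program-change scan described in the steps above, as an added example that is not part of the FDIC letter. It assumes a block list extended beyond the four extensions named in the guidance (.BAT, .CMD, .VBS and .JS are assumptions for a Windows environment), checks every extension in an attachment name rather than only the last, and goes beyond the size comparison in the text by recording a SHA-256 hash of each program so that a same-size modification is still detected. The files in the demonstration are constructed inline.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Extensions named in the guidance plus a few other executable types commonly
# seen on Windows. Assumption: adjust the list for your own environment.
BLOCKED_EXTENSIONS = {".exe", ".pif", ".scr", ".com", ".bat", ".cmd", ".vbs", ".js"}

# Program types covered by the server integrity scan (assumption).
PROGRAM_EXTENSIONS = (".exe", ".dll", ".com", ".sys", ".scr")


def is_blocked_attachment(filename: str) -> bool:
    """Return True if any extension in the attachment name is on the block list.

    Every dotted part after the first is checked, so 'invoice.pdf.exe' is
    caught, and the comparison is case-insensitive ('PAYROLL.SCR'). Surrounding
    whitespace is stripped because a trailing space can hide the extension.
    Note: archives (.zip) are not opened here; a gateway should also inspect
    the files inside them.
    """
    name = filename.strip().lower()
    parts = name.split(".")[1:]
    return any("." + part in BLOCKED_EXTENSIONS for part in parts)


def file_fingerprint(path: str) -> dict:
    """Size and SHA-256 of a file, read in chunks so large programs fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return {"size": os.stat(path).st_size, "sha256": digest.hexdigest()}


def build_baseline(root: str) -> dict:
    """Fingerprint every program file under root, keyed by path relative to root."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for filename in files:
            if filename.lower().endswith(PROGRAM_EXTENSIONS):
                full = os.path.join(dirpath, filename)
                baseline[os.path.relpath(full, root)] = file_fingerprint(full)
    return baseline


def compare_baseline(root: str, baseline: dict) -> dict:
    """Re-scan root and report programs that changed, appeared, or disappeared."""
    current = build_baseline(root)
    changed = sorted(p for p in baseline if p in current and current[p] != baseline[p])
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    return {"changed": changed, "added": added, "removed": removed}


def demo() -> dict:
    """Constructed scenario: a server directory where one program is patched
    in place without its size changing and a new executable appears."""
    with tempfile.TemporaryDirectory() as root:
        Path(root, "app.exe").write_bytes(b"MZ" + b"\x00" * 30)
        Path(root, "lib.dll").write_bytes(b"MZ" + b"\x01" * 30)
        Path(root, "notes.txt").write_text("not a program, ignored by the scan")
        baseline = build_baseline(root)

        # Same-size tamper: 32 bytes before and after, so a size check alone
        # would report nothing. The hash comparison still flags it.
        Path(root, "app.exe").write_bytes(b"MZ" + b"\x00" * 29 + b"\xff")
        Path(root, "dropper.scr").write_bytes(b"MZ" + b"\x02" * 10)
        return compare_baseline(root, baseline)


if __name__ == "__main__":
    for name in ("report.pdf", "invoice.pdf.exe", "PAYROLL.SCR", "setup.exe "):
        print(f"{name!r:20} blocked={is_blocked_attachment(name)}")
    print(demo())
```

In practice the baseline from build_baseline would be written to a file stored outside the scanned host (or on read-only media) and compare_baseline run daily from a scheduled job, with any non-empty changed or added list raised to the person responsible for the virus protection program.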
Individuals responsible for anti-virus programs should check with their anti-virus vendors or their Web sites at least daily to determine if there are any recent viruses that require immediate updating of the virus protection software. Most vendors will provide a system to alert subscribers or users when to perform an update of their software. When an alert is received, financial institutions should update virus protection software immediately.
Alert services exist that warn users about new viruses and worms before anti-virus signatures that detect them are released. Awareness and education about a new virus's characteristics (for example, the subject line or attachment name it uses) can be critical in protecting a computer during the window before updated anti-virus software is available.
There are various steps that a financial institution may take when a system becomes infected. The first step is informing employees whom they should contact if they suspect a virus infection has occurred. Employees should also be advised to inform the institution's virus protection support group or security department of the events that occurred prior to the possible infection.
Policies should be established to determine what virus detection software to use and to ensure that the distribution process provides for virus prevention. Management should maintain sufficient controls to prevent the corruption of data or software and to correct problems caused by computer viruses or operating system vulnerabilities.