TVM-02: Malware Protection Policy and Procedures

CSF v1.1 References:

PF v1.0 References:

Control is new to this version of the control set and incorporates the following items from the previous version: GRM-06: Policy, GRM-09: Policy Reviews, TVM-01: Anti-Virus / Malicious Software.

Control Statement

Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures to protect against malware on managed assets. Review and update the policies and procedures at least annually.

Implementation Guidance

Malware protection policies should focus on inspecting both inbound and outbound traffic and implementing controls to detect, prevent, block, and remove malware. Include expectations of time objectives for remediation programs that seek to ensure systems are free of infection when they connect to enterprise computing resources. Malware protection should be integrated across all computing infrastructure, including compute, network, endpoints, and secure access gateways. Organizations should centrally manage malware protection mechanisms, including planning, implementing, assessing, authorizing, and monitoring organization-defined malware protection security controls. This process will help to cohesively address malware within predefined timeframes. The threat and vulnerability management policy should include the ability to address malware as a specific threat element. This should provide the organization with a guideline to handle malware using appropriate tools, relevant automation, and operational frameworks to meet its risk tolerance. If malware is identified by antivirus or anti-malware applications using a signature- or behavior-based detection process, malware removal should be updated according to applicable contractual agreements and organizational standards. Additionally, prevention software and associated signatures should be deployed centrally by the service provider throughout their environment.

Auditing Guidance

  1. Examine policy for adequacy, currency, communication, and effectiveness.
  2. Examine policy and procedures for evidence of review at least annually.

[Note: For more information on the Cloud Controls Matrix, visit the CSA Cloud Controls Matrix Homepage.]

Cloud Control Matrix is Copyright 2023 Cloud Security Alliance.