#iso27002/2022/EN
8.7 Protection against malware
Control
Protection against malware should be implemented and supported by appropriate user awareness.
Purpose
To ensure information and other associated assets are protected against malware.
Guidance
Protection against malware should be based on malware detection and repair software, information security awareness, appropriate system access and change management controls. Use of malware detection and repair software alone is not usually adequate. The following guidance should be considered:
a) implementing rules and controls that prevent or detect the use of unauthorized software [e.g. application allowlisting (i.e. using a list providing allowed applications)] (see 8.19 and 8.32);
b) implementing controls that prevent or detect the use of known or suspected malicious websites (e.g. blocklisting);
c) reducing vulnerabilities that can be exploited by malware [e.g. through technical vulnerability management (see 8.8 and 8.19)];
d) conducting regular automated validation of the software and data content of systems, especially for systems supporting critical business processes; investigating the presence of any unapproved files or unauthorized amendments;
e) establishing protective measures against risks associated with obtaining files and software either from or via external networks or on any other medium;
f) installing and regularly updating malware detection and repair software to scan computers and electronic storage media. Carrying out regular scans that include:
- scanning any data received over networks or via any form of electronic storage media for malware before use;
- scanning email and instant messaging attachments and downloads for malware before use. Carrying out this scan at different places (e.g. at email servers, desktop computers) and when entering the network of the organization;
- scanning webpages for malware when accessed;
g) determining the placement and configuration of malware detection and repair tools based on risk assessment outcomes and considering:
- defence in depth principles where they would be most effective. For example, this can lead to malware detection in a network gateway (in various application protocols such as email, file transfer and web) as well as user endpoint devices and servers;
- the evasive techniques of attackers (e.g. the use of encrypted files) to deliver malware or the use of encryption protocols to transmit malware;
h) taking care to protect against the introduction of malware during maintenance and emergency procedures, which can bypass normal controls against malware;
i) implementing a process to authorize the temporary or permanent disabling of some or all measures against malware, including exception approval authorities, documented justification and review date. This can be necessary when the protection against malware causes disruption to normal operations;
j) preparing appropriate business continuity plans for recovering from malware attacks, including all necessary data and software backup (including both online and offline backup) and recovery measures (see 8.13);
k) isolating environments where catastrophic consequences can occur;
l) defining procedures and responsibilities to deal with protection against malware on systems, including training in their use, reporting and recovering from malware attacks;
m) providing awareness or training (see 6.3) to all users on how to identify and potentially mitigate the receipt, sending or installation of malware-infected emails, files or programs [the information collected in n) and o) can be used to ensure awareness and training are kept up-to-date];
n) implementing procedures to regularly collect information about new malware, such as subscribing to mailing lists or reviewing relevant websites;
o) verifying that information relating to malware, such as warning bulletins, comes from qualified and reputable sources (e.g. reliable internet sites or suppliers of malware detection software) and is accurate and informative.
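Item d) above asks for regular automated validation of the software and data content of systems and for investigation of unapproved files or unauthorized amendments. The following is an added example, not text or code from ISO/IEC 27002, of the minimal mechanism behind that control: build a manifest of SHA-256 hashes for an approved directory tree, persist it, and later compare the live tree against it to report modified, unapproved (new) and missing files. The directory layout, file names and contents are constructed for the demonstration; the function names are this example's own.

```python
"""Added example (not part of ISO/IEC 27002 or any vendor tool): content
validation of a system tree against an approved baseline manifest, as in
guidance item d) of control 8.7. Everything here runs offline on a
constructed temporary directory."""
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_file(path: Path, chunk_size: int = 65536) -> str:
    """Hash a file in chunks so large binaries do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every regular file under root (relative POSIX path) to its SHA-256.

    Symlinks are skipped: a link can be retargeted without its own bytes
    changing, so it is not a reliable unit of integrity for this check."""
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and not path.is_symlink():
            manifest[path.relative_to(root).as_posix()] = sha256_file(path)
    return manifest


def validate(root: Path, approved: dict) -> dict:
    """Compare the live content of root with the approved manifest.

    Returns three sorted lists: files whose hash changed (unauthorized
    amendments), files present but absent from the baseline (unapproved
    files), and baseline files that have disappeared."""
    current = build_manifest(root)
    return {
        "modified": sorted(p for p in approved if p in current and current[p] != approved[p]),
        "unapproved": sorted(p for p in current if p not in approved),
        "missing": sorted(p for p in approved if p not in current),
    }


def is_clean(report: dict) -> bool:
    """True when no finding of any kind was produced."""
    return not any(report.values())


def demo() -> dict:
    """Constructed scenario: baseline an approved tree, tamper with it, re-check."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "system"          # the tree being validated
        (root / "bin").mkdir(parents=True)
        (root / "bin" / "service").write_bytes(b"approved binary v1")
        (root / "etc").mkdir()
        (root / "etc" / "service.conf").write_text("debug=false\n")
        (root / "etc" / "motd").write_text("welcome\n")

        # Build and persist the approved baseline outside the tree it covers,
        # so the manifest itself is never reported as an unapproved file.
        manifest_path = Path(tmp) / "approved-manifest.json"
        manifest_path.write_text(json.dumps(build_manifest(root), indent=2))

        # The clean state validates with no findings.
        approved = json.loads(manifest_path.read_text())
        assert is_clean(validate(root, approved))

        # Simulate the three kinds of deviation item d) asks us to investigate:
        (root / "etc" / "service.conf").write_text("debug=true\n")   # amended
        (root / "bin" / "unknown.bin").write_bytes(b"not in baseline")  # unapproved
        (root / "etc" / "motd").unlink()                                # removed
        return validate(root, approved)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In a real deployment the manifest would be generated at release or change-approval time, stored where the validated system cannot rewrite it, and the comparison scheduled and its findings routed to the investigation process the control requires; the comparison logic itself does not change.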
Other information
It is not always possible to install software that protects against malware on some systems (e.g. some industrial control systems). Some forms of malware infect computer operating systems and computer firmware such that common malware controls cannot clean the system and a full reimaging of the operating system software and sometimes the computer firmware is necessary to return to a secure state.