HHS-IRM-2000-0007
HHS IRM Policy for the Prevention, Detection, Removal and Reporting of Malicious Software
January 8, 2001
1. Purpose

This document provides the policies for preventing, detecting, removing, and reporting malicious computer software, such as computer viruses. Its purpose is to ensure that proactive security measures are taken to keep malicious software off HHS systems; to raise awareness so that occurrences of malicious software are recognized and reported immediately; and to ensure that appropriate action is taken to minimize the consequences of a malicious software attack.

2. Background

The Department of Health and Human Services' (HHS) security program complies with Federal laws, regulations, and directives and communicates uniform policies for the protection and control of information technology (IT) resources directly or indirectly relating to the activities of the Department.

Computer systems and communication networks are subject to a variety of threats, many of which have emerged with the enormous growth in the use of personal computers, Local Area Networks (LANs), Wide Area Networks (WANs), and the Internet. Non-malicious threats include human error, hardware/software failures, and natural disasters. Malicious threats range from rational (e.g., obtaining something of value at no cost) to irrational (e.g., destroying information or causing embarrassment). These threats must be adequately addressed through proper controls. In addition, HHS has an obligation to protect the privacy and security of personal data.

Malicious software has the potential to harm an organization through the modification, destruction, or release of information or processing resources, and through the denial of critical services. Traditional computer safeguards and malware detection efforts play important roles in implementing an organization's malicious software prevention strategy. Originally the most common "carrier" of viruses was the diskette, since "sneaker net" was the most common means of transferring software and data between computers.
However, all organizations with Internet access are now more exposed to viruses. Since e-mail is widely used as a business communication tool, it is a favorite infection vehicle for virus writers. As information systems grow in complexity, security safeguards must evolve with them. Security is enforced through a combination of technical and traditional management methods.

3. Scope

The policy contained in this circular applies to all HHS information and infrastructure computing resources, at all levels of sensitivity, whether owned and operated by HHS or operated on behalf of HHS. This policy is mandatory for all Operating Divisions (OPDIVs), employees, contractors, and others who process, store, transmit, or have access to IT information and infrastructure computing resources in the Department. It applies to all existing automated systems, to any new systems technology acquired after the effective date of this policy, and to all operating system environments.

4. Policy
HHS will ensure that its systems and data are safe and secure from unauthorized access that might lead to the alteration, damage, or destruction of automated resources and data, the unintended release of data, or denial of service.

4.2 Reasonable measures

Each OPDIV shall ensure that all reasonable measures are taken to prevent, detect, remove, and report viruses.

4.3 Prevention

Each OPDIV shall establish access controls that limit or detect access to critical resources (e.g., data, files, application programs, and computer-related facilities and hardware) to help prevent unauthorized modification, disclosure, loss, or impairment of data. Each OPDIV shall have change controls, life cycle management procedures, and controls to prevent the implementation of unauthorized or risk-inducing programs or modifications to existing programs, and thus the possible interruption of critical processes.

4.4 Detection

4.5 Removal
4.6 Reporting

5. Roles and Responsibilities

Information systems security responsibilities and accountability shall be explicit. The responsibilities and accountability of owners, providers of information services, users of computer systems, and other parties concerned with the security of information systems shall be documented.

The HHS Chief Information Officer (CIO) is responsible for establishing and implementing the information security policies that ensure proactive security measures are taken to prevent malicious software and that appropriate action is taken to minimize the consequences of an attack.

The Deputy Assistant Secretary for Information Resources Management (DASIRM) is responsible for monitoring and updating the Department's security policies, procedures, standards, and architecture to enable better detection and response capability. The DASIRM is responsible for notifying OPDIV CIOs and coordinating responses for incidents that span more than one OPDIV.

The HHS Senior Information Systems Security Officer is responsible for developing and disseminating information concerning the potential dangers of malicious software and guidelines for its control, and for serving as the central point for incident reporting, handling, prevention, and recognition. In addition, the HHS Senior Information Systems Security Officer shall promptly notify the HHS CIO, the DASIRM, and OPDIV Security Officers of computer security incidents, including the presence of viruses.
OPDIV CIOs are responsible for:
- establishing and implementing policy, procedures, and practices to ensure that OPDIV systems, programs, and data are secure and protected from unauthorized access that might lead to the alteration, damage, or destruction of automated resources, the unintended release of data, or denial of service;
- ensuring that all OPDIV employees and other users of HHS IT resources comply with this policy;
- ensuring that IT security requirements, procedures, and practices are provided in computer security training materials; and
- ensuring that security awareness and training is mandatory for all personnel who use, operate, supervise, or manage computer systems; that new employees receive orientation outlining their security responsibilities; and that program managers provide periodic security training (at a minimum once a year) to their employees.

The OPDIV Senior Information Systems Security Officers are responsible for:
- promptly notifying the HHS IT Security Officer of computer viruses;
- ensuring that appropriate procedures are implemented and instructions issued for the detection and removal of viruses;
- ensuring that all OPDIV personnel are aware of this policy and incorporate it into computer security briefings and training programs;
- ensuring that the anti-virus scanning engine is updated as soon as each new release is available, and that virus signature files are updated within twenty-four hours of the manufacturer's release (or immediately, when an emergency requires it) so that the latest viruses can be detected and removed;
- ensuring that when a virus infection is confirmed, the extent of contamination is determined; and
- serving as a focal point for incident reporting and subsequent resolution.

Supervisors and managers shall ensure that their staffs (Federal and contractor) are aware of their security responsibilities for preventing and reporting viruses, and receive periodic security training.

Employees shall not disable or otherwise change anti-virus software on their workstation or other systems without specific authorization, shall comply with virus prevention activities, and shall report any suspected or actual viruses immediately to their help desk, system administrator, or other designated personnel.

In recent years there has been a proliferation of hoaxes disguised as virus warnings. These hoaxes are usually transmitted through e-mail and urge the recipient to send the alert to as many others as possible. They are NOT viruses, but they may disrupt work through false scares, and their proliferation can amount to a denial of service attack by overloading the e-mail system. All such "virus warnings" should be reported immediately to the system administrator or other designated personnel and not forwarded to others.

6. Applicable Laws/Guidance

The following public laws and Federal regulations are applicable to this policy circular:

7. Information and Assistance

Direct questions, comments, suggestions, or requests for further information to the Deputy Assistant Secretary for Information Resources Management at (202) 690-6162.

8. Effective Date/Implementation

The effective date of this policy is the date the policy is approved. OPDIVs shall have six months from the date of implementation of the EIM tools to fully comply with this policy. These policies and procedures will not be implemented in any recognized bargaining unit until the union has been provided notice of the proposed changes and given an opportunity to fully exercise its representational rights.
The HHS policies contained in this issuance shall be exercised in accordance with Public Law 93-638, the Indian Self-Determination and Education Assistance Act, as amended, and the Secretary's policy statement dated August 7, 1997, as amended, titled "Department Policy on Consultation with American Indian/Alaska Native Tribes and Indian Organizations." It is HHS' policy to consult with Indian people to the greatest practicable extent and to the extent permitted by law before taking actions that affect these governments and people; to assess the impact of the Department's plans, projects, programs and activities on tribal and other available resources; and to remove any procedural impediments to working directly with tribal governments or Indian people.

9. Approved
_____/s/_____________________________ _01/08/01__
John J. Callahan

Glossary

Computer Security Incident - an event that may result in, or has resulted in, unauthorized access to or disclosure of sensitive or classified information; unauthorized modification or destruction of system data; reduced, interrupted, or terminated processing capability; malicious logic or virus activity; or the loss, theft, damage, or destruction of any IT resource. Examples of incidents include the insertion of malicious code (e.g., viruses, Trojan horses, back doors); unauthorized scans or probes; successful and unsuccessful intrusions; and insider attacks.

Computer Virus - a self-replicating set of instructions that attaches itself to programs, files, boot records, macros, diskettes, or other storage media and spreads from there to other programs, files, disks, systems, or networks. The instructions can display a message, erase or alter files or stored data, or potentially render a workstation or network inoperable. Sometimes, instead of carrying disruptive instructions, a virus causes damage simply by replicating and depleting resources such as disk space, memory, or network connections. Non-virus threats to user systems include worms, Trojan horses, and logic bombs. Worms are self-replicating programs that spread across networks on their own, without attaching to a host program, and may alter or destroy data. A Trojan horse is a destructive program concealed in software that appears harmless, and even attractive, to an unsuspecting user (such as a game or graphics application). Logic bombs are usually timed or event-triggered to do damage.

Detection - determining that a record, data file, or storage medium is contaminated with a virus.

Malicious software - any code that is intentionally included in software or firmware for an unauthorized purpose.

Unauthorized Software - any software that does not have a certificate of authority to operate.
Last revised: January 8, 2001