
ISO 27001 A.10.4.1 - Detecting, Preventing and Recovering from Malicious Code Threats

Richard Regalado

Trusted Information Resource
#1
Implementing this control will help the implementing organization in detecting, preventing and recovering from threats borne from malicious code.

Malicious code - viruses, logic bombs, trojan horse, root kits, etc.

This is an example of a control where a technical solution (e.g. anti-virus software) should be augmented by non-technical activities (e.g. user awareness training). Because no matter how expensive your anti-virus software is, if users keep on opening attachments from unknown senders or downloading programs from the web, your anti-virus software investment would not be enough.

Tips in implementing this control:

1. installation of anti-virus software and regular updating of the virus definition files, to regularly scan computers and associated media, including files received over networks and from the web.

2. establishing regular awareness interventions (e.g. training, email blasts, reminders on the intranet, posters, etc.) to educate users against opening attachments from unknown users, using illegal software and other similar activities which may increase the likelihood of getting malicious code into the network

3. including this in the regular reviews and audits; in particular, be on the look-out for the presence of illegal files

4. having an approved policy for the use of authorized software

5. preparing a business continuity plan for recovery efforts from malicious code attacks

6. having an incident management procedure including allocation of roles and responsibilities to responders for malicious code attacks


What other techniques can you think of for the proper and effective implementation of this control? Feel free to share! Good day!

JSambrook

#2
Re: ISO 27001 A.10.4.1 Malicious Code

You can firewall different areas of the organization so that if you do get a virus, the damage it can do is limited.

For example, have Finance on a network that is tightly firewalled off from Marketing. I think we all know those folks in Marketing are always picking up viruses from the different sites (ahem) they visit.
 

Richard Regalado

Trusted Information Resource
#3
Re: ISO 27001 A.10.4.1 Malicious Code

You can firewall different areas of the organization so that if you do get a virus, the damage it can do is limited.

For example, have Finance on a network that is tightly firewalled off from Marketing. I think we all know those folks in Marketing are always picking up viruses from the different sites (ahem) they visit.

Excellent contribution JSambrook! Let's talk about network segregation more on another topic. :)
 

pldey42

#4
Re: ISO 27001 A.10.4.1 - Detecting, Preventing and Recovering from Malicious Code Thr

Some more ideas:

Use multiple firewalls from different vendors, so that if a virus gets past one, another might stop it.

Make sure the virus scanners scan USB devices prior to enabling them (or disable USB).

For software that's written in-house (including scripts) include an inspection process alongside testing – it's hard to get a logic bomb past another programmer.

Constantly remind everyone not to open attachments unless they're darn sure they're good (and make sure the virus scanner scans them). Remember that some viruses come from known users, whose e-mail address book has been hijacked by a virus. So if you get an odd or unexpected attachment from someone you know, especially one claiming to be a joke or an interesting picture, call them before opening it.

Keep all the servers, desktop machines and laptops fully up to date with (tested) patches.

Harden the machines so that only authorized staff can install new or modified software.

Take sensitive servers and databases entirely off-line if possible, and restrict electronic access to them. Along the same lines, only keep information for as long as necessary.

Encrypt the databases so that if a virus phones information home, it's useless without the encryption keys.

Define help desk processes that enable staff to quickly identify a possible virus attack and close down (parts of) the network quickly in order to quarantine it. Make sure someone has the skills to identify infected computers and clean them, and – critically – can make sure the virus does not get into the backups (or if it has, locate uninfected backups).

Engage an ethical hacking organization to perform penetration tests regularly, not just on the IT controls but also using social engineering techniques to assure people are on their toes and won't, for example, take a USB stick from the nice man in the parking lot and plug it into a machine in exchange for a few pennies ...

As has been said, keep everyone aware. One person, one mistake, and precious information gets compromised – and the bad guys spend their time looking for that one person.

Or – use Linux!

Hope this helps,
Pat