You’ve been under the gun to get through a compendium of various compliance requirements. Each one seems more complicated and demanding than the one before it. Finally you get to the antivirus item and it’s almost like the clouds part, a beam of sunshine falls down on your shoulders, and angels start singing.
At last, something easy. Do you have antivirus? Yep! Check that off the list, take a big cleansing sigh, and move on.
Unfortunately, it’s not that easy.
You can’t simply say that you have antivirus and count your work as done. That’s like asking, “Do we have a cash flow?” and leaving it at that.
It’s not enough simply to have antivirus — you need to be using it and have it configured correctly as well. Here’s what you need to do with antivirus software to keep your machines protected.
Inventory Your Machines
First, determine which machines and devices need antivirus. Consider your production servers and your development and staging environments. Also consider personnel devices — laptops, desktops, and tablets. Don’t forget the devices that are being used remotely!
It’s easy to overlook devices unless you create and maintain a thorough inventory. Every security and compliance standard requires maintaining an inventory of your machines. Don’t only list your important boxes, but do a full-scale inventory of every device.
Even if you don’t need antivirus software on every machine, it’s helpful to keep an inventory of everything. That way, you can manage just one inventory that spans a multitude of compliance requirements. There’s just one place to go in and see everything.
Select the Right Antivirus
Make sure that the antivirus software you purchase will meet your needs. Will it detect and protect against all known types of malicious software? Can it be configured to do all the things that you expect it to?
Your selection of antivirus software is driven by two factors:
- The security and compliance requirements of your certification, which determine the requirements of your antivirus software.
- The risk tolerance of your organization. What risks are you willing to take on?
Depending on your risk tolerance, you might choose not to install antivirus software on every machine in your inventory. For some machines, the risk is minimal — they aren’t networked, or their operating system (such as Linux) is rarely targeted in comparison to Windows.
You should have a formal, documented decision-making process. Review your stance on this matter at least annually, because the security landscape changes over time.
Check Antivirus Software Installations
Just because a machine was once marked as having A/V software, that doesn’t mean it still has it. I can’t tell you how many times a client was positive all their machines had antivirus, only to discover they didn’t.
Use the inventory to check every machine that should have antivirus software. Review the list annually to be sure that every device does in fact have A/V software. Provide documented evidence that the review was completed.
Check Your Antivirus Setup
A machine with antivirus installed can still be vulnerable if the A/V isn’t set up properly. When checking machines for antivirus software, verify that the antivirus definitions are kept up to date.
The systems should be receiving definition updates daily (at least!). New variants of viruses are propagated multiple times per day, and it’s imperative that your antivirus software continually keeps up.
Also check how frequently the software scans each machine for viruses.
Verify that each individual system is generating logs for antivirus activity, and that a central logging system is monitoring those logs for any red flags. Look at the master installation and be sure it’s actively running and its settings are correct. Be sure it’s receiving feeds from every machine with A/V software. Also be sure that neither the master installation nor any of your distributed antivirus software can be disabled or altered by the users themselves.
What if You Need to Turn off Antivirus?
There may be brief times when you need to disable antivirus on a machine — for example, if you’re running testing on the device.
Turning off A/V should only be possible with proper authorization from management. Each request needs to be handled on a case-by-case basis, and approved only for a limited time. If possible, A/V software should be scheduled to turn off and to turn back on again automatically for that specific management-approved case. That way you don’t risk someone forgetting to flip it back on when they’re done testing.
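The checks from the last three sections (agent installed, definitions current, scans recent, logs reaching the central system, users unable to tamper, and disabling only under an unexpired approval) can be run against the inventory in one pass. The following is an added example, not part of the original article or any vendor's tooling; the CSV layouts, host names, exception ID, and the seven-day scan threshold are assumptions made for illustration.

```python
import csv, io
from datetime import datetime, timedelta

# Constructed sample exports; the column names are assumptions, not a vendor format.
INVENTORY_CSV = """host,requires_av,exception_doc
web-01,yes,
build-02,yes,
lab-03,no,RISK-EXAMPLE-1
laptop-04,yes,
laptop-05,yes,
tablet-06,yes,
"""
AV_CSV = """host,defs_updated,last_scan,log_forwarding,tamper_protection,enabled,disable_approved_until
web-01,2024-05-01T06:00,2024-04-30T23:00,yes,yes,yes,
build-02,2024-04-25T06:00,2024-04-30T23:00,yes,yes,yes,
laptop-04,2024-05-01T05:00,2024-04-10T12:00,no,no,yes,
laptop-05,2024-05-01T05:00,2024-04-30T12:00,yes,yes,no,2024-04-30T18:00
"""
MAX_DEF_AGE = timedelta(days=1)   # the page asks for at least daily updates
MAX_SCAN_AGE = timedelta(days=7)  # assumption: the page sets no scan interval

def audit(inventory_csv, av_csv, now):
    """Return {host: [findings]} for every inventoried machine that fails a check."""
    ts = datetime.fromisoformat
    av = {r["host"]: r for r in csv.DictReader(io.StringIO(av_csv))}
    findings = {}
    for m in csv.DictReader(io.StringIO(inventory_csv)):
        a = av.get(m["host"])
        if m["requires_av"] != "yes":
            # Machines excluded from A/V need a documented risk decision.
            issues = [] if m["exception_doc"] else ["no documented exception"]
        elif a is None:
            issues = ["no A/V agent reporting"]
        else:
            until = a["disable_approved_until"]
            checks = [
                (now - ts(a["defs_updated"]) > MAX_DEF_AGE, "definitions stale"),
                (now - ts(a["last_scan"]) > MAX_SCAN_AGE, "scan overdue"),
                (a["log_forwarding"] != "yes", "not feeding central logging"),
                (a["tamper_protection"] != "yes", "users can disable A/V"),
                (a["enabled"] != "yes" and (not until or ts(until) < now), "disabled, approval missing or expired"),
            ]
            issues = [msg for failed, msg in checks if failed]
        if issues:
            findings[m["host"]] = issues
    return findings

if __name__ == "__main__":
    for host, issues in audit(INVENTORY_CSV, AV_CSV, datetime(2024, 5, 1, 12, 0)).items():
        print(f"{host}: {'; '.join(issues)}")
```

Saving each run's output with its date gives you the documented evidence that the review was completed.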
Personal Devices Used for Work
How do you ensure that antivirus is installed properly on personal devices that are used for work? In the best case scenario, you don’t have people using personal devices for work, because you can’t control those devices. Instead, distribute company devices to people who work remotely.
If you hire contractors to work for you, be sure that your contracts state that they must adhere to your company’s security requirements for their devices.
Make Antivirus Management Simpler
Good security means more effort than simply having antivirus software, but you can make the work more manageable by using TCT Portal. Our compliance management system simplifies and streamlines the work of compliance management. With TCT Portal, installing and checking antivirus requirements becomes a bite-size activity.