PURPOSE:
This Anti-Malware Policy outlines the standards and procedures for preventing, detecting, and responding to malware infections on Idaho College of Osteopathic Medicine (ICOM) information assets and systems. The purpose of this policy is to protect the institution's data, systems, and reputation from the threats posed by malware, maintaining confidentiality, integrity, and availability of institutional resources and ensuring a secure computing environment for all users. This policy applies to all devices and systems that connect to the institution's network or access institutional data, regardless of location or ownership.
SCOPE:
This policy applies to all individuals who access, use, or manage ICOM information assets and systems, including but not limited to:
- Faculty
- Staff
- Administrators
- Students
- Affiliates
- Contractors
- Vendors
- Guest users
This policy encompasses all information assets and systems, including but not limited to:
- Institutionally owned devices (desktops, laptops, servers, mobile devices)
- Personally owned devices (desktops, laptops, mobile devices) when used to access institutional resources ("Bring Your Own Device" or BYOD)
- All operating systems and software
- Network infrastructure
- Data stored and accessed within SaaS applications
- All forms of malware, including but not limited to viruses, worms, Trojans, ransomware, spyware, adware, and rootkits.
DEFINITIONS:
- Information Assets and Systems: All the institution's valuable information, data, and the technology used to store, process, and transmit that information. This includes things like student records, financial data, research, software, computers, and networks.
- Malware (Malicious Software): Software designed to intentionally cause harm or disruption to computer systems, networks, or data. This is a broad term encompassing various types of threats, including viruses, worms, Trojans, ransomware, spyware, adware, and rootkits.
POLICY:
Mandatory Anti-Malware Software: All devices within the scope of this policy must have up-to-date and actively running anti-malware software that meets the institution's minimum standards, as specified by the Information Security Office.
Real-time Protection: Anti-malware software must be configured for real-time, active scanning and protection against malware threats.
Automatic Updates: Anti-malware software must be configured to automatically receive and install the latest signature updates and software updates from the vendor to ensure protection against newly identified threats.
Prohibited Actions: Users are strictly prohibited from:
- Disabling or circumventing anti-malware software or its protective features.
- Intentionally downloading, installing, or executing known or suspected malware.
- Overriding security warnings or alerts from anti-malware software without explicit authorization from the Information Technology Office.
- Connecting devices known to be infected with malware to the institution's network or using them to access institutional data.
- Installing unauthorized software or browser extensions that could introduce malware risks.
Email and Web Browsing Security:
- Users must exercise caution when opening email attachments or clicking on links, especially from unknown or untrusted sources.
- Users should avoid visiting websites with poor reputations or those known to distribute malware.
- The institution may implement email filtering and web content filtering to proactively block known malware distribution channels.
Removable Media Security: The use of removable media (USB drives, external hard drives, etc.) should be minimized. The use of unencrypted removable media for sensitive data is prohibited.
Incident Reporting: Any suspected malware infection, security alert, or unusual system behavior must be reported immediately to the Information Technology Office or the IT Help Desk.
Incident Response: The Information Security Office will manage and coordinate the response to malware incidents. This may include isolating infected devices, disinfecting systems, data recovery, and forensic analysis. Users must cooperate fully with incident response efforts.
BYOD Considerations: For personally owned devices used to access institutional resources (BYOD), users are responsible for ensuring their devices comply with this Anti-Malware Policy, including installing and maintaining approved anti-malware software. The institution may require verification of anti-malware compliance for BYOD devices.
POLICY EXCEPTIONS:
Exceptions to this policy may be granted in limited circumstances by the Chief Information Officer, with appropriate justification and compensating controls in place.
ENFORCEMENT:
Enforcement of this Anti-Malware Policy is the responsibility of all managers, supervisors, and system administrators, under the overall direction of the Chief Information Officer. Violations of this policy may result in disciplinary actions, up to and including termination of employment or access privileges, and potential legal consequences. The Information Technology Office will monitor compliance with this policy and investigate reported violations.
POLICY REVIEW AND UPDATES:
This Anti-Malware Policy will be reviewed and updated at least annually, or as needed to reflect changes in malware threats, technology, regulations, institutional risk assessments, or business needs. The Chief Information Officer is responsible for coordinating policy reviews and updates.
PRIMARY POLICY OWNER:
Chief Information Officer
APPROVAL:
Effective: 7/8/25
Last Reviewed: 7/8/25
Review Requirement: Annual