
For a whitepaper about anti-malware products used in combination with (server-side) applications and infrastructure components (database servers), I am looking for standards, guidelines and codified best practices which recommend, demand or forbid anti-malware programs (virus scanners).

I am also looking for published guidelines or interpretations on how the terms are interpreted by auditors.

(I added a self-answer with my findings so far; they should serve as an example and proof of effort.)

eckes

1 Answer


The things I found so far:

  • PCI DSS is very specific in requiring an active anti-malware program. There is an interpretation which says this applies to Linux servers as well (and only exempts midrange or host systems).
  • The European General Data Protection Regulation does not directly mention anti-malware; it does, however, require state-of-the-art technical and organizational controls to protect the integrity, availability and privacy of data. Most interpretations include anti-malware under that definition (especially given the prevalence of direct mentions in the audit and security standards below).
  • The SOX Act also emphasizes the controls needed for protecting the integrity of financial reporting systems (as well as cybersecurity). Control frameworks mandated by the SEC, like COBIT, also mention anti-malware procedures.
  • ISO 27001 features an appendix of controls including anti-malware procedures and controls (A.12.2 Protection from malware).
  • BSI (German) IT-Grundschutz-Katalog M 4.3 "Einsatz von Viren-Schutzprogrammen" (Use of virus protection programs).
eckes
  • All industry best practices I know of recommend using anti-virus products, because they are mostly focused on complex infrastructures and networks with a high number of end users that are not IT professionals. Oftentimes they do not have the necessary skills to identify viruses and malware by themselves. – Tom K. Apr 10 '18 at 14:19
  • Yes, but on-access scanners really mess with IO-intensive app servers, databases and web servers. So most controls are targeted towards desktop/endpoint, mobile, browser, e-mail/web proxy, but not transaction processing. (And if they do, everybody tries to avoid it.) – eckes Apr 10 '18 at 14:22