Fayetteville Policies and Procedures  933.0 

Antivirus and Anti-Spyware Requirements and Virus Reporting

  1. Overview
    This policy is intended to set minimum standards of antivirus and anti-spyware protection for devices on the University of Arkansas network.

  2. Purpose
    This policy is designed to protect university data, systems, and networks from viruses, malware, or malicious code that would compromise the integrity, confidentiality, or availability of the aforementioned data, systems, or networks.  

  3. Scope
    This policy applies to all computing devices that are in any way connected to the university infrastructure via any type of network connection. 

  4. Definitions
    1. Endpoint Detection and Response (EDR):  The process of monitoring and detecting, in real-time, any suspicious activity or events occurring at computing devices. The goal of EDR solutions is to allow visibility into threats on a detailed timeline and provide real-time alerts in the event of an attack. 
    2. Information Technology Service Management (ITSM):  ITSM describes the management of IT services, from strategic planning to deployment, support, and improvement.  ITSM systems include the following processes: Incident Management, Change Management, Problem Management, Request Fulfillment, Asset and Configuration Management (CMDB, configuration management database), Knowledge Management, and a Service Catalog as part of the system. 
    3. Internet of Things (IoT):  The network of physical objects—"things"—that are embedded with sensors, software, and other technologies for the purpose of connecting and exchanging data with other devices and systems over the Internet. 
    4. Isolated and protected network (DMZ):  Network or network segment that is configured specifically for the process of cleaning an infected system without that system propagating to the production network. This is an area that IT (Information Technology) technicians can place rogue systems in to clean and certify that systems are virus-free before returning to the production network.
    5. IT staff:  IT Staff across the University of Arkansas, including departmental IT staff and Information Technology Services staff.
    6. Unsupported operating systems:  Operating system on a device that is no longer supported by the vendor of that system. This also includes systems for which maintenance and support were not purchased with the system.

  5. Policy
    1. General Requirements
      1. All computing devices connected to the university infrastructure must have university-approved antivirus and/or endpoint detection and response (EDR) software installed with current virus definitions. This includes, but is not limited to, desktop computers, laptop computers, and servers. Other connected devices, including cell phones, tablets, streaming devices, and all other IoT devices, must have the most recent operating system and security updates installed. If a device is not compliant or up to date, it should be placed on an isolated and protected network. 
      2. Any activities with the intention to create and/or distribute malicious files (e.g. viruses, worms, Trojan horses, email bombs, etc.) are strictly prohibited in accordance with the Code of Computing Practices.
      3. Students, faculty, staff, or guests should not attempt to destroy or remove a virus or any evidence of that virus without direction from university IT staff. Any virus-infected computer will be removed from the network and remain off the network until it is verified as virus-free by IT staff.

    2. Reporting Virus Activity
      1. Virus activity must be reported and documented using the university information technology service management (ITSM) system to track damage to data and systems, the scope of the impact, and the remediation steps across campus. Any device on the university network that is believed to be infected should be reported to the IT Help Desk immediately, regardless of whether the device is owned by the university, an employee, a student, or any other party. 
      2. Campus units should document and report all incidents to the Office of the Chief Information Security Officer (CISO). 
      3. Virus and malware-infected systems should be cleaned by department IT staff or escalated to the Office of the CISO as necessary to clean the infected systems. Department IT staff should receive training and follow documented procedures for removing viruses and/or spyware and certifying that a system is clean before returning it to the network.
      4. Virus and/or malware activity that is detected by the Office of the CISO and has not been automatically cleaned should be reported to the responsible department for cleaning and certification. 
      5. See also Computer and Network Security Policy.

    3. Unsupported Operating Systems
      Unsupported operating systems must be reported to departmental IT staff and the Office of the CISO, who will ensure that best security practices are used, security configurations are applied, and risks to the university are minimized.

  6. Reporting and Addressing Suspected Violations
    Anyone who has reason to believe that another person has violated this policy shall report the matter promptly to the Office of the CISO (Chief Information Security Officer) and/or their supervisor or department head. Failure to report a suspected violation is a violation of this policy. After a suspected violation of this policy has been reported or discovered, the issue will be handled as soon as possible to mitigate any harm to the university and its affiliates.

  7. Enforcement 
    Violation of this policy may result in loss of access and disciplinary action up to and including termination. For additional information, see the Code of Computing Practices.

  8. Exemptions 
    Exemptions from this policy must be approved. Any questions about the contents of this policy or the applicability of this policy to a particular situation should be referred to the Office of the CISO. Please see the Exemption policy.

June 6, 2022