Threat Alert Service (KTP)

How to develop an Anti-Virus Security Policy Program

  1. Identify risks to your company’s assets that can be protected by the implementation of an anti-virus program. This should be completed by first identifying company assets (including financials, human resources information, products/services R&D, as well as physical assets like product and infrastructure). Once these assets are identified, they can be assigned a risk factor that is based on threats due to virus infiltration. Key risks might include data integrity and productivity loss.

  2. Ensure that your company has clear objectives for its anti-virus program. In other words, your company needs to establish what risks are being managed by implementing anti-virus software. This will provide a framework for the deployment of your anti-virus software, and for the management of your anti-virus program. An example of a company’s objectives might be: “Prevent viruses from entering any single system or the network in order to protect company assets, ensure maximum employee productivity and data integrity.”

  3. Once your company has clear objectives for its anti-virus program, you then need to extrapolate what instructions need to be given in order to comply with the objectives.

  4. Begin by breaking down the objectives to identify their lowest common denominators (LCDs). In the example above, these would be:
    · Prevent viruses from accessing individual systems
    · Prevent viruses from accessing the network

  5. Once you have identified the LCDs, you then need to identify what instructions are required in order to comply with these objectives.

  6. These instructions are the policies for your anti-virus program. Some examples of policies that would instruct on compliance with the above objectives might include:
    · Virus screening software must be installed and enabled on all (Organization’s Name) firewalls, FTP servers, mail servers, intranet servers, and desktop machines.
    · Externally-supplied floppy disks may not be used on any (Organization’s Name) personal computer (PC) or local area network (LAN) server unless these disks have first been checked for viruses and received a decal indicating that no viruses were found.
    · To promptly detect and prevent the spread of computer viruses, all (Organization’s Name) personal computers (PCs) and servers must run integrity checking software. This software detects changes in configuration files, system software files, application software files, and other system resources. Integrity checking software must be continuously enabled or run daily.

  7. Each policy would exist in a policy document that would include the following information:
    · Corporate Objective – this would tell the audience what corporate objective was being met by the policy
    · Operational Objective – this would tell the audience what operational objective was being met by the policy
    · Scope of Use – this tells the audience under what circumstances the policy applies
    · Policy Statement – this is the actual policy statement, like the ones listed above
    · Audience – this indicates which groups, or individuals, must comply with this policy
    · References – this points to other corporate documents which are relevant to this policy
    · Revision Date – this indicates the last time the policy was revised

  8. In addition to the policy documents, the policy program should also include information at the beginning of the policy book regarding audits, compliance management, revision management, as well as a place for the employee to sign off to establish acceptance and agreement to comply. This document can be a part of a larger corporate security policy program, and the anti-virus policies can become a subsection of this program.

  9. Auditing must take place regularly, and there are two types of auditing: scheduled audits, which can be planned for by individuals and departments, and unscheduled mini-audits by department managers and the audit manager. The scheduled audits should expect higher rates of compliance than the unscheduled “surprise” audits. However, 100% compliance is an indication that the policies do not adequately protect the corporate assets. This is because compliance should be difficult to achieve to ensure that the maximum level of protection is achieved, to the extent that it does not hinder regular business practices. The point at which this balance between protection and execution of regular business activities is achieved is a fluid measurement, and depends on the changing priorities of businesses. It is extremely important that this balance is monitored through regular review sessions with management to ensure that it is consistently achieved. A security threshold set too low exposes a business to unnecessary risks. Similarly, a security threshold set too high can create productivity losses, as well as morale problems.

  10. Once the policies are developed, and the program is in place, it is extremely important to train the end-users who are expected to comply. This includes executive management teams, who must also be included as an audience within a security policy program. Compliance can be achieved through behaviour modification programs like rewards for high levels of compliance, as well as through an ongoing training program for existing employees, and a separate program for new employees.

  11. Finally, ensure that corporate resources are deployed so that the program will be kept up. Do so by planning the investment required prior to creating and deploying the program. You can justify the investment by putting together a matrix of the costs involved in not having an anti-virus program. These costs should be drawn from the risks to corporate assets that were identified at the beginning of your program.