SI.L1-B.1.XIII
Malicious Code Protection

FCI Data

Security Requirement

Provide protection from malicious code at appropriate locations within organizational information systems.

USU Policy, Procedures, and Standards

University Policy 5200: Information Security and Appropriate Use

Requires secure configuration and timely updates to protect university devices. Aligns with patch management expectations, though timeframes are not explicitly stated. IT staff are tasked with “timely incident response” and “consistent application of security patches, configurations, reporting, and updates.” This strongly aligns with flaw identification, reporting, and remediation. Incidents (including vulnerabilities) must be reported according to established procedures at https://infosec.usu.edu.

NIST Cybersecurity Framework v2

  • Protect (PR): PR.IP-12 - Vulnerabilities are identified and managed in a timely manner.
  • Detect (DE): DE.CM-08 - Vulnerability scans are performed to identify flaws.
  • Respond (RS): RS.MI-01 - Incidents (including vulnerabilities) are analyzed and prioritized.
  • Respond (RS): RS.MI-02 - Incidents are resolved based on severity and impact.

Implementation Details

Documentation should include details to meet the Security Requirement for this control. Complete this list for each system that processes or accesses FCI data:

  • List where and how malicious code protection (e.g., antivirus, anti-malware) is implemented.
  • List how real-time scanning and regular updates are enforced.
  • List how alerts and incidents related to malicious code are monitored and responded to.
  • List any additional measures in place to detect, prevent, or recover from malicious code activity.

Document How

  • designated locations for malicious code protection are identified
  • protection from malicious code at designated locations is provided

Example

All endpoints and servers at USU are protected by EDR, which provides real-time detection and response for malicious code. The system automatically updates definitions and scans downloaded files, email attachments, and removable media. Alerts are integrated with the SIEM platform and monitored by security analysts. Web traffic is filtered, and staff receive security awareness training annually.

Endpoint Detection and Response (EDR) Platform

What it does:
  • Provides advanced threat detection and response capabilities for endpoints.
How it helps a researcher:
  • Ensures that all devices accessing research data are protected against malware and other threats.
  • Automatically scans for and mitigates threats.
Example:
  • A researcher’s laptop is protected by EDR, which automatically scans for and mitigates threats, ensuring the research systems are secure.

USU Email Filtering Services

What it does:
  • Scans inbound and outbound email for malicious content using threat intelligence and heuristics.
How it helps a researcher:
  • Protects against phishing, malware, and spam, reducing exposure to threats via email.
Example:
  • A phishing email from a spoofed funding agency is quarantined before reaching the researcher’s inbox, preventing credential theft.

Network Perimeter Protections (e.g., Enterprise Firewall and IPS)

What it does:
  • Monitors and controls traffic at the boundary between internal and external networks.
  • Enforces access rules, blocks malicious traffic, and detects anomalies.
How it helps a researcher:
  • Ensures only authorized traffic reaches research systems and blocks suspicious behavior.
Example:
  • A firewall restricts access to a research database to VPN users on USU-managed devices. The IPS blocks an attack signature in incoming traffic.

USU SIEM Platform for Monitoring and Alerting

What it does:
  • Aggregates and analyzes security logs from across university systems to detect anomalies and generate alerts.
How it helps a researcher:
  • Provides real-time visibility into security events affecting research systems and supports incident response.
Example:
  • A researcher’s laptop attempts to connect to a malicious domain. The SIEM detects the event, alerts security staff, and triggers remediation.

Security Awareness & Phishing Training

What it does:
  • Provides training on cybersecurity topics and conducts phishing simulations to reinforce learning.
How it helps a researcher:
  • Empowers researchers to recognize and respond to phishing and social engineering threats.
Example:
  • A researcher identifies a phishing email and reports it, helping block the campaign for other users.

The USU services listed above could be leveraged to meet control requirements*.

*List of services may not be complete or applicable for a given configuration. The use of a given service does not necessarily satisfy control requirements or may require specific configuration to meet control requirements. Documentation should include how the service is implemented to meet the control requirements.

How might an auditor assess this control?

Method

  • Examine:
    • Review endpoint protection configurations, update schedules, and malicious code incident logs.
  • Interview:
    • Ask IT and security teams how malware is detected, blocked, and how users are trained.
  • Test:
    • Check that systems have functioning protection, verify alerting, and test detection of a benign file.
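One way to gather the Examine and Test evidence from a Windows endpoint, added here as an example rather than USU's own tooling: it assumes the endpoint runs Microsoft Defender Antivirus (the page does not name the EDR product) and uses the built-in Defender module's Get-MpComputerStatus and Get-MpThreatDetection cmdlets; the signature-age threshold is an assumed value.

```powershell
# Added example: collect evidence that malicious code protection is functioning
# on a Windows endpoint. Assumes Microsoft Defender Antivirus (the page does not
# name USU's EDR product) and the built-in Defender PowerShell module.
$MaxSignatureAgeDays = 3   # assumed threshold; set it to the documented update expectation

$status = Get-MpComputerStatus

# Real-time scanning, engine state and definition currency
# (evidence for "EDR Configuration Settings" and "functioning protection")
$evidence = [ordered]@{
    Computer                  = $env:COMPUTERNAME
    AntivirusEnabled          = $status.AntivirusEnabled
    RealTimeProtectionEnabled = $status.RealTimeProtectionEnabled
    BehaviorMonitorEnabled    = $status.BehaviorMonitorEnabled
    OnAccessProtectionEnabled = $status.OnAccessProtectionEnabled
    SignatureLastUpdated      = $status.AntivirusSignatureLastUpdated
    SignatureAgeDays          = $status.AntivirusSignatureAge
}

# Detections in the last 30 days and whether the response action succeeded
# (evidence for "Alert Logs" and "Incident Reports")
$recent = @(Get-MpThreatDetection |
    Where-Object { $_.InitialDetectionTime -gt (Get-Date).AddDays(-30) } |
    Select-Object InitialDetectionTime, ProcessName, ActionSuccess,
        @{ n = 'Resources'; e = { $_.Resources -join '; ' } })

# Conditions an auditor would record as findings against this control
$findings = @()
if (-not $status.RealTimeProtectionEnabled) { $findings += 'Real-time protection is disabled' }
if ($status.AntivirusSignatureAge -gt $MaxSignatureAgeDays) {
    $findings += "Signatures are $($status.AntivirusSignatureAge) days old (limit $MaxSignatureAgeDays)"
}

[pscustomobject]$evidence | Format-List
"Detections in the last 30 days: $($recent.Count)"
$recent | Format-Table -AutoSize
if ($findings) { "FINDINGS:`n - " + ($findings -join "`n - ") } else { 'No findings' }
```

Run it in an elevated PowerShell session on each in-scope endpoint and keep the output with the other audit objects; it reports state only and changes nothing.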

Objects (examples of items you could present to the auditor)

  • EDR Configuration Settings: Showing real-time scanning, alerting, and update status.
  • Alert Logs: Showing recent detections and responses to malicious activity.
  • Training Records: Demonstrating user awareness efforts.
  • Email Filtering Logs: Showing blocked malicious attachments or links.
  • Incident Reports: Documented responses to malware detections.
  • Policy Documentation: Describing required protection methods and responsibilities.