SI.L1-B.1.XIV
Update Malicious Code Protection

FCI Data

Security Requirement

Update malicious code protection mechanisms when new releases are available.

USU Policy, Procedures, and Standards

University Policy 5200: Information Security and Appropriate Use

Requires all university-owned devices to meet or exceed the security procedures at https://computers.usu.edu, which include configuration management and endpoint protection. IT staff are tasked with “consistent application of security patches, configurations, reporting, and updates.” This includes antivirus and EDR definitions.

NIST Cybersecurity Framework v2

  • Protect (PR): PR.PT-03 - Malicious code is detected and addressed.
  • Protect (PR): PR.IP-05 - Protection technologies are updated regularly to address new threats.

Implementation Details

Documentation should include the details needed to meet the Security Requirement for this control. Complete this list for each system, or group of systems, that processes or accesses FCI data:

  • List the tools or systems used to provide malicious code protection (e.g., antivirus, endpoint protection).
  • List how updates for malware definitions and software are applied (e.g., automated or manual processes).
  • List how update compliance is monitored and enforced.
  • List any additional procedures that support regular and reliable protection updates.

Document How

  • malicious code protection mechanisms are updated when new releases are available

Example

USU uses EDR across all systems accessing FCI. The platform is configured to automatically receive malware definition and agent updates. Systems are monitored centrally, and update compliance reports are reviewed. Security personnel are notified of any update failures, and remediation is tracked through the ticketing system.

USU Services that could be leveraged to meet control requirements include*:

Endpoint Detection and Response (EDR) Platform

What it does:
  • Provides advanced threat detection and response capabilities for endpoints.
How it helps a researcher:
  • Ensures that all devices accessing research data are protected against malware and other threats.
  • Automatically scans for and mitigates threats.
Example:
  • A researcher’s laptop is protected by EDR, which automatically scans for and mitigates threats, ensuring the research systems are secure.

Endpoint Management Tools (e.g., Intune, Jamf)

What it does:
  • Allows USU IT to remotely configure, secure, and manage university-owned endpoints.
  • Enforces security policies, deploys software updates, ensures disk encryption, and maintains device compliance reporting.
How it helps a researcher:
  • Ensures that both Windows and macOS devices used by researchers are consistently secured and compliant with institutional requirements.
  • Prevents unauthorized access or vulnerabilities by automating critical security tasks like patching, antivirus enforcement, and encryption.
Example:
  • A macOS laptop used in a research lab is managed through Jamf. The device receives regular macOS security updates, enforces FileVault encryption, and restricts installation of unapproved software. If the system becomes non-compliant, it is flagged in the compliance dashboard and access to sensitive research systems is restricted until resolved.

*List of services may not be complete or applicable for a given configuration. The use of a given service does not necessarily satisfy control requirements or may require specific configuration to meet control requirements. Documentation should include how the service is implemented to meet the control requirements.

How might an auditor assess this control?

Method

  • Examine:
    • Review update policies, EDR platform settings, and update compliance logs.
  • Interview:
    • Ask administrators how updates are applied, monitored, and responded to.
  • Test:
    • Verify current update version on a sample endpoint and compare against latest available definition.
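One way to perform the monitoring step from the Implementation Details list (how update compliance is monitored and enforced) and the auditor's test above (comparing a sample endpoint's version against the latest available release), as an added example rather than USU's own tooling: a script that reads an EDR compliance export, compares each endpoint's definition and agent versions against the latest published release, and flags definitions older than a policy-defined maximum age. The export format, hostnames, version numbers, review time and the three-day tolerance are all assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample EDR compliance export; column names, hostnames and versions are hypothetical.
SAMPLE_REPORT = """\
hostname,definition_version,definition_timestamp,agent_version
lab-win-01,1.405.122.0,2024-05-14T03:10:00,4.18.2
lab-mac-02,1.405.122.0,2024-05-14T03:12:00,4.18.2
lab-win-03,1.403.987.0,2024-05-09T22:40:00,4.18.2
lab-win-04,1.405.100.0,2024-05-13T17:05:00,4.17.9
"""

LATEST_DEFINITION = "1.405.122.0"        # latest vendor definition release (constructed value)
LATEST_AGENT = "4.18.2"                  # latest agent release (constructed value)
MAX_DEFINITION_AGE = timedelta(days=3)   # tolerance from the local update policy (assumption)
REPORT_TIME = datetime(2024, 5, 15, 8, 0, 0)  # when the export was reviewed (constructed)

def parse_version(version):
    """Turn '1.405.122.0' into (1, 405, 122, 0) so versions compare numerically."""
    return tuple(int(part) for part in version.split("."))

def parse_report(text):
    """Parse the CSV-style export into one dict per endpoint row."""
    lines = text.strip().splitlines()
    header = lines[0].split(",")
    return [dict(zip(header, line.split(","))) for line in lines[1:]]

def check_compliance(report_text, latest_def=LATEST_DEFINITION, latest_agent=LATEST_AGENT,
                     now=REPORT_TIME, max_age=MAX_DEFINITION_AGE):
    """Return {hostname: [findings]}; an empty findings list means the endpoint is current."""
    results = {}
    for row in parse_report(report_text):
        findings = []
        if parse_version(row["definition_version"]) < parse_version(latest_def):
            findings.append("definitions behind latest release")
        age = now - datetime.fromisoformat(row["definition_timestamp"])
        if age > max_age:
            findings.append(f"definitions {age.days} days old (limit {max_age.days})")
        if parse_version(row["agent_version"]) < parse_version(latest_agent):
            findings.append("agent behind latest release")
        results[row["hostname"]] = findings
    return results

def noncompliant(results):
    """Hostnames that need a remediation ticket, sorted for stable reporting."""
    return sorted(host for host, findings in results.items() if findings)

if __name__ == "__main__":
    results = check_compliance(SAMPLE_REPORT)
    print({host: results[host] for host in noncompliant(results)})
```

The flagged hosts and their findings are what would feed the alerting records and support tickets listed under Objects below.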

Objects (examples of items you could present to the auditor)

  • Update Policy: Documentation describing how updates are managed and enforced.
  • Update Logs: Showing successful application of malicious code protection updates.
  • Alerting Records: Notifications for failed or missing updates.
  • Support Tickets: Showing follow-up actions for systems that failed to update.
  • Training Records: Staff knowledge of update requirements and procedures.