SI.L1-B.1.XV
System & File Scanning

FCI Data

Security Requirement

Perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened, or executed.

USU Policy, Procedures, and Standards

University Policy 5200: Information Security and Appropriate Use

Requires all devices to meet security standards, including endpoint protection against unauthorized access, malware, and other threats. IT staff are responsible for implementing endpoint protections and keeping them updated, which encompasses scheduled and real-time scanning functionality.

NIST Cybersecurity Framework v2

  • Protect (PR): PR.PS-05 - Installation and execution of unauthorized software are prevented.
  • Detect (DE): DE.CM-09 - Computing hardware and software, runtime environments, and their data are monitored to find potentially adverse events.
  • Identify (ID): ID.IM-02 - Improvements are identified from security tests and exercises, including those done in coordination with suppliers and relevant third parties.

Implementation Details

Documentation should include details to meet the Security Requirement for this control. Complete this list for each system or systems that process or access FCI data:

  • List how and where periodic scanning for malicious code is performed.
  • List how real-time scanning is configured for files downloaded from external sources (e.g., email, websites, USB devices).
  • List how scanning results are monitored, logged, and responded to.
  • List any additional processes to ensure malicious code scanning remains current and effective.

Document How

  • the frequency for malicious code scans is defined
  • malicious code scans are performed with the defined frequency
  • real-time malicious code scans of files from external sources as files are downloaded, opened, or executed are performed
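The two lists above ask for evidence that the defined scan frequency is actually met on every FCI endpoint. The following script is an added example (not part of this page or of any EDR vendor's tooling) of how that evidence can be produced from an EDR console export. It assumes the export has the columns hostname, last_full_scan, definitions_updated and realtime_protection, and that the policy values are a full scan every 7 days and definitions no older than 3 days; the CSV rows, the column names and the policy values are constructed for illustration.

```python
"""Check EDR scan evidence against a defined scan frequency.

Added illustrative script (not part of the USU page or any EDR vendor's
tooling). It assumes the EDR console can export a per-endpoint report with
the columns used below; the rows in SAMPLE_EXPORT are constructed sample data.
"""
import csv
import io
from datetime import datetime, timedelta, timezone

# Assumed policy values (replace with the documented standard):
# a full scan at least every 7 days, definitions no older than 3 days.
SCAN_INTERVAL = timedelta(days=7)
MAX_DEFINITION_AGE = timedelta(days=3)

# Constructed sample export; timestamps are UTC ISO-8601, blank = never.
SAMPLE_EXPORT = """\
hostname,last_full_scan,definitions_updated,realtime_protection
lab-ws-01,2024-05-20T02:00:00Z,2024-05-21T06:00:00Z,on
lab-ws-02,2024-05-02T02:00:00Z,2024-05-21T06:00:00Z,on
lab-ws-03,2024-05-20T02:00:00Z,2024-05-10T06:00:00Z,on
lab-ws-04,2024-05-20T02:00:00Z,2024-05-21T06:00:00Z,off
lab-ws-05,,2024-05-21T06:00:00Z,on
"""

# Fixed "now" so the sample evaluates the same way on every run.
AS_OF = datetime(2024, 5, 21, 12, 0, tzinfo=timezone.utc)


def parse_ts(value):
    """Return an aware UTC datetime, or None for an empty field."""
    if not value:
        return None
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def evaluate(export_text, as_of=AS_OF, scan_interval=SCAN_INTERVAL,
             max_def_age=MAX_DEFINITION_AGE):
    """Map each hostname to the list of control gaps found for it.

    An empty list means the endpoint passes all three checks: a periodic
    scan within the defined frequency, current definitions, and real-time
    protection enabled.
    """
    findings = {}
    for row in csv.DictReader(io.StringIO(export_text)):
        gaps = []

        last_scan = parse_ts(row["last_full_scan"])
        if last_scan is None:
            gaps.append("no full scan recorded")
        elif as_of - last_scan > scan_interval:
            overdue = (as_of - last_scan - scan_interval).days
            gaps.append("full scan overdue by %d days" % overdue)

        defs = parse_ts(row["definitions_updated"])
        if defs is None or as_of - defs > max_def_age:
            age = "unknown" if defs is None else "%d days old" % (as_of - defs).days
            gaps.append("definitions stale (%s)" % age)

        if row["realtime_protection"].strip().lower() != "on":
            gaps.append("real-time protection disabled")

        findings[row["hostname"]] = gaps
    return findings


def noncompliant_hosts(findings):
    """Sorted hostnames with at least one gap; the list to follow up on."""
    return sorted(host for host, gaps in findings.items() if gaps)


if __name__ == "__main__":
    results = evaluate(SAMPLE_EXPORT)
    for host in sorted(results):
        status = "OK" if not results[host] else "; ".join(results[host])
        print("%-10s %s" % (host, status))
    print("non-compliant: %d of %d" % (len(noncompliant_hosts(results)), len(results)))
```

Run against a real export on a schedule (at least as often as the defined scan frequency) and keep the output with the ticket opened for each non-compliant host; that pairing is the evidence an auditor will ask for under the Examine and Objects sections below.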

Example

  USU's EDR performs real-time scanning of all file downloads, email attachments, and executable files as they are written, opened, or executed. Full system scans are scheduled via the EDR console at the frequency defined in the scanning standard (e.g., weekly), and endpoints that miss a scheduled scan are reported as non-compliant. Alerts are integrated into the SIEM platform for continuous monitoring. Remediation steps and user notifications are automated based on severity, and all incidents are tracked via the ticketing system.

Endpoint Detection and Response (EDR) Platform

What it does:
  • Provides advanced threat detection and response capabilities for endpoints.
How it helps a researcher:
  • Ensures that all devices accessing research data are protected against malware and other threats.
  • Automatically scans for and mitigates threats.
Example:
  • A researcher’s laptop is protected by EDR, which automatically scans for and mitigates threats, ensuring the research systems are secure.

USU Email Filtering Services

What it does:
  • Scans inbound and outbound email messages for malicious content using threat intelligence and heuristics.
How it helps a researcher:
  • Protects researchers from phishing emails and malicious attachments that could compromise accounts or introduce malware to FCI systems.
Example:
  • A researcher receives a spoofed email from a known funding agency. The filtering service detects a malicious link and quarantines the message before it reaches the inbox.

Endpoint Management Tools (e.g., Intune, Jamf)

What it does:
  • Allows USU IT to remotely configure, secure, and manage university-owned endpoints.
  • Enforces security policies, deploys updates, ensures disk encryption, and maintains compliance reporting.
How it helps a researcher:
  • Ensures that research devices are secured and compliant with institutional requirements, preventing unauthorized access or vulnerabilities.
Example:
  • A macOS laptop in a research lab is managed through Jamf. It receives regular updates, enforces FileVault encryption, and restricts unapproved software. Non-compliant devices are flagged and restricted from accessing sensitive systems.

USU SIEM Platform for Monitoring and Alerting

What it does:
  • Aggregates and analyzes security logs from endpoints, servers, firewalls, and cloud services.
  • Detects anomalies, correlates events, and generates alerts for potential threats or policy violations.
How it helps a researcher:
  • Provides real-time visibility into security events that could impact research systems, supporting incident detection and response.
Example:
  • A researcher’s laptop attempts to connect to a known malicious domain. The SIEM correlates the event with threat indicators, generates an alert, and enables security staff to isolate the device and remediate the issue before data is compromised.

The USU services listed above could be leveraged to meet control requirements*.

*List of services may not be complete or applicable for a given configuration. The use of a given service does not necessarily satisfy control requirements or may require specific configuration to meet control requirements. Documentation should include how the service is implemented to meet the control requirements.

How might an auditor assess this control?

Method

  • Examine:
    • Review the scanning policy and standard (including the defined scan frequency), EDR real-time protection and scheduled-scan settings, and scan completion and detection logs.
  • Interview:
    • Ask administrators how periodic scans are scheduled, how real-time scanning of downloaded, opened, or executed files is enforced, and how detections are monitored and responded to.
  • Test:
    • On a sample endpoint, confirm in the EDR console that real-time protection is enabled and that the last full scan falls within the defined frequency; download the EICAR test file and confirm it is blocked or quarantined and that the event appears in the EDR console and the SIEM.

Objects (examples of items you could present to the auditor)

  • Scanning Policy: Documentation defining the scan frequency and real-time scanning requirements.
  • Scan Logs: Showing completed periodic scans and real-time detections on FCI systems.
  • Alerting Records: Notifications for detections, missed scans, or disabled real-time protection.
  • Support Tickets: Showing follow-up actions for detections and non-compliant endpoints.
  • Training Records: Staff knowledge of scanning requirements and incident handling procedures.