Information Technology Standard 05.4.0

Virus & Malicious Code Protection Standard

Date of Current Revision or Creation: November 1, 2021

The purpose of an Information Technology Standard is to specify requirements for compliance with Old Dominion University Information Technology policies, other University policies, as well as applicable laws and regulations. Standards may include business principles, best practices, technical standards, migration and implementation strategies, that direct the design, deployment and management of information technology.

Purpose

The purpose of this standard is to define the requirements to protect and defend the Old Dominion University network from the spread of a computer virus or other unintended or malicious destruction.

Definitions

Endpoint Protection - Software intended for the protection of laptop and desktop resources both on and off-campus that is licensed by ODU for use by faculty and staff computers.

Data Users/Users - Individuals and organizations that access institutional data and information in order to perform their assigned duties or to fulfill their role in the University community.

Malicious Code - the term used for any code in any part of a software system or script that is intended to cause undesired effects, security breaches, or damage to a system. Malicious code can include attack scripts, viruses, worms, Trojan horses, backdoors, and malicious active content.

Standards Statement

Malicious Code Protection

Users will not willfully introduce virus-infected media or other foreign materials into any University systems without proper authorization and without using up-to-date, approved virus-scanning software.

Advanced endpoint protection will be used on ITS-managed desktops, laptops, and servers. All devices connected to the network, including off-campus computers, should have some form of anti-virus, endpoint protection, or be configured according to best practice for the operating system. Personally owned devices are also subject to compliance when connected to the ODU network.

Information Technology Services will monitor network activity and take appropriate action to control infection. Any server or client known to be an infecting agent will be disconnected and the user notified immediately. The user or department will be responsible for bringing the device into compliance.

Malicious Code Protection

Users will not intentionally develop or experiment with malicious programs and are prohibited from knowingly propagating malicious programs including opening attachments from unknown sources.

ODU will provide malicious program detection, protection, eradication, logging, and reporting capabilities for IT systems and users. Malicious program protection should remove or quarantine malicious programs that it detects; provide alert notifications; protect memory and storage devices; protect against files retrieved through a network connection or from an input storage device; allow only authorized personnel to modify program settings; monitor activity, maintain logs of protection activities, or some combination of these.

Disciplinary Action

Users who willfully disregard this Standard are subject to disciplinary actions as provided for in other organizational employment and human resources policies.

Procedures, Guidelines & Other Related Information

• Federal and State Law
• University Policy 3500 Policy on the Use of Computing Resources
• IT Standard 05.1.0 IT Security Incident Handling Standard
• IT Standard 09.1.0 Acceptable Use Standard

History