Virus Protection and Patch Management Policy

Date Established: November 1, 2004

I. Introduction

Overview

The purpose of this policy is to ensure the integrity, reliability and good performance of San Mateo County computing resources through the effective and efficient prevention of computer virus outbreaks and network security attacks involving computers and fileservers attached to the San Mateo County Network by the implementation of proactive, centrally administered virus protection and Operating System patch management.

Virus protection is most effective if every computer and fileserver on the San Mateo County network has anti-virus software installed and is configured to receive updates from a centrally located anti-virus server. Operating system updates are most effective if every computer and fileserver on the San Mateo County network is configured to receive tested and proven stable operating system updates from a centrally located patch-management server. In order to maintain full effectiveness of both anti-virus software and operating system patch management services it is essential that both systems be in place, kept current and centrally administered.

The policy applies to all Microsoft Windows and Linux based computers owned or operated by San Mateo County, to all Windows computers not owned or operated by the County but are present on San Mateo County premises, and to Windows based computers that remotely access the County’s internal network.

Definitions

The following terms have the meanings indicated below unless the context indicates otherwise:

County Network: As used here “County network” includes the County’s information network backbones, department Local Area Networks and all devices that attach, directly or indirectly, to the networks, including remote and wireless attachments.

Chief Information Officer (CIO): As used here “Chief Information Officer”, or his designee, is the County’s Information Technology Security Officer. In this capacity, the Chief Information Officer is responsible for implementing security policy, issuing security alerts, documenting security incidents, and reporting to executive management on the state of information security in the County.

Department Head: As used here “Department Head” is the Director of a County Department or Agency.

Department Information Technology staff: Staff assigned by departments to administer the departments’ Information Technology environment.

Server: A computer configured with the intention and purpose of regularly providing services including e-mail (SMTP), Web hosting (HTTP), file sharing, or other services to multiple users typically at a departmental or larger level.

Microsoft Windows Computer: A computer running a Microsoft Windows Operating system

Other County Policies

The County has other policies that may address specific areas of information security including policies on Security, Internet use, Email use and portable computing. Individual Departments may have additional policies that also address information security issues. These policies are cumulative and in the event of conflict, the policies providing the County with the greatest level of security apply.

II. Policy

ISD will provide and maintain anti-virus software that will be run on all computers and fileservers connected to the San Mateo County network. All computers and fileservers connected to the San Mateo County network must be configured to receive updates from centrally administered resources. ISD will provide and maintain Microsoft operating system patches and updates. All computers and fileservers connected to the San Mateo County network running a Microsoft Windows operating system must be configured to receive updates and patches from centrally administered resources. In the event a computer virus threatens San Mateo County computing resources or can exploit a Microsoft operating system vulnerability ISD will work with the County-Wide Computer Security Team (CWcST) to administer virus file updates and\or Microsoft operating system patches to all computers and fileservers attached to the county network.

III. Objectives

The principal purpose of this Countywide computer virus protection and patch management policy is the effective and efficient prevention of network virus outbreaks and network security attacks involving computers and fileservers attached to the San Mateo County network.

This policy is intended to ensure:

  1. The integrity, reliability, and good performance of San Mateo County computing resources;
  2. That the centrally provided anti-virus software is run on all San Mateo County computing resources attached to the County network and is configured in accordance with this policy;
  3. That all Microsoft operating systems are configured to receive updates from the centrally located patch management server;
  4. That appropriate measures are in place to reasonably assure compliance with this policy.

IV. Responsibilities

CIO/Director of Information Services

The CIO/Director of Information Services is responsible for monitoring network activity and initiating appropriate action to prevent and/or control computer virus infections. The CIO/Director of Information Services or his designee shall be the chairperson of the countywide County-wide Computer Security Team.

Department Heads

County Department Heads have the responsibility of insuring that all computers and fileservers under departmental control are configured in compliance with this policy and thereafter disconnecting any computer or fileserver from the San Mateo County network known to be out of compliance with this policy. Department Heads shall designate Countywide Computer Security Team members.

Countywide Computer Security Team (CWcST)

The Countywide Computer Security Team is responsible for the implementation of this policy.

V. Countywide Computer Security Team

A Countywide Computer Security Team will be created to implement this policy and to serve as a rapid reaction team to manage virus outbreaks and other Information Security threats.

The Countywide Computer Security Team shall consist of Department Information Technology staff. The Countywide Computer Security Team shall consist of one representative from each County department or agency. Respective department heads shall designate CWcST members. The CIO/Director of Information Services or his designee shall chair the CWcST.

The Countywide Computer Security Team is responsible for the following

  1. Coordinate the installation of the appropriate anti-virus software and the removal of any existing noncompliant anti-virus software.
  2. Coordinate the configuration of all Microsoft operating systems to receive updates from a centrally administered patch management system.
  3. Establish and maintain a communication mechanism for providing rapid and effective communication between Team members.
  4. Establish and maintain a formal virus alert system for notifying the County community of virus outbreaks and recommend measures to be taken.
  5. Serve as a rapid reaction team in the event of a virus outbreak.
  6. Analyze the County’s virus protection effectiveness and provide a formal report to the County Manager and Executive Council.