Navigate

CCI-001245

CCI-001245 Definition

Address the receipt of false positives during malicious code detection and eradication, and the resulting potential impact on the availability of the system.

Status
Type	CheckType.policy

Master Assessment Datasheet

Implementation Guidance

Determine if the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of the system are addressed.

Validation Procedures

Examine: [SELECT FROM: System and information integrity policy; system and information integrity procedures; configuration management policy and procedures; procedures addressing malicious code protection; malicious code protection mechanisms; records of malicious code protection updates; system design documentation; system configuration settings and associated documentation; scan results from malicious code protection mechanisms; record of actions initiated by malicious code protection mechanisms in response to malicious code detection; system audit records; system security plan; other relevant documents or records]. Interview: [SELECT FROM: System/network administrators; organizational personnel with information security responsibilities; organizational personnel installing, configuring, and/or maintaining the system; organizational personnel responsible for malicious code protection; organizational personnel with configuration management responsibilities]. Test: [SELECT FROM: Organizational processes for employing, updating, and configuring malicious code protection mechanisms; organizational processes for addressing false positives and resulting potential impacts; mechanisms supporting and/or implementing, employing, updating, and configuring malicious code protection mechanisms; mechanisms supporting and/or implementing malicious code scanning and subsequent actions].

Related Controls

The controls below (if any) were marked by NIST as being related to CCI-001245.

Control	Description
SI-3	a: Implement [one or more of "signature-based"/"non-signature-based"] malicious code protection mechanisms at system entry and exit points to detect and eradicate malicious code; b: Automatically update malicious code protection mechanisms as new releases are available in accordance with organizational configuration management policy and procedures; c: Configure malicious code protection mechanisms to: 1: Perform periodic scans of the system [the frequency at which malicious code protection mechanisms perform scans is defined;] and real-time scans of files from external sources at [one or more of "endpoint"/"network entry and exit points"] as the files are downloaded, opened, or executed in accordance with organizational policy; and 2: [one or more of "block malicious code"/"quarantine malicious code"/"take {{ insert: param, si-03_odp.05 }} "] ; and send alert to [personnel or roles to be alerted when malicious code is detected is/are defined;] in response to malicious code detection; and d: Address the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of the system.

Control

Description

SI-3

a: Implement [one or more of "signature-based"/"non-signature-based"] malicious code protection mechanisms at system entry and exit points to detect and eradicate malicious code;

b: Automatically update malicious code protection mechanisms as new releases are available in accordance with organizational configuration management policy and procedures;

c: Configure malicious code protection mechanisms to:
- 1: Perform periodic scans of the system [the frequency at which malicious code protection mechanisms perform scans is defined;] and real-time scans of files from external sources at [one or more of "endpoint"/"network entry and exit points"] as the files are downloaded, opened, or executed in accordance with organizational policy; and
- 2: [one or more of "block malicious code"/"quarantine malicious code"/"take {{ insert: param, si-03_odp.05 }} "] ; and send alert to [personnel or roles to be alerted when malicious code is detected is/are defined;] in response to malicious code detection; and

d: Address the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of the system.