Navigate

CCI-004963

CCI-004963 Definition

Implement signature based and/or non-signature based malicious code protection mechanisms at system entry and exit points to detect and eradicate malicious code.

Status
Type	CheckType.technical

Master Assessment Datasheet

Implementation Guidance

Determine if: - [SI-03_ODP[01]; one or more of the following PARAMETER VALUES is/are selected: {signature-based; non-signature-based}] malicious code protection mechanisms are implemented at system entry and exit points to detect malicious code. - [SI-03_ODP[01]; one or more of the following PARAMETER VALUES is/are selected: {signature-based; non-signature-based}] malicious code protection mechanisms are implemented at system entry and exit points to eradicate malicious code.

Validation Procedures

Examine: [SELECT FROM: System and information integrity policy; system and information integrity procedures; configuration management policy and procedures; procedures addressing malicious code protection; malicious code protection mechanisms; records of malicious code protection updates; system design documentation; system configuration settings and associated documentation; scan results from malicious code protection mechanisms; record of actions initiated by malicious code protection mechanisms in response to malicious code detection; system audit records; system security plan; other relevant documents or records]. Interview: [SELECT FROM: System/network administrators; organizational personnel with information security responsibilities; organizational personnel installing, configuring, and/or maintaining the system; organizational personnel responsible for malicious code protection; organizational personnel with configuration management responsibilities]. Test: [SELECT FROM: Organizational processes for employing, updating, and configuring malicious code protection mechanisms; organizational processes for addressing false positives and resulting potential impacts; mechanisms supporting and/or implementing, employing, updating, and configuring malicious code protection mechanisms; mechanisms supporting and/or implementing malicious code scanning and subsequent actions].

Related Controls

The controls below (if any) were marked by NIST as being related to CCI-004963.

Control	Description
SI-3	a: Implement [one or more of "signature-based"/"non-signature-based"] malicious code protection mechanisms at system entry and exit points to detect and eradicate malicious code; b: Automatically update malicious code protection mechanisms as new releases are available in accordance with organizational configuration management policy and procedures; c: Configure malicious code protection mechanisms to: 1: Perform periodic scans of the system [the frequency at which malicious code protection mechanisms perform scans is defined;] and real-time scans of files from external sources at [one or more of "endpoint"/"network entry and exit points"] as the files are downloaded, opened, or executed in accordance with organizational policy; and 2: [one or more of "block malicious code"/"quarantine malicious code"/"take {{ insert: param, si-03_odp.05 }} "] ; and send alert to [personnel or roles to be alerted when malicious code is detected is/are defined;] in response to malicious code detection; and d: Address the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of the system.

Control

Description

SI-3

a: Implement [one or more of "signature-based"/"non-signature-based"] malicious code protection mechanisms at system entry and exit points to detect and eradicate malicious code;

b: Automatically update malicious code protection mechanisms as new releases are available in accordance with organizational configuration management policy and procedures;

c: Configure malicious code protection mechanisms to:
- 1: Perform periodic scans of the system [the frequency at which malicious code protection mechanisms perform scans is defined;] and real-time scans of files from external sources at [one or more of "endpoint"/"network entry and exit points"] as the files are downloaded, opened, or executed in accordance with organizational policy; and
- 2: [one or more of "block malicious code"/"quarantine malicious code"/"take {{ insert: param, si-03_odp.05 }} "] ; and send alert to [personnel or roles to be alerted when malicious code is detected is/are defined;] in response to malicious code detection; and

d: Address the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of the system.