Navigate

CCI-004966

CCI-004966 Definition

Configure malicious code protection mechanisms to send alerts to organization-defined personnel in response to malicious code detection.

Status
Type	CheckType.technical

Master Assessment Datasheet

Implementation Guidance

Determine if: - malicious code protection mechanisms are configured to [SI-03_ODP[04]; one or more of the following PARAMETER VALUES is/are selected: {block malicious code; quarantine malicious code; take [SI-03_ODP[05]; action to be taken in response to malicious code detection are defined (if selected)}] in response to malicious code detection. - malicious code protection mechanisms are configured to send alerts to [SI-03_ODP[06]; personnel or roles to be alerted when malicious code is detected is/are defined] in response to malicious code detection.

Validation Procedures

Examine: [SELECT FROM: System and information integrity policy; system and information integrity procedures; configuration management policy and procedures; procedures addressing malicious code protection; malicious code protection mechanisms; records of malicious code protection updates; system design documentation; system configuration settings and associated documentation; scan results from malicious code protection mechanisms; record of actions initiated by malicious code protection mechanisms in response to malicious code detection; system audit records; system security plan; other relevant documents or records]. Interview: [SELECT FROM: System/network administrators; organizational personnel with information security responsibilities; organizational personnel installing, configuring, and/or maintaining the system; organizational personnel responsible for malicious code protection; organizational personnel with configuration management responsibilities]. Test: [SELECT FROM: Organizational processes for employing, updating, and configuring malicious code protection mechanisms; organizational processes for addressing false positives and resulting potential impacts; mechanisms supporting and/or implementing, employing, updating, and configuring malicious code protection mechanisms; mechanisms supporting and/or implementing malicious code scanning and subsequent actions].

Related Controls

The controls below (if any) were marked by NIST as being related to CCI-004966.

Control	Description
SI-3	a: Implement [one or more of "signature-based"/"non-signature-based"] malicious code protection mechanisms at system entry and exit points to detect and eradicate malicious code; b: Automatically update malicious code protection mechanisms as new releases are available in accordance with organizational configuration management policy and procedures; c: Configure malicious code protection mechanisms to: 1: Perform periodic scans of the system [the frequency at which malicious code protection mechanisms perform scans is defined;] and real-time scans of files from external sources at [one or more of "endpoint"/"network entry and exit points"] as the files are downloaded, opened, or executed in accordance with organizational policy; and 2: [one or more of "block malicious code"/"quarantine malicious code"/"take {{ insert: param, si-03_odp.05 }} "] ; and send alert to [personnel or roles to be alerted when malicious code is detected is/are defined;] in response to malicious code detection; and d: Address the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of the system.

Control

Description

SI-3

a: Implement [one or more of "signature-based"/"non-signature-based"] malicious code protection mechanisms at system entry and exit points to detect and eradicate malicious code;

b: Automatically update malicious code protection mechanisms as new releases are available in accordance with organizational configuration management policy and procedures;

c: Configure malicious code protection mechanisms to:
- 1: Perform periodic scans of the system [the frequency at which malicious code protection mechanisms perform scans is defined;] and real-time scans of files from external sources at [one or more of "endpoint"/"network entry and exit points"] as the files are downloaded, opened, or executed in accordance with organizational policy; and
- 2: [one or more of "block malicious code"/"quarantine malicious code"/"take {{ insert: param, si-03_odp.05 }} "] ; and send alert to [personnel or roles to be alerted when malicious code is detected is/are defined;] in response to malicious code detection; and

d: Address the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of the system.