HIC, Inc.

Asset Protection Anti-Malware Policy

I. Scope
All full-time, part-time, and temporary employees and contractors, health care providers,
health care clearinghouses, and health plans with authorized access to HIC, Inc. information
systems and data contained within, are covered by this policy.

II. Objectives
Information assets must be protected from destructive software elements such as viruses and
malicious code that impair normal operations. HIC approved virus detection programs must
be installed, enabled, and updated on all systems susceptible to viruses and malicious code
(Palmer, Robinson, Patilla, & Moser, 2000, p. 27).

a. Endpoint Protection
i. All workstations must have anti-malware software installed as part of the corporate
build process and maintained using a central management platform.
ii. Anti-malware software policies shall be developed and distributed to all
workstations without requiring user interaction. Policies shall specify definition
update frequency, scan intervals, and detection actions.
iii. User interaction with anti-malware software shall be restricted to prevent disabling
or any kind of reduction in protection.
iv. Workstations and applications shall be updated with the most recent security
patches to mitigate potential vulnerabilities not addressable by existing anti-
malware software (Verger, 2017).
b. Endpoint Detection and Response (EDR)
i. HIC, Inc. shall utilize a managed detection and response (MDR) for endpoints
service to improve endpoint visibility, threat detection, and incident response
(Oltsik, 2016).
c. Content Filtering Protection (Barry, 2014)
i. All email to and from HIC, Inc. email addresses shall be scanned for malicious
content. Detections shall be blocked or flagged for further review.
 ii. All SSL traffic passing through the HIC, Inc. proxy shall be decrypted and scanned
for malicious content.
iii. The proxy shall block attempts to communicate with any entities of a dynamically
updated list of malicious URLs and/or IP addresses. This list shall be updated daily
by subscribing to a compatible threat intelligence service.

III. Responsibilities
The Chief Information Security Officer (CISO) is responsible for the development,
implementation, and maintenance of the Anti-Malware Policy (Palmer et al., 2000, p. 28).

Users are responsible for using the information only for its intended purposes, and for
maintaining the confidentiality, integrity, and availability of information accessed consistent
with HIC approved safeguards while under the user’s control (Palmer et al., 2000, p. 28).

IV. Policy Enforcement and Exception Handling

Failure to comply with the Anti-Malware Policy can result in disciplinary actions up to and
including termination of employment for employees or termination of contracts for
contractors, health care providers, health care clearinghouses, and health plans. Legal actions
also may be taken for violations of applicable regulations and laws (Palmer et al., 2000, p.
28).

V. Review and Revision

The Asset Protection Policy will be reviewed and revised in accordance with the HIC, Inc.
Information Security Program Charter.

Approved: _________________________________________________________
Signature
Edward R. Locke
Chief Information Security Officer
References
Palmer, M., Robinson, C., Patilla, J., and Moser, E. (2000) META Security Group Information
Security Policy Framework: Best Practices for Security Policy in the Internet and
e-Commerce Age.

Oltsik, J. (2016) Endpoint detection and response: What’s important? Retrieved from
https://www.csoonline.com/article/3081482/security/endpoint-detection-and-response-edr-
what-s-important.html
Verger, R. (2017) Your anti-virus software is not enough. Retrieved from
https://www.popsci.com/antivirus-software-protect-your-computer

Barry, P. (2014) 5 Ways to Supplement Antivirus Software for Better Security. Retrieved from
https://www.csiweb.com/resources/blog/post/2014/05/21/5-ways-to-supplement-antivirus-
software-for-better-security