catalog: SP800-53rev3 / class: Operational / family: (SI) System and Information Integrity

SI-03: Malicious Code Protection

base control objective:
The organization:
a. Employs malicious code protection mechanisms at information system entry and exit points and at workstations, servers, or mobile computing devices on the network to detect and eradicate malicious code:
   - Transported by electronic mail, electronic mail attachments, web accesses, removable media, or other common means; or
   - Inserted through the exploitation of information system vulnerabilities;
b. Updates malicious code protection mechanisms (including signature definitions) whenever new releases are available in accordance with organizational configuration management policy and procedures;
c. Configures malicious code protection mechanisms to: (i) perform periodic scans of the information system [Assignment: organization-defined frequency] and real-time scans of files from external sources as the files are downloaded, opened, or executed in accordance with organizational security policy; and (ii) [Selection (one or more): block malicious code; quarantine malicious code; send alert to administrator; [Assignment: organization-defined action]] in response to malicious code detection; and
d. Addresses the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of the information system.

supplemental objective information:
Information system entry and exit points include, for example, firewalls, electronic mail servers, web servers, proxy servers, and remote-access servers. Malicious code includes, for example, viruses, worms, Trojan horses, and spyware. Malicious code can also be encoded in various formats (e.g., UUENCODE, Unicode) or contained within a compressed file. Removable media includes, for example, USB devices, diskettes, or compact disks. A variety of technologies exist to limit or eliminate the effects of malicious code attacks. Pervasive configuration management and strong software integrity controls may be effective in preventing execution of unauthorized code. In addition to commercial off-the-shelf software, malicious code may also be present in custom-built software. This could include, for example, logic bombs, back doors, and other types of cyber attacks that could affect organizational missions and business functions. Traditional malicious code protection mechanisms are not built to detect such code. In these situations, organizations must rely instead on other risk mitigation measures, including, for example, secure coding practices, trusted procurement processes, configuration management and control, and monitoring practices to help ensure software does not perform functions other than those intended.

enhancements to the base objective:

(1) The organization centrally manages malicious code protection mechanisms.

(2) The information system automatically updates malicious code protection mechanisms (including signature definitions).

(3) The information system prevents non-privileged users from circumventing malicious code protection capabilities.

(4) The information system updates malicious code protection mechanisms only when directed by a privileged user.

(5) The organization does not allow users to introduce removable media into the information system.

(6) The organization tests malicious code protection mechanisms [Assignment: organization-defined frequency] by introducing a known benign, non-spreading test case into the information system and subsequently verifying that both detection of the test case and associated incident reporting occur, as required.
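The following is an added example, constructed for this page; it is not NIST text and not any vendor's engine. It ties together the base control (a: detect across entry points; c(i)/c(ii): real-time scan hook and the block/quarantine/alert selection; d: a path for false positives that restores availability), the supplemental guidance's warning that malicious code may arrive uuencoded, base64-encoded or inside a compressed file, and enhancement (6): a benign, non-spreading test case pushed through the production path with a check that both detection and incident reporting occurred. Every signature name, pattern, sample input and policy value (MAX_DEPTH, MAX_UNPACKED, the SI3-SELFTEST marker) is hypothetical; in practice the benign test case for (6) is the industry-standard EICAR test file, which is deliberately not reproduced here so the block does not trip a real engine.

```python
# Added example for SI-3: constructed for this page, not NIST text and not a vendor engine.
# Every signature name, pattern, sample input and policy value here is hypothetical.
import base64, binascii, hashlib, re, zipfile
from io import BytesIO
SIGNATURES = {  # hypothetical definitions; a real engine loads vendor updates (SI-3 b, (2))
    "SI3-6.BenignTest": b"SI3-SELFTEST-BENIGN-NONSPREADING",  # stand-in benign test marker
    "Dropper.Example": b"powershell -enc ",
}
MAX_DEPTH = 3               # layers of encoding/archiving we are willing to peel
MAX_UNPACKED = 1024 * 1024  # refuse to inflate an archive member declared larger than this
def _descend(child, depth, stats):
    if depth > MAX_DEPTH:   # policy cap reached with content still unexamined
        stats["truncated"] = True
        return
    yield from views(child, depth, stats)

def views(data, depth, stats):
    """Yield data plus every uuencoded, base64 or zip layer found inside it."""
    yield data
    uu = re.search(rb"^begin \d{3} [^\n]+\n(.*?)^end$", data, re.S | re.M)
    if uu:
        try:
            raw = b"".join(binascii.a2b_uu(ln) for ln in uu.group(1).splitlines() if ln)
            yield from _descend(raw, depth + 1, stats)
        except binascii.Error:
            pass  # malformed uuencode; the raw view was already scanned
    if re.fullmatch(rb"[A-Za-z0-9+/=\s]{16,}", data):  # looks like a bare base64 body
        try:
            yield from _descend(base64.b64decode(data), depth + 1, stats)
        except binascii.Error:
            pass  # bad padding: not base64 after all
    if data.startswith(b"PK\x03\x04"):  # zip container
        try:
            with zipfile.ZipFile(BytesIO(data)) as zf:
                for info in zf.infolist():
                    if info.file_size > MAX_UNPACKED:  # declared size: zip-bomb guard
                        stats["truncated"] = True
                        continue
                    yield from _descend(zf.read(info), depth + 1, stats)
        except zipfile.BadZipFile:
            stats["truncated"] = True  # unopenable is not the same as clean

def scan(data):
    """Signature match over every decodable layer (SI-3 a); None means clean."""
    stats = {"truncated": False}
    for view in views(data, 0, stats):
        for name, pattern in SIGNATURES.items():
            if pattern in view:
                return name
    return "Policy.UnscannableContent" if stats["truncated"] else None

def make_zip(member, content):
    """Deterministic in-memory zip (fixed timestamp), used for the constructed samples."""
    buf = BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(zipfile.ZipInfo(member, (1980, 1, 1, 0, 0, 0)), content, zipfile.ZIP_DEFLATED)
    return buf.getvalue()

# Constructed samples: one hypothetical dropper string in each wrapping the guidance names.
SAMPLE_PLAIN = b"echo hi && powershell -enc AAAA"
SAMPLE_UU = b"begin 644 a.txt\n" + binascii.b2a_uu(SAMPLE_PLAIN) + b"`\nend\n"
SAMPLE_B64 = base64.b64encode(SAMPLE_PLAIN)

class Protection:
    """SI-3 c(ii): selected responses on detection; SI-3 d: a path for false positives."""
    def __init__(self, actions=("quarantine", "alert")):
        self.actions = actions
        self.quarantine = {}    # sha256 -> bytes, restorable after analyst review
        self.alerts = []        # what the incident-reporting hook receives
        self.allowlist = set()  # hashes an analyst confirmed as false positives
    def on_file(self, name, data):
        """Real-time scan hook for a file arriving from an external source (SI-3 c(i))."""
        digest = hashlib.sha256(data).hexdigest()
        if digest in self.allowlist:
            return "allowed"    # reviewed once; do not re-quarantine (availability, SI-3 d)
        verdict = scan(data)
        if verdict is None:
            return "clean"
        if "alert" in self.actions:
            self.alerts.append({"file": name, "signature": verdict, "sha256": digest})
        if "quarantine" in self.actions:
            self.quarantine[digest] = data
            return "quarantined"
        return "blocked" if "block" in self.actions else "alerted"

    def release_false_positive(self, digest):
        """SI-3 d: an analyst judged a quarantined file benign; restore and exempt it."""
        self.allowlist.add(digest)
        return self.quarantine.pop(digest)

def self_test(p):
    """SI-3(6): a benign, non-spreading test case must trigger detection AND reporting."""
    before = len(p.alerts)
    verdict = p.on_file("si3-selftest.txt", SIGNATURES["SI3-6.BenignTest"] + b"\n")
    return (verdict != "clean" and len(p.alerts) == before + 1
            and p.alerts[-1]["signature"] == "SI3-6.BenignTest")

if __name__ == "__main__":
    p = Protection()
    print([p.on_file(n, b) for n, b in [("plain", SAMPLE_PLAIN), ("uu", SAMPLE_UU), ("b64", SAMPLE_B64)]])
    print("self-test passed:", self_test(p))
```

Two design points worth carrying into a real deployment. First, the nesting and size caps exist to stop archive bombs, but a scanner that silently gives up when it hits a cap is a bypass: here a capped or unopenable container produces a distinct "Policy.UnscannableContent" verdict that goes through the same block/quarantine/alert path as a signature hit, so the file is never treated as clean. Second, the false-positive path in (d) is a hash allowlist populated only by an analyst releasing a quarantined item; that keeps the availability fix narrow (one reviewed file, not a signature disabled globally) and leaves the alert record intact for the self-test in (6), which checks the incident-reporting side as well as detection.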

mapping to FIPS199 baseline:

LOW:  base
MOD:  base (1) (2) (3)
HIGH: base (1) (2) (3)

related (regimented) controls:

SA-04   Acquisitions
SA-12   Supply Chain Protection
SA-13   Trustworthiness
SI-04   Information System Monitoring
SI-07   Software and Information Integrity

documents referenced in SP800-53rev3 for SI-03:

Document        Date            Status   Title
NIST SP800-115  September 2008  current  Technical Guide to Information Security Testing and Assessment
NIST SP800-19   October 1999    current  Mobile Agent Security
NIST SP800-36   October 2003    current  Guide to Selecting Information Technology Security Products
NIST SP800-45   August 2006     DRAFT    Guidelines on Electronic Mail Security
NIST SP800-83   September 2006  current  Guide to Malware Incident Prevention and Handling
NIST SP800-94   August 2006     DRAFT    Guide to Intrusion Detection and Prevention Systems (IDPS)