Raise a bug

4. Malware Protection

The goal of this control is to protect devices from malware by employing at least one of the following controls.

Anti-malware software

Devices are protected from malware with installed anti-malware software with the following configurations:

  • Installed anti-malware software and its signature files must be kept up-to-date through either automatic updates or centrally managed deployment.

  • The software must be configured to scan files automatically upon opening. This includes downloaded files and files accessed from network folders.

  • The software must automatically scan web pages when accessed through a browser.

  • The software must prevent access to malicious websites unless there is a clear, documented business case for doing so and the user understands any associated risks.

Application allow listing

Only applications that are approved and featured on an application whitelist may be installed on devices. The following conditions must be followed:

  • Applications must be actively approved before they are allowed to be installed by users.

  • An allow list of applications must be actively maintained.

  • Users must not be allowed to install applications that are unsigned or with an invalid signature on devices.

Application sandboxing

All applications must be run in a sandbox without access to other device resources, unless explicitly granted by the user, including:

  • Other sandboxed applications

  • Data stores, such as those holding documents and photos

  • Sensitive peripherals, such as the camera, microphone and GPS

  • Local network access

Previous3. User Access ControlNext5. Security Update Management

Last updated