CIO-073 Anti-Virus Policy

Office of the Chief Information Officer Enterprise Policy

CIO-073: Anti-Virus Policy

Effective Date:  06/01/2002
Revision Date:  03/08/2017
Reviewed Date:  02/04/2019
Policy Statement:  This policy supports the best practices, standards, and guidelines for security that must be followed to protect the Commonwealth. The purpose of this policy is to help protect Commonwealth owned devices from malware.
Policy Maintenance:   The Commonwealth Office of Technology (COT), Office of the Chief Information Security Officer, has the responsibility for the maintenance of this policy.  Organizations may choose to add to this policy as appropriate, in order to enforce more restrictive internal policies as appropriate and necessary.  Therefore, staff members are to refer to their organization's internal policy, which may have additional information or clarification of this enterprise policy.
Authority:  KRS 42.726 authorizes the Commonwealth Office of Technology to develop policies that support and promote the effective application of information technology within the Executive Branch of state government, as well as information technology directions, standards, and necessary management processes to assure full compliance with those policies.
Applicability:  This policy is to be adhered to by all Executive Branch agencies and staff, including employees, contractors, consultants, temporaries, volunteers and other workers within state government.
Responsibility for Compliance:  Each Agency is responsible for assuring that appropriate staff within their organizational authority have been made aware of the provisions of this policy, that compliance by the staff is expected, and that unauthorized and/or neglectful actions in regard to this policy may result in disciplinary action pursuant to KRS 18A up to and including dismissal. It is each Executive Cabinet’s responsibility to enforce and manage the application of this policy.
Non-compliance to the policy may result in additional shared service charges to the Agency for COT’s remediation efforts pertaining to this policy.  Failure to comply may also result in termination of that Agency’s access to the network infrastructure.
Review Cycle:  This policy will be reviewed at least every two years.
Malware: Any type of malicious software including but not limited to viruses, trojans, etc.
Policy:   All Commonwealth owned computing devices (servers, desktops, laptops and tablets) must be scanned for malware.  Only IT products listed within the Kentucky Information Technology Standards (KITS) are approved for installation and use. For consolidated agencies, authorized COT individuals are responsible for supporting the agency and ensuring appropriate malware protection software has been installed and is functioning on devices.  For non-consolidated agencies, the authorized agency administrator is responsible for ensuring appropriate malware protection software has been installed and is functioning.
If a virus-scanning program detects malware and/or if a user suspects infection, the user must immediately stop using the involved computer and notify the Commonwealth Service Desk by calling (502) 564-7576. The machine will not be reconnected to the network until necessary disinfection procedures are taken and/or the device is re-imaged.  For security best practices, please view the Security Awareness Video located on the Cyber Security Training and Awareness web page.
This page was last modified 8/6/2019 5:44 PM
Return to CIO Policies Home Page.