University Policies and Procedures Manual (previously Business Policies and Procedures Manual)
Anti-Malware
UPPM 87.42
For more information contact:
Information Technology Services
1.0 Overview and Purpose
1.1 Information Assurance Policies Generally
The purposes of the information assurance policies in UPPM Chapter 87: Information Technology and Security are to:
- Set requirements to ensure the privacy, confidentiality, integrity, and availability of Washington State University (WSU) data;
- Support institutional goals and strategies with appropriate methods for administratively, technically, and operationally protecting data; and
- Define the criteria WSU follows to meet requirements for protecting data, which are determined by Information Owners.
The policies in this chapter comply with Federal Information Processing Standards (FIPS 199), which are intended to help organizations achieve a common level of quality and interoperability in information technology (IT) by requiring categorization of systems as low-impact, moderate-impact, or high-impact for the stated security objectives of confidentiality, integrity, and availability. To determine the potential consequence of a loss event, the Federal Information Processing Standards:
- Define WSU Information Owners’ impact categorization rating (Low, Moderate, or High);
- Dictate which security controls are mandatory based upon the categorization level;
- Define the strength, frequency, and formalization of those controls; and
- Influence audit burden and continuous monitoring rigor.
See UPPM 87.01 for definitions, general information, and violations related to this policy, as well as additional information regarding roles and responsibilities.
1.2 Specific Policy Overview and Purpose
To protect the integrity and reliability of WSU’s IT systems, WSU maintains and enforces a comprehensive anti-malware strategy requiring updated protection, centralized monitoring, and automated threat response, with additional controls for high-impact systems. This policy sets forth requirements for the effective implementation and oversight of WSU’s anti-malware program.
2.0 Applicability
This policy applies to all WSU system users who have contact with, or potentially may have contact with, WSU data, applications, and computing resources.
Security control exceptions to policy statements in UPPM Chapter 87 are managed and maintained in accordance with UPPM 87.23.
3.0 Roles and Responsibilities
3.1 Chief Information Officer
The Chief Information Officer (CIO) of WSU, or designee, is responsible for administering this policy and reviewing it on an annual basis.
3.2 Information System Owners
WSU Information System Owners, or their delegates, are responsible and accountable for developing appropriate Standard Operating Procedures (SOPs) for this policy’s implementation.
3.3 Office of Information Security and Assurance (OISA)
WSU’s Office of Information Security and Assurance (OISA) shall maintain the standard associated with this policy and provide guidance on the procedures for implementing it (see the published implementation examples).
Note: While all units are required to adhere to the standard established by OISA (NIST SP 800-53), procedural examples for implementation are optional.
4.0 Requirements
4.1 General Requirements
WSU maintains an enterprise anti-malware management console, and all anti-malware software agents must automatically report to this centralized console in accordance with UPPM 87.40.
All computer systems, including servers, workstations, laptops, and personally owned computers used to access, store, process, or otherwise use WSU data, must run updated anti-malware/endpoint protection software in accordance with UPPM 87.40.
All anti-malware software must log malicious code activities in accordance with UPPM 87.10 and 87.40.
All internet connections, emails, and removable media connected to a WSU system are to be scanned for malicious and unauthorized mobile code in accordance with UPPM 87.07.
When malicious code is suspected on a system, WSU Security Operation Center (SOC) personnel must attempt to quarantine the system. Quarantined systems with false positive alerts are to be promptly released from quarantine after the false positive is confirmed in accordance with UPPM 87.40.
When malicious code is detected, it must be automatically deleted or quarantined and reported to the enterprise anti-malware management console in accordance with UPPM 87.40.
SOC must receive and implement security alerts, advisories, and directives from trusted entities such as the United States Computer Emergency Readiness Team (US-CERT) and the OISA in accordance with UPPM 87.40.
Security alerts, advisories, and directives are to be disseminated to WSU System Area Technical Officers (ATOs) and to others as deemed necessary.
All software on WSU computer systems, including the operating system, is to be kept up to date with the latest software release in accordance with UPPM 87.10.
Both host-based and network-based anti-malware detection must be performed to identify and combat malware. Network-based anti-malware monitoring is to be performed in accordance with UPPM 87.10, 87.12, and 87.40.
WSU responds to all malicious code outbreaks in accordance with UPPM 87.55.
4.2 Moderate- and High-Impact Systems
In addition to the above, the following requirements apply to all moderate- and high-impact systems.
For moderate- and high-impact systems, Information System Owners, or their delegates, must deploy software allow listing tools to WSU computer endpoints (servers, workstations, laptops, and mobile devices) that allow only authorized software execution in accordance with UPPM 87.32, 87.10, and 87.40.
4.3 High-Impact Systems
In addition to the above, the following requirements apply to all high-impact systems.
Automated methods are to be used when disseminating security alerts, advisories, and directives pertaining to high-impact systems, in accordance with UPPM 87.40.
5.0 Training
See UPPM 87.21 for training requirements related to UPPM Chapter 87.
In addition to the requirements in UPPM 87.21, Information System Owners are responsible for ensuring that users receive appropriate information security and privacy training commensurate with their roles, responsibilities, and authorized access to information systems under the Information System Owner’s authority.
_______________________
Revisions: Feb. 2026 (Rev. 651 – NEW).