Running head: Asset Protection Policy 1

Asset Protection Policy

Justin R. Cook

University of San Diego, CSOL-540

Asset Protection Policy 2

Purpose

This document establishes a policy for addressing and preventing malware, ransomware,

spyware, and any types of malicious programs from entering HIC’s network.

Background

This document was developed because HIC’s mission is to provide quality service to our

customers and ensure the protection of their confidential information. Malware and other types

of malicious programs continue to plague organizations around the globe and the average cost of

a malware attack on a company is $2.6 million (Sobers, 2021). Running anti-virus software on

all devices, improving user security awareness, limiting network access, and securing

communication channels are some of the actions that must be taken to reduce the overall risk to

HIC’s computing environment.

Scope

This policy applies to any user or system that operates on HIC’s network or stores/processes HIC

documents or emails.

Objectives

Systems

All systems operating on HIC’s network must be running an up-to-date version of the corporate

standard antivirus software (Trend Micro Apex One). The AV software is pushed out to all

domain-joined computers via group policy and uninstallation or unlocking the software requires

a password. Scans are scheduled to run automatically, and the antivirus definition updates are

pushed out via an internal server regularly.

All VPN users who connect remotely to the corporate network must authenticate with their

credentials and the device must pass the posture check before being allowed access. For
Asset Protection Policy 3

example, if a device is missing the company standard AV software or is not a domain-joined

computer, they would not be allowed access. This posture check ensures that devices on the

network meet the baseline specifications that are defined by HIC.

Systems operating on the corporate network can only reach the public internet via a proxy server.

This proxy server controls the websites that employees access and secures internet activity by

blocking access to malicious sites.

Email

Email remains a common target for attackers as over 94% of malware is distributed via email

(Fruhlinger, 2020). HIC aims to address this in several ways, the first of which is flagging all

mail that originates from outside the organization with a header that informs the recipient that the

email is external. Flagging all external emails will reduce the likelihood of success if an attacker

tries to impersonate an internal user.

Additionally, all email passes through a security filter before reaching the inbox of any internal

user. This security filter analyzes incoming emails for various red flags that indicate a high

likelihood of spam or phishing content and quarantines those emails for review. All attachments

are scanned for malware and certain file extensions are not allowed to pass through. Any links

located in the email’s body or embedded in documents are scanned to ensure they are not

malicious.

User Security Awareness Training

Users under the scope of this policy are required to complete an annual cybersecurity training

program. This program includes a section on the different types of malware and some strategies

to avoid falling victim to attack. One area of the training shows how to spot malicious email

attempts and provides instructions for how to report suspicious emails to the security team.
Asset Protection Policy 4

Responsibilities

 The Chief Information Officer (CIO) is the approval authority for the Anti-Malware

policy.

 The VP of IT Operations is responsible for the development, implementation, and

maintenance of the Anti-Malware policy and all associated guidelines and standards.

 The IT Operations team is responsible for implementing and monitoring the security

controls to ensure that this policy is properly enforced.

 The individuals, external entities, or groups who fall under the scope defined for this

policy are accountable for reading and agreeing to this policy.

Policy Enforcement and Exception Handling

Failure to comply with HIC’s Anti-Malware policy will result in disciplinary actions which can

include termination of employment or termination of contracts/agreements. Serious offenses that

violate legal regulations may also result in lawsuits. Exceptions to the HIC Inc. security program

are granted under extremely rare circumstances. Any potential exception will be documented,

approved, and signed by the CEO of HIC Inc.

Review and Revision

The Anti-Malware policy will be reviewed and revised in accordance with the HIC Inc.

Information Security Program Charter.

Approved: __________________________________________
Signature
<Typed Name>
Chief Information Officer
Asset Protection Policy 5

References

Fruhlinger, J. (2020, March 09). Top cybersecurity facts, figures and statistics. Retrieved from

https://www.csoonline.com/article/3153707/top-cybersecurity-facts-figures-and-

statistics.html

Sobers, R. (2021, March 16). 134 Cybersecurity Statistics and Trends for 2021. Retrieved from

https://www.varonis.com/blog/cybersecurity-statistics/