Standards and Guidelines Pro/Con Anti Malware programs

2018-04-10 10:30:59

For a whitepaper about anti-malware products used in combination with (server side) applications and infrastructure components (database server) I am looking for standards, guidelines and codified best-practices which recommend, demand or forbid anti malware programs (virus scanners).

I am also looking for published guidelines or interpretations on how the terms are interpreted by auditors.

(I added a self-answer with my findings so far; they should serve as an example and proof of effort.)

  • The things I found so far:

    PCI DSS is very specific in requiring an active malware program. There is an interpretation which says this applies to Linux servers as well (and only excepts midrange or host systems)

    The European General Data Protection Regulation does not directly mention anti-malware; it does, however, require state of the art technical and organizational controls to protect integrity, availability and privacy for data. Most interpretations include anti malware by that definition (especially given the prevalence of direct mentioning in audit and security standards below)

    SOX Act also emphasizes needed controls for protecting integrity of finance reporting systems (as well as cybersecurity). Control frameworks mandated by the SEC like COBIT also mention anti-malware procedures.

    ISO 27001 features an Appendix of controls including anti-malware procedures and controls (A.12.2 Protection from malware)

    -BSI (German) IT Grundschutz Katalog M.4.3 Einsatz von Viren-Schutzpr

    2018-04-10 11:05:22