topic Re: In which policy to place company anti-malware requirements in Governance, Risk, Compliance https://community.isc2.org/t5/Governance-Risk-Compliance/In-which-policy-to-place-company-anti-malware-requirements/m-p/40409#M169 <P>It can be referenced from several place as anti malware controls aren't necessarily just a software product on endpoints.&nbsp; So at a policy level you'd have a statement that the standard antimalware product had to be part of every build and that it mustn't be disabled or uninstalled.&nbsp; At a standards level you'd define how the product must be configured in terms of its features and their management.&nbsp;</P><P>&nbsp;</P><P>You may also have other malware controls in place around ingress of data e.g. email and web filtering, deep pack inspection for malware, restrictions on removable media etc.&nbsp; You may also want to restrict what programs can download and/or execute, so you're only running known good software.&nbsp; Some of those you'd need to put in your AUP to set expectations on staff behaviour.</P><P>&nbsp;</P><P>&nbsp;</P> Fri, 30 Oct 2020 12:10:54 GMT Steve-Wilme 2020-10-30T12:10:54Z In which policy to place company anti-malware requirements https://community.isc2.org/t5/Governance-Risk-Compliance/In-which-policy-to-place-company-anti-malware-requirements/m-p/40405#M168 <P>Hi,</P><P>&nbsp;</P><P>I am currently refreshing our policies, however I am not sure what is the best place to place requirements for the antimalware client.</P><P>&nbsp;</P><P>Would you place these in an independent policy (e.g. Antimalware policy) or as part of another one?</P><P>&nbsp;</P><P>Thanks</P> Mon, 09 Oct 2023 09:40:41 GMT https://community.isc2.org/t5/Governance-Risk-Compliance/In-which-policy-to-place-company-anti-malware-requirements/m-p/40405#M168 JulienB 2023-10-09T09:40:41Z Re: In which policy to place company anti-malware requirements https://community.isc2.org/t5/Governance-Risk-Compliance/In-which-policy-to-place-company-anti-malware-requirements/m-p/40409#M169 <P>It can be referenced from several place as anti malware controls aren't necessarily just a software product on endpoints.&nbsp; So at a policy level you'd have a statement that the standard antimalware product had to be part of every build and that it mustn't be disabled or uninstalled.&nbsp; At a standards level you'd define how the product must be configured in terms of its features and their management.&nbsp;</P><P>&nbsp;</P><P>You may also have other malware controls in place around ingress of data e.g. email and web filtering, deep pack inspection for malware, restrictions on removable media etc.&nbsp; You may also want to restrict what programs can download and/or execute, so you're only running known good software.&nbsp; Some of those you'd need to put in your AUP to set expectations on staff behaviour.</P><P>&nbsp;</P><P>&nbsp;</P> Fri, 30 Oct 2020 12:10:54 GMT https://community.isc2.org/t5/Governance-Risk-Compliance/In-which-policy-to-place-company-anti-malware-requirements/m-p/40409#M169 Steve-Wilme 2020-10-30T12:10:54Z