Objectivity in Risk Management

THE ANTI-VIRUS REALITY CHECK

As companies increasingly rely on the data contained on their computer systems, threats to the data are also growing. Threats to data, or to information, can come in the form of a breach of confidentiality, a violation of integrity, or a denial of availability. These threats can come from various sources including computer hackers with malicious intent, natural or unnatural disasters, the lack of security policies, the failure to enforce security policies and computer viruses. Computer viruses pose as serious a threat to data as can a malicious hacker. In order to thoroughly protect a company’s information, one must focus on protecting against all possible threats, including computer viruses. Although infection of computer systems by a virus is generally unintentional, the possibility of infection is real and without the proper protection, imminent. Computer viruses are designed to spread from one file to another, from one program to another, from one machine to another, and even from one network to another. Viruses threaten the integrity and availability of data. Data have become the backbone of most companies today, and therefore any threat to a company’s data cannot be tolerated. Time, resources and money must be invested to protect a company against the harmful and destructive intrusion of computer viruses. At first glance it would appear that protecting computers from viruses is a relatively simple task. On the surface this task involves selecting an anti-virus software package, installing it, and running the virus scan, rendering the computer virus-free. Unfortunately the process can be quite intricate, and require as much time and effort spent planning as on implementation. An enterprise wide anti-virus initiative involves numerous tasks, which at a high level can be broken into the following phases: planning, implementation and maintenance. Other phases may be identified for any given project and should be included as appropriate. These three phases however are the minimum for the success of an anti-virus campaign.
Planning
The planning phase is the first phase in protecting a company from computer viruses. Generally, planning is treated as a step in the implementation process, with the focus on implementation. For example, product selection is treated as the preliminary step in the software implementation, as opposed to a stand alone process in which greater attention is given to choosing the right product. This is the wrong approach to planning an anti-virus strategy. Planning is crucial to the success of an anti-virus effort. Planning involves product selection, project strategy, task and resource identification, and delegation, as well as other activities. The goal of the planning phase is to develop an anti-virus solution for the enterprise. A solution is not limited to the selection of an anti-virus product, or to the development of a strategy. Rather a solution answers the question “How will a company protect itself from computer viruses?” To arrive at the most efficient and reliable anti-virus solution, many questions must be answered.
First, is the organization trying to protect against a particular type of virus? Perhaps macro viruses have been causing problems, or maybe managers know little about computer viruses but have seen enough movies to scare them.
Second, what is the major source of viruses that is infecting the company? Are users bringing in infected disks, or maybe e-mail attachments are spreading a virus.
Third, how secure does the company want to be? What trade-off will be allowed between protection and performance? After all, the more secure they are, the slower computers will be.
Fourth, should the virus protection be behind the scenes, or should users know it is there and actively use it? These are just a sample of the questions that should be answered when choosing an anti-virus solution. Perhaps no one product meets all needs; in that case requirements must be prioritized to select a product that meets priorities. Alternatively, one can choose to use more than one product which will overlap and meet all needs. A product overlap also offers an additional layer of protection that one product alone cannot offer. It is possible that a new virus may be on the loose that cannot be identified by one of the anti-virus programs chosen. A second program may catch it and prevent an infection that otherwise may have created a threat. Obviously, selecting an anti-virus product, or more specifically an anti-virus solution is not a simple task. When all of the relevant questions have been answered, the solution will begin to take shape and eventually a final solution will emerge. FEATURE