Detection and prevention of unauthorized or malicious software

Centrally select and install malware detection and repair programs and update them regularly for preventive or regular scanning of computers and media.

Programs should check at least the following:

• files received over the network or storage media are scanned for malware before use
• email attachments and downloaded files are scanned for malware before use
• websites are scanned for malware

There are separate instructions for staff to use mobile devices. The instructions cover:

• restrictions on installing software and using various services on your organization's devices
• procedures for the registration of new devices
• requirements for physical protection of equipment and installation of updates
• access control requirements
• protecting your organization’s data with encryption, malware protection, and backup
• the ability of the organization to remotely control the device

Malware protection systems automatically check for and install updates at desired intervals and also run the desired scans at the selected frequency without needed user actions.

In systematic cyber security work, the impact of significant changes must be assessed in advance and they must be executed in a controlled way. The consequences of unintentional changes must be assessed and efforts made to mitigate possible adverse effects.

Significant changes may include: changes in the organization, operating environment, business processes and data systems. Changes can be identified e.g. through management reviews and other cyber security work.

The data systems (and their content) that support critical business processes are regularly reviewed to locate malware. All unauthorized files and changes will be formally investigated.

Unmanaged installations of software on computers can lead to vulnerabilities and security breaches.

The organization should determine what types of software or updates each user can install. The instructions may include e.g. the following guidelines:

• only specially designated persons may install new software on the devices
• programs previously designated as secure may be installed by anyone
• use of certain software may be impossible for everyone
• existing software updates and security patches are allowed to be installed by anyone

The organization must identify the types of websites that staff should and should not have access to.

The organization must consider blocking access to the following types of sites (either automatically or by other means):

• websites with a file upload function, unless this is permitted for a specific business need
• known or suspected malicious websites (e.g. distributing malware or containing phishing content)
• command and control servers
• websites distributing illegal content

The organization regularly trains staff on the use of utilized malware protection, reporting malware attacks, and recovering from malware attacks.

Security systems are the data systems that are in place to protect the information we have, not so much to process it.

We regularly evaluate the operation of different security systems and the need for new systems.