IT 09-104 – Managing Operating System – Security – Virus Updates

Page
1

of
4


DMS Policy No.
IT
-
09
-
104

Managing OS, Security, and Virus Updates



DEPARTMENT OF MANAGEMENT SERVICES

ADMINISTRATIVE POLICY

TITLE:
Managing Operating System
,

Security
, and Virus

Updates

POLICY
NUMBER



IT
-
09
-
104



EFFECTIVE:
November 1, 2009

REVISED:




PURPOSE


DMS recognizes the importance of ensuring our computers (servers, desktop
computers, laptops, etc.) are kept up to date with operating system patches, other
security patches, and virus recognition files and software updates
.

This policy covers
minimum ac
tivities and scheduling associated with this need.


SCOPE


This policy is applicable to all DMS employees
. Carrying out this policy is the
responsibility of the DMS LAN and Desktop Support Team
.

IT pertains to ensuring
the application of security updates

and virus detection files and software in a timely
manner.


AUTHORITY


Florida Statute 282.318


DISTRIBUTION


The following individuals
should be notified of this
policy


Method of notification

DMS IT, Division of
Retirement IT, Division of
Telecommunica
tions
Engineers, Print shop Mac
users



䑥Da楬ed⁲ v楥i⁢y⁉nfo牭a瑩tn⁓e捵物瑹⁍ nager

A汬⁄ S⁅mp汯lees



䥮fo牭a瑩tn⁓e捵物瑹⁁wa牥re獳⁔牡楮楮i



䑍S⁗eb⁳楴

䑍S⁅e捵瑩te⁌eade牳桩r



Executive Leadership meetings



Page
2

of
4


DMS Policy No.
IT
-
09
-
104

Managing OS, Security, and Virus Updates

DEFINITIONS


Word/Term

Definition

PC

A
computer used as a personal computer. This includes
desktop computers and laptops/notebooks.

Server

A computer with power, memory, and architecture that
sufficiently allows it to perform processes for many users and
applications.

Computer

Generically u
sed to refer to PCs and servers.

Network Devices

A device used to provide network communications. This
includes, switches, routers, hubs, mini
-
hubs, splitters, wireless
access points, firewalls, network security devices, network
appliances and modem pools
.

OS and Security
Updates

Any operating system
,

system utility
, or
network device

patch
or update that fixes flaws in the system or plugs security gaps
identified, or otherwise enhances security of the system.



POLICY


DMS is committed to
ensuring our
s
ecurity measures and
virus
protection is

adequate in protecting our systems

and data

from threat and abuse. To this end, all
desktop c
omputers, laptops/notebooks,

server

class

computers
, and network devices

connected to the DMS LAN or DMS e
-
mail system, o
r connected to the Florida
Retirement System LAN
will be updated regularly according to this policy with
operating system
, firewall,
and

other
security related updates
. All Windows
-
based
computers
will have
installed

and
active virus detection soft
ware th
at is updated
regularly
according to this policy.


The following are minimum requirements for frequency and steps to ensure
adequate protection for the different types of systems employed by DMS.


1.

The following shall be considered minimum requirements for
PCs and servers
that run
the
Microsoft Windows

OS

and connect to the DMS LAN or e
-
Mail
system
.

a.

OS and Security Updates
:

i.

The Microsoft Update site will be c
hecked once per day for OS
and s
ecurity
updates

and
any available will be
download
ed

to a
server.

ii.

PCs

and servers will be configured to check for these downloads
once per day, and download any available.

iii.

Windows PCs and servers will be configured to apply
downloaded OS and security updates once per week
.


Page
3

of
4


DMS Policy No.
IT
-
09
-
104

Managing OS, Security, and Virus Updates

iv.

Any OS and security updates deemed critical will be

downloaded
immediately, and scheduled to be applied to PCs and servers
within 24 hours if possible.

b.

Anti
-
Virus and Anti
-
Spyware:

i.

Availability of virus and spyware protection software updates and
signature files will be checked for
at the vendor site
once
per
day, and
any found will be
downloaded to all PCs and servers.

ii.

Windows PCs and servers will be configured to run Anti
-
virus
and anti
-
spyware scans once per week.

c.

A procedures document for accomplishing these requirements for OS,
security, anti
-
virus, an
d anti
-
spyware updates
for Windows
-
based
systems
must be maintained by IT management
.

d.

Virus protection software must be approved by the Information Security
Manager, and active on every Windows
-
based computer.

2.

The following shall be considered minimum requ
irements for
PCs and servers
that run Linux or UNIX and connect to the DMS LAN or e
-
Mail system
.

a.

Availability of
OS and security updates
by the vendor
will be
checked
once per month, and
applied to servers.

b.

Updates deemed c
ritical will be
downloaded and
ap
plied imm
ediately
once this level of importance is identified.

c.

A procedures document for accomplishing server OS and security
updates must be maintained by IT management.

d.

The DMS standard PC operating system is Windows. However, some
areas within DMS have

found it beneficial to use Linux on the PC.
Using the non
-
standard OS requires CIO approval. OS and security
updates for PCs (workstations) running Linux are the responsibility of
the user of the PC. Users are required to apply OS and security
updates
once per month. Users are responsible for appl
ying updates
deemed critical im
mediately once this level of importance is identified.

e.

Adherence to these Linux/Unix system and security update
requirements
for PCs
will be monitored through semi
-
annual inspect
ion
of r
andomly selected PCs
.

3.

The following shall be considered minimum requirements for

PCs running the
MAC OS and connect to the DMS LAN or e
-
Mail system
.

a.

The DMS standard PC operating system is Windows. However, s
ome
areas within DMS utilize Mac

PCs

du
e to
the
type of work being
performed. Using the non
-
standard OS requires CIO approval. OS
and security updates for Mac computers are the responsibility of the
user of the PC. Users are required to apply OS and security updates

Page
4

of
4


DMS Policy No.
IT
-
09
-
104

Managing OS, Security, and Virus Updates

once per month. Users ar
e responsible for apply
ing updates deemed
critical imm
ediately once this level of importance is identified.

b.

Adherence to these Mac

OS system and security update requirements
will be monitored through semi
-
annual inspection of randomly selected
PCs
.


4.

The fo
llowing shall be considered minimum requirements for

network devices
connected to the DMS LAN.

a.

Availability of system and security updates will be checked once per
month for all network devices, and applied to the network devices
immediately.

b.

Updates deeme
d c
ritical will be downloaded and applied imm
ediately
once this level of importance is identified.

c.

A procedures document for accomplishing network device system and
security updates must be maintained by IT management.



RESPONSIBILITIES


Individual

or Gro
up

Responsibilities

DMS IT



En獵牥⁡dhe牥r捥⁴o⁴h楳⁰o汩捹⁦o爠偃猠rnd
獥牶e牳Ⱐr捥p琠
fo爠r楶楳ionf⁒ 瑩牥ten琠P䍳⁡nd⁳ 牶e牳Ⱐ䑩v楳ionf
Te汥捯mmun楣慴楯i猠sun捯m⁳ 牶e牳Ⱐrnd⁌楮i⽕/楸⁐䍳

䑩v楳ionf
剥R楲emen琠䑩牥捴o爠
and⁉T⁍ nagemen琠
Vendor



En獵牥⁡dhe牥r捥⁴o⁴h楳⁰o汩捹⁦o爠r楶楳ion⁐䍳ⰠCnd
獥牶e牳anaged⁢y⁴he⁉Tanagemen琠vendo爮



E獴sb汩獨⁐牯捥du牥猠fo爠r捣cmp汩獨楮i⁰o汩捹⁲ qu楲emen瑳t
a猠s楲e捴cd⁩ ⁴he⁰o汩捹.

䑩v楳ionf
Te汥捯mmun楣慴楯i猠
䑩牥捴or



En獵牥⁡dhe牥r捥⁴o⁴h楳⁰o汩c
y⁦o爠r楶楳ionanaged
獥牶e牳⁡nde瑷o牫⁤ev楣敳i



E獴sb汩獨⁰牯捥du牥猠fo爠r捣cmp汩獨楮i⁰o汩捹⁲ qu楲emen瑳t
a猠s楲e捴cd⁩ ⁴he⁰o汩捹.

L楮i⽕/楸⁐䌠C獥牳



啮Ue牳瑡nd⁡nd⁡dhe牥⁴o⁴h楳⁰o汩捹⁣ n捥牮楮g⁴he楲⁐䌮

Emp汯lee



䝥ne牡氠rwa牥re獳⁴h牯rgh⁉nf
o牭a瑩tn⁓e捵物瑹⁁wa牥re獳s
p牯r牡r
.

䥮fo牭a瑩tn⁓e捵物瑹
Manager



En獵牥⁡汬e捥獳s特⁰a牴re猠snde牳瑡nd⁴h楳⁰o汩捹



䍯汬散C⁡nd⁲ v楥i⁰牯捥du牥猠fo爠rmp汥len瑩tg⁰o汩捩敳c
f牯r⁴hee捥獳s特⁧牯rp献



Mon楴i爠rdhe牥r捥⁳ mi
-
annua汬yfon
-
W楮iow猠s䍳⁢y
牥r楥i楮i⁵pda瑥 g猠snd⽯爠ra瑥献