PROPOSED REVISION TO: REG 08-00-10: Antivirus Software Requirements

PROPOSED REVISION TO: REG 08-00-10: Antivirus Software Requirements

Rationale:

Immediate change needed to remove references to the University providing site-licensed antivirus software. NC State’s campus license for Kaspersky antivirus is expiring on February 28, 2017, and will not be renewed. Site licenses are no longer being issued, and all links to Kaspersky downloads have been removed from the OIT site and/or replaced with this notice, above.

This Antivirus Software Requirements regulation will soon be removed and replaced by a new Endpoint Security Standard (in final approval). We request that REG 08-00-10 be temporarily updated with the edited version we are providing, in the interim. This version contains additional edits, for clarity.

Consultation Process:

1/17/17OIT S&C Cybersecurity Documentation Specialist authorizes transmittal of PRR for review

N/AGeneral Counsel preliminary review

1/17/17 OIT S&C and OCC review

1/17/17CITD review

1/26/17 General Counsel final review

1/27/17 Vice Chancellor for Information Technology & CIO approval

2/14/17 Chancellor’s Cabinet Meeting, or official with delegated authority to review PRR

3/13/17 University Council (recommendation/notification), if applicable (OGC will complete)

N/ABoard of Trustees (approval/notification), if applicable (OGC will complete)

PRR #08.00.10

AntivirusAnti-VirusSoftware Requirements

Authority: [KH1]Issued by the Vice Chancellor for Information Technology. Changes or exceptions to administrative regulations issued by the ______may only be made by the ______.Issued by Provost and Executive Vice Chancellor; Vice Chancellor for Finance and Administration

History: First Issued: July 13, 2004. Last Revised: ______.

Related Policies:

NCSU REG 08.00.02 - Computer Use Regulation

Additional References:

ResNet Terms of Use

NC State AntivirusAnti-Virus Resources

Antivirus Exemption Request form[KH2]

Request for Exemption form
Request Alternate Product

Contact Info:Vice Chancellor for Information Technology (919-515-0141)

1. Introduction

NC State faculty, staff and students have access to site-licensed commercial anti-virus software for use on all University-owned as well as personal computers. The software and associated information are available from the NC State Anti-Virus web site.

Viruses, worms, and other malicious software can destroy critical or confidential data, compromise security, and generate a large volume of network traffic. A small number of infected computers can have a catastrophic effect on NC State's networked systems and on the campus'sUniversity's ability to perform core business and instructional functions. Therefore, in order to protect the campus computing infrastructure, the University is implementinghas implemented a requirement for the use of anti-virusantivirus software.

NC State faculty, staff and students are required to have up-to-date antivirus software installed and operational on all personally-owned or University-owned computers connected to the campus network. The antivirus protection may be provided by the operating system vendor or be an approved alternative. Approved antivirus software recommendations and requirements are available from the NC State Antivirus Resources web site.

1. Requirement and Responsibilities
2. All computers (, including those that are personally owned) connecting , that connect to the campus network (including computers connecting via the NC State wireless network (Nomad), NC State VPN, or NC State modem pool) that are running one of the listed operating systems for which the University has site-licensed an anti-virus software package are required to install and enable the University site-licensed anti-virus software. If a user desires to run an alternate anti-virus product, itEduroam) or connecting via NC State’s VPN service, must be on the run up-to-date, approved NC Stateoperating system antivirus list or the user must request approval with justification according instructions available on the NC State University Anti-Virus web site.protection as defined on the NC State Antivirus Resources website. All students, including residence hall occupants, are subject to this regulation. Students who are residence hall occupants should note that ResNet also has an anti-virus requirement that covers residence hall occupants.
3. Installation, troubleshooting, and maintenance of the anti-virusantivirus software are the responsibility of all persons having administrative privileges on computer(s) connecting to the campus network.
4. Computers running operating systems for which the University has not site-licensed an antivirus software package are exempt from this requirement. If a specific computer or group of computers requires an exemption to this requirement, an Antivirus Exemption Request form must be submitted for approval. However, administrators should be aware of the risk to their systems and data should a virus infection occur. It is recommended they acquire and install anti-virusantivirus software as they deem appropriate to mitigate these risks. If needed, users should consult with other local computer administrators or the OIT Security & Compliance Group for guidance in making this decision.
5. Individuals and groups may receive an exemption from the University mandated anti-virusantivirus software requirement if the need for an exemption is supported by both the unit IT Director and approved by the Security Technology Working Group of the Security & Compliance Governance Subcommittee. Individuals or groups requesting an exemption must submit justification to the Chair of the University IT Security Subcommittee. Security Technology Working Group via the Antivirus Exemption Request form. The request must describe the necessity for an exemption and specify what alternate protections are in place. This exemption only applies to users who are required to install the anti-virus software.computer(s) specified in the exemption request. Computer Usersusers receiving an exemption are still subject to all other aspects of the Computer Use Regulation.
6. This regulation does not preclude units from implementing a more stringent requirement.
7. Non-compliance and Violations

Violations of this anti-virusantivirus regulation will be handled in accordance with the Computer Use Regulation. ThisViolations may result in the computer being blocked from the network if it is causing a security or performance impact on the campus network. Computers will not be unblocked until the machine is cleaned and brought into compliance. In addition, users may be disciplined as allowed in accordance with Section V5 of the Computer Use Regulation.

[KH1]Copied from another regulation; may not need changing

[KH2]Forms below point to the same page, with this new title