Anti Virus and Patching - Black Country Partnership NHS

Standard Operating Procedure 2 (SOP 2)
Anti Virus and Patching
Why do we have a procedure?
Viruses can infect IT systems by a wide variety of methods, including email messages,
the Internet and accessing infected files contained on USB drives, floppy disks
and CDs.
Viruses can propagate very quickly, as they are easily spread to other PCs connected
to a computer network, be it the Trust network, a LAN (1) or the Internet.
It is vitally important, therefore, that every IT system connected to the network has
anti-virus software installed and that this protective software is kept current.
Viruses can also attack vulnerabilities in applications such as Microsoft Office and
operating systems such as Windows, and this software must also be made secure by
the application of critical patches and updates as and when required.
In order to combat viruses on the email gateway, servers and personal computing
systems, the Trust has adopted a suite of system protection products from McAfee.
This software is site licensed.
For more information on viruses see: http://www.mcafee.com/uk
This Standard Operating Procedure sets out the procedure for the protection of the
networked environment, and for the continued provision of the ICT services that
Trust ICT provides to our end users, against the threat of malware. It provides guidance
and direction on minimising the risk of malware infection and on what to do if a virus is
detected. This SOP also outlines the responsibilities of the ICT department and you,
the Customer. Only by everyone recognising their responsibilities will the risks to our
networked infrastructure be minimised.
ICT has a responsibility to ensure that appropriate technical measures are
implemented to protect against malware and to ensure that appropriate controls are
in place to rapidly detect, isolate and remove any instances. A single technical
solution cannot be relied upon and therefore a ‘layered approach’ will be
implemented in order to provide the best overall protection against the omnipresent
threat of malware from whichever vector it may appear.
This procedure should be read in conjunction with other relevant Information Security
Policies and procedures.
What overarching policy does the procedure link to?
ICT Security Policy
Which services of the trust does this apply to?
Corporate Services and ICT services
Anti Virus and Patching
Page 1 of 9
Version 1.0 October 2016
Where is it in operation?
Any location containing Trust computers
Group                              | Inpatients | Community | Locations
Mental Health Services             |            |           | all
Learning Disabilities Services     |            |           | all
Children and Young People Services |            |           | all
Who does the procedure apply to?
This SOP applies to ICT resources and to all staff authorised to use/access those
computer systems and communications networks whether they are employed directly
by the Trust, contractors, NHS Professionals, bank staff, voluntary organisations or
suppliers granted access for support purposes.
Systems developed and managed centrally by the NHS Connecting for Health
programme, e.g. NHSmail, are not owned by or under the direct control of the Trust and
are, therefore, considered outside the scope of this guidance.
When should the procedure be applied?
Whenever logged on to a Trust computer.
How to carry out this procedure
Definitions
Anti-Virus (AV): A specific software application that provides an electronic defence
mechanism mitigating the risk of a computing device being infected with or affected by
malware.
Virus: A computer program that can copy itself without the permission or knowledge of
the user. A virus can only spread from one computer to another when its host is taken
to the uninfected computer; for instance, by a user sending it over a network or
carrying it on removable media.
Worm: A self-replicating computer program. It uses a network to send copies of itself
to other PCs on the network and it may do so without any user intervention. Unlike a
virus, it does not need to attach itself to an existing program. Worms always harm the
network (if only by consuming bandwidth), whereas viruses always infect or corrupt
files on a targeted computer.
End points: All devices (from servers to clients to networked equipment) with an
operating system that is capable of being affected or infected by malware.
Malicious software: Software designed to infiltrate or damage a computer system
without the owner's informed consent.
Malware: A term derived from the words "malicious" and "software". The expression is
a general term used to refer to a variety of forms of hostile, intrusive, or annoying
software or program code.
Ransomware: A type of malicious software designed to block access to a computer
system and/or data until a sum of money is paid.
Social Engineering: A technique used by attackers to attempt to subvert security
controls by attempting to convince a legitimate user to divulge sensitive information
such as passwords, IP addresses or details of security mechanisms in use, to enable
others to do likewise, or to run inappropriate malware.
Spyware: A type of malware designed to collect information from the target system
and transmit that data to external parties for unauthorised use. Most commonly
packaged with legitimate (or seemingly legitimate) software, spyware installs itself
without the user's knowledge.
Spam: Unsolicited email, received from an unrequested source, which attempts to
convince the user to perform an action (usually to purchase goods or services, or to
click on a link).
Trojan Horse: A program that contains or installs a malicious program (the 'Trojan').
The term is derived from the classical myth of the Trojan horse. Trojan horses may
appear to be useful or interesting programs (or at the very least harmless) to an
unsuspecting user, but are actually harmful when executed.
Rootkits: A stealthy type of software, designed to hide the existence of certain
processes or programs from normal methods of detection and enable continued
privileged access to a computer.
Adware: A software package which automatically renders advertisements.
Anti-Virus Protection
All ‘end points’ and network ‘entry’ points should be protected from malware and its
effects, and should protect the resources they host or provide access to. Generally an
Anti-Virus solution will be deployed on all assets and will mediate all traffic that may be
processed on that end point. In the case of ‘boundaries’, the point of access to the
environment is to provide protection from malware for any traffic it allows into and out
of the environment. For example, email and web traffic is to be scanned for malware at
the point of entry to, or exit from, the environment.
Layered Security, Reducing the Scope for Malware
a. Widespread use of AV software on all Endpoints
Wherever possible Anti-Virus software is to be installed on all suitable endpoints,
including all forms of clients and servers, regardless of whether they are
networked or standalone. This will ensure that any risks of cross-infection
between disparate systems are minimised. The aim is that we will have no less
than 99% coverage of installed, functional and up-to-date Anti-Virus
software. Anti-Virus signatures and updates will be no older than 5 days for all
devices on or connecting to the BCPFT network.
b. Patch Management
Systems that are fully patched are significantly less likely to be affected by
malicious software. Malware targets known weaknesses or vulnerabilities in
target operating systems or applications and uses these to attack the target
system. For known weaknesses, vendors quickly distribute software
updates/patches to prevent exploitation via that particular mechanism; it is
therefore important to follow up on these newly released patches to ensure any
newly identified vulnerability is mitigated as quickly as possible. Regular review,
assessment and installation of the latest patches are to be completed as close to
the regular release cycles as possible.
The exact process for patch management is contained within the IT Security
Policy but should aim to ensure that relevant devices are:
• routinely patched with security patches (patches which have failed
testing may be excluded on a host-by-host basis):
• Servers: should be no more than 2 months behind available and tested
security patches;
• Desktops and Laptops: should be no more than 1 month behind available
and tested security patches. This should apply to no less than 70% of
systems on or connected to the BCPFT network;
• Networks/Other: should be no more than 1 month behind available and
tested security patches.
c. Restricted Download Rights
Software programs or executable files are not to be downloaded from the
Internet and installed onto endpoints without permission from the ICT
department. Technical controls are in place to restrict the ability of the majority
of users to download files from the Internet. A limited number of operations staff
have greater flexibility to download; however, all users should take appropriate
precautions to ensure they limit the possibility of downloading malicious
software.
d. Administrative/Privileged Access Rights
Accounts with elevated privileges are primarily only available to those in the ICT
department, and there is a slow but steady move to reduce the number of users
with such rights, and the extent of such rights, both outside of and within ICT.
Administrative groups should be used so that, where elevated rights are
granted, users receive the minimum level of privileges necessary for them to
carry out their work via group membership rather than rights assigned individually.
Users that require elevated privileges should have a secondary ‘admin’
account created and only use these rights when they are required; all other
work should be carried out using their standard network user account.
e. Boundary Protection/Firewalls
The BCPFT network is protected by firewalls on the boundary to both N3 and the
Internet; they have also been implemented internally to segment any
‘unprotected’ VLAN(s). This perimeter around the network ensures that only
authorised traffic can pass in or out of the network. In the instance of a malware
outbreak internally on the network, this can help to prevent the malware stealing
data by transferring it out of the network. It will also prevent additional malware
being brought into the network, for example further updates/instructions for, or
remote control of, the malware.
f. Internet Traffic
In addition to the boundary firewalls, internet traffic is also controlled by
passing through a web proxy filter which limits exposure of internal IP addresses,
limits what users can do, and scans connected sessions for malware.
Traffic should always be directed through these proxies; however, occasionally
applications will not work through a proxy and it is necessary to bypass it. Every
effort is to be made to facilitate connections with the internet via the proxies, and
only in exceptional cases are these to be bypassed.
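The coverage and patch-lag thresholds in items a and b above can be checked mechanically against an inventory export, which is how a compliance dashboard of the kind described later in this SOP is fed. The following is an added example, not code from the Trust's SOP or its McAfee tooling; the inventory, device names and the 30-day approximation of a 'month' are constructed assumptions.

```python
"""Added example (not the Trust's SOP or tooling): check a constructed endpoint
inventory against the thresholds the SOP states in items a and b:
  - AV signatures/updates no older than 5 days; at least 99% AV coverage
  - servers at most 2 months, desktops/laptops/network at most 1 month behind
    tested security patches, with at least 70% of systems meeting the target
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

MAX_SIGNATURE_AGE_DAYS = 5
MIN_AV_COVERAGE = 0.99
MIN_PATCH_COVERAGE = 0.70
# Assumption: the SOP does not define a "month", so 30-day periods are used here.
MAX_PATCH_LAG_DAYS = {"server": 60, "desktop": 30, "laptop": 30, "network": 30}


@dataclass
class Endpoint:
    name: str
    kind: str                       # server | desktop | laptop | network
    av_installed: bool
    av_on_access: bool              # on-access scanning enabled (SOP requirement)
    signature_date: Optional[date]  # date of the installed AV signature set
    patch_lag_days: int             # days the oldest missing tested patch has been available


def av_findings(ep: Endpoint, today: date) -> List[str]:
    """Reasons an endpoint fails the AV requirement; an empty list means compliant."""
    reasons = []
    if not ep.av_installed:
        reasons.append("AV not installed")
    elif not ep.av_on_access:
        reasons.append("on-access scanning disabled")
    if ep.signature_date is None:
        reasons.append("no signature date recorded")
    elif (today - ep.signature_date).days > MAX_SIGNATURE_AGE_DAYS:
        reasons.append(f"signatures {(today - ep.signature_date).days} days old")
    return reasons


def patch_findings(ep: Endpoint) -> List[str]:
    """Reasons an endpoint fails the patch-lag limit for its device kind."""
    limit = MAX_PATCH_LAG_DAYS[ep.kind]
    if ep.patch_lag_days > limit:
        return [f"{ep.patch_lag_days} days behind tested patches (limit {limit})"]
    return []


def assess(inventory: List[Endpoint], today: date) -> dict:
    """Coverage figures and non-compliant device names, as a dashboard would show them."""
    av_bad = sorted(ep.name for ep in inventory if av_findings(ep, today))
    patch_bad = sorted(ep.name for ep in inventory if patch_findings(ep))
    av_cov = 1 - len(av_bad) / len(inventory)
    patch_cov = 1 - len(patch_bad) / len(inventory)
    return {
        "av_coverage": av_cov, "av_target_met": av_cov >= MIN_AV_COVERAGE,
        "patch_coverage": patch_cov, "patch_target_met": patch_cov >= MIN_PATCH_COVERAGE,
        "av_noncompliant": av_bad, "patch_noncompliant": patch_bad,
    }


# Constructed sample inventory (fictional device names), as at 14 October 2016.
TODAY = date(2016, 10, 14)
INVENTORY = [
    Endpoint("srv-file01", "server", True, True, date(2016, 10, 12), 45),
    Endpoint("srv-legacy02", "server", False, False, None, 90),           # unsupported OS
    Endpoint("pc-ward-07", "desktop", True, True, date(2016, 10, 13), 10),
    Endpoint("lt-commun-03", "laptop", True, True, date(2016, 10, 1), 20),  # rarely on network
    Endpoint("pc-admin-02", "desktop", True, True, date(2016, 10, 14), 0),
]

if __name__ == "__main__":
    print(assess(INVENTORY, TODAY))
```

On the constructed inventory the patch target (70%) is met but the AV target (99%) is not, because the legacy server and the off-network laptop both fail the signature-age check; the per-device reasons are what the service desk would act on.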
Responsibilities
This SOP applies to all ‘supported’ assets used within the Black Country Partnership
NHS Foundation Trust regardless of who manages/operates them or whether they are
hosted on the ‘network’. Where departments manage/operate independent
standalone ICT systems, the requirements below still apply, although they may be
fulfilled differently as directed by individual Information Asset Owners. Advice and
guidance in the fulfilment of any conditions contained within this SOP will be provided
by the ICT department.
The BCPFT ICT department has implemented an enterprise anti-virus strategy with
the deployment of Anti-Virus software throughout the computer network and on assets
they support. This software constantly scans networks and endpoints for virus attacks
whilst running in the background and is virtually transparent to the user. The use of
anti-virus software is a requirement of the CfH/N3 Code of Connection Statement of
Compliance (SOC) agreement and the NHS Information Governance Toolkit, and it also
ensures that trusts comply with their legal obligations outlined in the Data Protection
Act (1998) to protect personal data.
All end points must routinely have the Trust standard Anti-Virus software installed with
on-access scanning enabled; the anti-virus detection engine and the virus library files
must be kept up to date automatically without user interaction. Compliance with this
will be regularly monitored by the ICT department and prompt action should be taken to
resolve instances where devices are not compliant. For this purpose an Anti-Virus
compliance dashboard has been configured to provide an overview to relevant senior
managers within the ICT department.
The ICT department is aware that in some instances the enterprise software cannot
be installed on endpoints; for example, some machines may not be able to run the
software (e.g. legacy systems with unsupported operating systems or non-networked
devices). In circumstances where Anti-Virus software either cannot be installed or
cannot run in default mode, additional safeguards are to be implemented to limit
the risk of any potential infection or spread of malware within the environment.
In instances where the installation of Anti-Virus software adversely affects the
performance of the host or the installed software, every effort should be made to find a
solution other than removing the software. For example, most Anti-Virus solutions can
be configured to exclude particular files/folders/processes from scanning, or on-access
scanning can be disabled and a scheduled scan used instead (outside of working
hours if necessary). Any changes are to be kept to the minimum required to address
the issue(s) and must not be unduly excessive in relaxation of the default configuration.
Anti-Virus software must only be installed and configured by the Trust ICT
department and end users must not disable, uninstall, reconfigure or interfere with the
anti-virus software installed on any endpoint or attempt to install alternative solutions.
Users who operate their laptops on and off the network must regularly connect to the
network to ensure that the Anti-Virus software virus definitions remain up-to-date.
Failure to do so could result in unnecessary virus outbreaks.
Network file storage facilities (shared drive, home drive) should be used wherever
possible to store computer files. Files in these areas are backed-up each night. If a
virus infection does occur and the Anti-Virus software cannot repair any ensuing
damage, it may be possible to restore files to a clean state from the backup media.
(This is not possible for files stored on the C: drive or on removable media).
Although many threats can be combated using technology, the key to robust protection
is empowering each user with the necessary knowledge to help prevent or limit virus
outbreaks. End users are to be made aware of good practice guidance such as, but not
limited to, only opening emails from trusted sources and not attempting to
download/install software on their device. Appropriate awareness campaigns/training
are to be run annually for staff to raise awareness.
In the Event of an Outbreak (ICT responsibilities)
The ICT Department will require unhindered access (either remotely or locally) to any
ICT-managed network-connected PC to apply updates to software to minimise the risk
of a virus outbreak or to repair a critical security vulnerability. In the event of an outbreak
the ICT Department will ensure that:
• A Priority 1 incident has been raised on the Service Desk
• The incident is completed within the appropriate timescales
• Appropriate measures are taken at the earliest opportunity to minimise the risk of
a virus outbreak
• All affected users are notified of a virus outbreak at the earliest opportunity using
appropriate methods. This notification will offer advice to the user on how the virus
risk can be minimised and will outline any measures being taken by ICT in
response to the available information
• In the event of a global virus outbreak affecting numerous endpoint devices at
multiple Trust locations, all Trust users will be notified at the earliest opportunity
using appropriate methods. This notification will offer advice to the user on how
the virus risk can be minimised and will outline any measures being taken by ICT
in response to the available information
• All infected devices are unplugged from the network, with little or no notice, to
minimise the propagation of a virus or if the PC is deemed to be a security risk
• All infected devices have been cleaned and all instances of the virus removed
• All infected files have been deleted or cleaned
• An investigation is undertaken to determine where the virus may have originated
• A report will be generated from the results of the investigation; this will determine
exactly what happened during the outbreak, how it happened, and why it
happened. The report will be used to implement any recommended changes
necessary in order to help prevent any similar outbreaks. The report will be
submitted to ICT senior management and the Information Governance Steering
Group and published on the Trust Intranet
In the event that a resource or network drive becomes infected with a virus, the
ICT department will remove all access to the specified drive(s) to prevent the virus
from spreading and infecting other files and folders within the Trust storage area
network. Once all access has been removed, the ICT department will remove the
virus, clean or delete any infected files and restore any files that cannot be
cleaned.
In the Event of an Outbreak (ICT Service Desk responsibilities)
g. Record the incident in line with the agreed standards, as set out in the ICT
Standard Operating Procedures
h. As with all incidents, determine the urgency and assign a priority level. Due to the
high risk of disruption that a virus outbreak can potentially cause the Trust, all
virus-related Incidents are to have a priority of either P1 or P2
i. Advise the user to shut down the affected endpoint (e.g. laptop, PC or tablet)
and remove the network lead
j. Disable the endpoint's computer account within Active Directory; this will prevent
the endpoint from accessing the Trust's network
k. Depending on the type of virus, inform the user that you may be required to disable
their Active Directory domain account
l. Escalate the incident immediately to the following managers in the order specified
below, as they will provide you with the necessary course of action to undertake:
i. Service Desk Co-Ordinator.
ii. Service Delivery Manager.
iii. Network Manager.
m. Arrange for the endpoint to be collected at the earliest convenience
n. Once you have collected the endpoint, log on to the endpoint in safe mode. This
will stop user-specific viruses from continuing to spread and further crippling the
endpoint
o. Attempt to remove the virus from the endpoint with the ICT department's standard
Trust-approved tools. These may include Trend, Symantec, AVG, Hitman Pro,
McAfee, BitLocker or whatever the ICT department decides is the best fit for the
removal of the specific virus
p. If the above actions appear to have removed the virus, reboot the endpoint, log on
as the user, and attempt to verify that the virus has been successfully removed. If
the virus has been removed, re-enable any disabled accounts
q. If the virus has not been successfully removed, attempt to reimage the endpoint.
Details on how to reimage the endpoint are located within the PC imaging folder
located on the ICT shared drive
In the Event of an Outbreak (User responsibilities)
If an end user observes any unusual activity leading them to suspect a virus has been
installed, the end user must:
• Inform the ICT Service Desk immediately;
• Switch off the machine (at the wall socket) and ensure no one else uses it;
• Gather any media, such as USB memory stick(s), that were used for transporting
information in or out of the machine and make them available to ICT;
• Not use the PC (or suspected media) until it has been cleared as being safe to
use.
All potential security breaches must be reported to the ICT Service Desk. Security
incidents and weaknesses must be reported in accordance with the requirements of the
organisation's incident reporting procedure (Datix). All security incidents and
weaknesses (actual or potential) will be investigated and reported to the Information
Governance Steering Group.
Links to other Policies
• ICT Change Control Policy
• ICT E-mail and Internet Acceptable Use Policy
• ICT Remote Access Policy
• ICT Portable Devices and Portable Media Security Policy
• ICT Telecommunications Policy
• ICT Priority 1 Incident Handling Policy
Where do I go for further advice or information?
ICT Department, Delta House, Greets Green Road, West Bromwich, B70 9PL
Tel: 0121 612 8001. Self service portal: http://fusion.smhsct.local/staff/
Training
Staff may receive training in relation to this procedure where it is identified in their
appraisal as part of the specific development needs for their role and responsibilities.
Please refer to the Trust's Mandatory & Risk Management Training Needs Analysis for
further details on training requirements, target audiences and update frequencies.
Monitoring / Review of this Procedure
In the event of planned change in the process(es) described within this document or an
incident involving the described process(es) within the review cycle, this SOP will be
reviewed and revised as necessary to maintain its accuracy and effectiveness.
Equality Impact Assessment
Please refer to overarching policy
Data Protection Act and Freedom of Information Act
Please refer to overarching policy
Standard Operating Procedure Details
Unique Identifier for this SOP: BCPFT-ICT-SOP-03-2
State if SOP is New or Revised: New
Policy Category: ICT
Executive Director whose portfolio this SOP comes under: Director of Strategy, Estates and ICT
Policy Lead/Author (job titles only): ICT Manager
Committee/Group Responsible for Approval of this SOP: Information Governance Steering Group
Month/year consultation process completed / Month/year SOP was approved: February 2016
Next review due: October 2019
Disclosure Status: ‘B’ can be disclosed to patients and the public
Review and Amendment History
Version | Date     | Description of Change
1.0     | Oct 2016 | New SOP for BCPFT to support ICT Security Policy