Skip Navigation
  • Text Size: A A A
  • Print
  • Email
  • Facebook
  • Tweet
  • Share
  • Print
  • Email
  • Facebook
  • Tweet
  • Share

HHS IRM Policy for the Prevention, Detection, Removal and Reporting of Malicious Software

January 8, 2001


Table of Contents

1. Purpose
2. Background
3. Scope
4. Policy
5. Roles and Responsibilities
6. Applicable Laws/Guidance
7. Information and Assistance
8. Effective Date
9. Approved

1. Purpose

This document provides the policies for preventing, detecting, removing, and the reporting of malicious computer software, such as computer viruses. The purpose is to assure that pro-active security measures are taken to prevent malicious software from occurring; to raise awareness for recognizing and immediately reporting the occurrence of malicious software; and to ensure that appropriate action is taken to minimize the consequences of a malicious software attack.

2. Background

The Department of Health and Human Services’ (HHS) security program complies with Federal laws, regulations, and directives and communicates uniform policies for the protection and control of information technology (IT) resources directly or indirectly relating to the activities of the Department. Computer systems and communication networks are subject to a variety of threats, many of which have emerged with the enormous growth in the use of personal computers, Local Area Networks (LAN), Wide Area Networks (WAN), and the Internet. Non-malicious threats can be through human error, hardware/software failures, and natural disasters. Malicious threats can range from rational (e.g., obtaining something of value at no cost) to irrational (e.g., destroying information or causing embarrassment). These threats must be adequately addressed through proper controls. In addition, HHS has an obligation to protect the privacy and security of personal data.

Malicious software has the potential to cause harm to an organization through the modification, destruction, or release of information or processing resources, and the denial of critical services. Traditional computer safeguards and malware detection efforts play important roles in the implementation of an organization’s malicious software prevention strategy.

Originally the most common "carrier" of viruses was the diskette, since "sneaker net" was the most common means of transferring software and data between computers. However, all organizations with Internet access are now more vulnerable to viruses. Since e-mail is widely used as a business communication tool, e-mail is a favorite infection vehicle for virus writers. As information systems grow in complexity, effective security safeguards must evolve. Security is enforced through a combination of technical and traditional management methods.

3. Scope

The policy contained in this circular is applicable to all HHS information and infrastructure computing resources, at all levels of sensitivity, whether owned and operated by HHS or operated on behalf of HHS. This policy is mandatory for all Operating Divisions (OPDIVs), employees, contractors, and others who process, store, transmit, or have access to IT information and infrastructure computing resources in the Department. This policy applies to all existing automated systems and to any new systems technology acquired after the effective date of this policy. This policy applies to all operating system environments.

4. Policy

4.1. Protection against unauthorized access

HHS will assure that its systems and data are safe and secure from unauthorized access that might lead to the alteration, damage, or destruction of automated resources and data, unintended release of data, and denial of service.

4.2. Reasonable measures

Each OPDIV shall ensure that all reasonable measures are taken to prevent, detect, remove, and report viruses.

4.3. Prevention

Each OPDIV shall establish access controls that limit or detect access to critical resources (e.g., data, files, application programs, and computer-related facilities and hardware), that helps to prevent unauthorized modification, disclosure, loss, or impairment of data.

Each OPDIV shall have change controls, life cycle management procedures, and controls to prevent implementation of unauthorized or risk-inducing programs or modifications to existing programs and thus possible interruption of critical processes.

  1. As specified in the "HHS Automated Information Systems Security Program Handbook," users shall be trained about the policy of permitting only authorized software on computers, the possibility of receiving viruses and other malicious software from the Internet. Users shall be trained about the possibility of viruses and other malicious code, on the use of virus scanning tools, about their responsibilities for regularly using these scanning tools, and how to handle and report suspected or actual viral infections. Users shall be informed about the procedures for detecting viruses and limiting the spread of infection.
  2. All software and data imported onto computers through physical (e.g., floppy disks, tapes) or electronic means (e.g., e-mail, file transfer protocol [FTP], downloading from the web) shall be scanned before the file is opened and read by the user. All Files shall be scanned prior to opening.
  3. Through the use of enterprise infrastructure management tools, software configurations shall be scanned by OPDIVs on a daily basis to validate that no unauthorized software has been added to any computer or server, further reducing the likelihood of malicious software or virus introduction to the network. OPDIVs shall implement the enterprise infrastructure management asset management program registry.
  4. Each OPDIV shall employ the prevention technique of isolating or segmenting the network with firewalls to block unauthorized incoming traffic, direct incoming traffic, and protect vulnerable systems.
  5. Anti-virus software shall be installed at the network perimeters (e.g., entrances to the OPDIV, at the junctions between OPDIV and Internet, and at other locations if the sensitivity of data and risk of spreading a virus between sections of a network warrant it) and deployed to file servers, e-mail servers, and Internet gateways to limit the spread of viruses within the network. This virus checking shall allow centralized and/or localized virus scanning for an entire organization and reduce overhead by simultaneously scanning incoming messages that have multiple destinations. It also allows for centralized administration of the virus scanning software, thus limiting the locations at which the latest virus scanning software needs to be maintained and updated.

4.4 Detection

  1. Each OPDIV shall use anti-virus software to scan all incoming and outgoing e-mail messages, attachments, and files for viruses and other malicious software. Each OPDIV shall scan in real time all network servers.
  2. The virus scanning software engine shall be updated when the next update is available to maintain currency. The virus software signature files shall be updated within twenty-four hours of manufacturer’s release (unless it is needed immediately for an emergency) with the latest viruses.
  3. Virus scanning results shall be logged, automatically collected, and audited by system administrator or security staff.
  4. If an unknown virus is discovered and no cleansing routine is available, the OPDIV system administrator shall isolate the virus and keep a copy for analysis.

4.5 Removal

  1. Any machine thought to be infected by an unknown virus with no known cleaning routine available, shall immediately be isolated and appropriate measures shall be taken to remove the virus. If necessary, the machine should be disconnected from all networks. If the virus cannot be removed, the machine shall remain unconnected from the network
  2. Off-the-shelf virus scanning tools shall be used to remove a virus from an infected file, program, or storage media. If scanning tools still do not remove the virus and the scanning tool manufacturer cannot provide an update in a satisfactory time-frame, all software on the device shall be deleted including boot records. The software shall then be reinstalled from uninfected sources and rescanned for viruses. All devices shall be carefully checked for suspected sources and locations of viruses, including any shared network services, programs, e-mail messages, and files. All devices shall be cleaned and rescanned promptly upon discovery of a virus.
  3. All the steps taken to recover from a virus infection incident shall be documented. These steps shall be useful as a future reference in updating procedures and educating personnel.

4.6 Reporting

  1. Employees shall inform the system administrator or other designated staff immediately of any different or out of the ordinary behavior that a computer or application exhibits, or any virus detected.
  2. When informed that a virus has been detected and is likely to be widespread, the system administrator or other designated personnel shall inform all users who may have been exposed to the same programs or data that a virus may have infected their systems.
  3. After the confirmation of the existence of a widespread virus, the system administrator shall notify a predetermined list of agency management and security personnel and potentially infected users of the steps necessary to determine if their system is infected and the steps to take to remove the virus.
  4. The OPDIV Senior Information Systems Security Officer shall report any incidents to the Department’s Senior Information Systems Security Officer and directly, when appropriate, to the General Services Administration’s Federal Computer Incident Response Capability (FEDCIRC).
  5. OPDIV system administrators shall report to the OPDIV Senior Information Systems Security Officer the quantity and location of machines that bypass the virus scanning. The OPDIV Senior Information Systems Security Officer shall report this information to the HHS Senior Information Systems Security Officer.

5. Roles and Responsibilities

Information systems security responsibilities and accountability shall be explicit. The responsibilities and accountability of owners, providers of information services, and users of computer systems and other parties concerned with the security of information systems shall be documented.

5.1 The HHS Chief Information Officer (CIO)

The HHS Chief Information Officer (CIO) is responsible for establishing and implementing the information security policies to assure that pro-active security measures are taken to prevent malicious software and to ensure that appropriate action is taken to minimize the consequences of an attack.

5.2 The Deputy Assistant Secretary for Information Resources Management

The Deputy Assistant Secretary for Information Resources Management (DASIRM) is responsible for monitoring and updating Department’s security policies, procedures, standards, and architecture to enable better detection and response capability. The DASIRM is responsible for notifying OPDIV CIOs and coordinating responses for incidents that span more than one OPDIV.

5.3 HHS Senior Information Systems Security Officer

The HHS Senior Information Systems Security Officer is responsible for developing and disseminating information concerning the potential dangers from malicious software, guidelines for its control, and serving as a central point for incident reporting, handling, prevention, and recognition. In addition, the HHS Senior Information Systems Security Officer shall promptly notify the HHS CIO, DASIRM, and OPDIV Security Officers of computer security incidents including the presence of viruses.


OPDIV CIOs are responsible for:

  • establishing and implementing policy, procedures, and practices to assure that OPDIV systems, programs, and data are secure and protected from unauthorized access that might lead to the alteration, damage, or destruction of automated resources; unintended release of data and denial of service;
  • ensuring that all OPDIV employees and other users of HHS IT resources comply with this policy;
  • ensuring that IT security requirements, procedures, and practices are provided in computer security training materials; and
  • ensuring that security awareness and training is mandatory for all personnel who use, operate, supervise, or manage computer systems; that new employees receive orientation outlining their security responsibilities; and that program mangers are providing periodic security training (minimum of once a year) to their employees.

5.5 The OPDIV Senior IT Security Officers

The OPDIV Senior Information Systems Security Officers are responsible for:

  • promptly notifying the HHS IT Security Officer of computer viruses;
  • ensuring that appropriate procedures are implemented and instructions issued for the detection and removal of viruses;
  • ensuring that all OPDIV personnel are aware of this policy and incorporate it into computer security briefings and training programs;
  • ensuring that anti-virus scanning software engine shall be updated when the next update is available to maintain currency. The virus software signature files shall be updated within twenty-four hours of manufacturer’s release (unless it is needed immediately for an emergency) with the latest viruses for the detection and removal of malicious software;
  • ensuring that when a virus infection is confirmed the extent of contamination is determined; and
  • serving as a focal point for incident reporting and subsequent resolution.

5.6 Supervisors and Managers

Supervisors and managers shall ensure that their staffs (Federal and contractor ) are aware of their security responsibilities for preventing and reporting viruses, and receive periodic security training.

5.7 Employees

Employees shall not disable or otherwise change anti-virus software on their workstation or other systems without specific authorization, shall comply with virus prevention activities, and report any suspected or actual viruses immediately to their help desk, system administrator, or other designated personnel. In recent years, there has been a proliferation of hoaxes disguised as virus warnings. These hoaxes are usually transmitted through e-mail and contain messages to send the alert to as many others as possible. They are NOT viruses, but may cause work disruption through false scares or represent a denial of service attack through their proliferation by overloading the e-mail system. All such "virus warnings" should be immediately reported to the system administrator or other designated personnel but not forwarded to others.

6. Applicable Laws/Guidance

The following public laws and Federal regulations are applicable to this policy circular:

  • Computer Fraud and Abuse Act of 1986 (P.L. 99-474);
  • Computer Security Act of 1987 (P.L. 100-235);
  • Privacy Act of 1974 (P.L. 93-579);
  • Clinger-Cohen Act (Information Technology Management Reform Act of 1996 - Division E of P.L. 104-106);
  • Office of Management and Budget (OMB) Circular No. A-130, Management of Federal Resources, Appendix III, Security of Federal Automated Information Resources;
  • Presidential Decision Directive 63 (PDD-63), Critical Infrastructure Protection, May 22, 1998;
  • HHS Automated Information Systems Security Program Handbook, May 1994; and
  • IRM Policy for Establishing an Incident Response Capability, HHS-IRM-2000-0007.

7. Information and Assistance

Direct questions, comments, suggestions or requests for further information to the Deputy Assistant Secretary for Information Resources Management at (202) 690-6162.

8. Effective Date and Implementation

The effective date of this policy is the date the policy is approved.

OPDIVs shall have six months from the date of implementation of the EIM tools to fully comply with this policy.

These policies and procedures will not be implemented in any recognized bargaining unit until the union has been provided notice of the proposed changes and given an opportunity to fully exercise its representational rights.

The HHS policies contained in this issuance shall be exercised in accordance with Public Law 93-638, the Indian Self-Determination and Education Assistance Act, as amended, and the Secretary's policy statement dated August 7, 1997, as amended, titled "Department Policy on Consultation with American Indian/Alaska Native Tribes and Indian Organizations." It is HHS' policy to consult with Indian people to the greatest practicable extent and to the extent permitted by law before taking actions that affect these governments and people; to assess the impact of the Department's plans, projects, programs and activities on tribal and other available resources; and to remove any procedural impediments to working directly with tribal governments or Indian people.

9. Approved


_____/s/_____________________________ _01/08/01__

John J. Callahan
Assistant Secretary for Management and Budget


Computer Security Incident - an event that may result in, or has resulted in the unauthorized access to, or disclosure of, sensitive or classified information; unauthorized modification or destruction of systems data; reduced, interrupted, or terminated processing capability; malicious logic or virus activity; or the loss, theft, damage, or destruction of any IT resource. Examples of incidents include the insertion of malicious code (e.g., viruses, Trojan horses, back doors); unauthorized scans or probes; successful and unsuccessful intrusions; and insider attacks.

Computer Virus - an executable or self-replicating program spread from executables, boot records, and macros as a set of instructions, and attaches itself to programs, files, diskettes, or other storage media. This set of instructions can then be spread to other programs, files, disks, systems, or networks. The instructions can display a message, erase or alter files, stored data, or potentially render a workstation or network inoperable. Sometimes, instead of disruptive instructions, a virus can cause damage by replicating itself and depleting resources, such as disk space, memory or network connections. Non-virus threats to user systems include worms, Trojan Horses, and logic bombs. Worms infiltrate programs and alter or destroy data. A Trojan Horse is a destructive program that comes concealed in software that not only appears harmless but attractive to an unsuspecting user (such as a game or graphic application). Logic bombs are usually timed or event triggered to do damage.

Detection - determining that a record, data file, or storage media is contaminated with a virus.

Malicious software - any code that is intentionally included in software or firmware for an unauthorized purpose.

Unauthorized Software - any software that does not have a certificate of authority to operate.