PURPOSE
_______________________________________________________________

To establish an antivirus security policy for the protection of all County information technology resources.

REFERENCE
_______________________________________________________________

July 10, 2004, Board Order 10 - Board of Supervisors Policy – Information Technology and Security Policy.

POLICY
_______________________________________________________________

Each department shall provide County-approved real-time virus protection for all County hardware/software environments to mitigate risk to County data, devices, and networks. Antivirus software shall be configured to actively scan all files received by the computing device. Each department shall ensure that antivirus software is updated when a new antivirus definition/software release is available and when hardware/software compatibility is confirmed. Each department that maintains direct Internet access shall implement an antivirus system to scan Internet web pages, Internet e-mails, and File Transfer Protocol (FTP) downloads. Each department must comply with the requirements of the CCERT policy in the notification of credible computer threat events. Only authorized personnel shall make changes to the antivirus software configurations as required. Any employee or authorized user who telecommutes or is granted remote access shall utilize equipment that contains current County-approved anti-virus software and shall adhere to County hardware/software protection standards and procedures that are defined for the County and the authorizing department. County employees or authorized personnel are prohibited from intentionally introducing a virus or other malicious code into any device or the County’s network or to deactivate or interfere with the operation of the antivirus software. Each user is responsible for notifying the department’s Help Desk or the Department Security Contact as soon as a device is suspected of being compromised by a virus. Each department shall adhere to the standards and procedures set forth by this policy. Compliance Employees who violate this policy may be subject to appropriate disciplinary action up to and including discharge as well as civil and criminal penalties. Non-employees including contractors may be subject to termination of contractual agreements, denial of access and/or penalties both criminal and civil. Policy Exceptions Requests for exceptions to this Board policy must be reviewed by the CIO and approved by the Board of Supervisors. Departments requesting exceptions should provide such requests to the CIO. The request should specifically state the scope of the exception along with justification for granting the exception, the potential impact or risk attendant upon granting the exception, risk mitigation measures to be undertaken by the department, initiatives, actions and a time frame for achieving the minimum compliance level with the policies set forth herein. The CIO will review such requests, confer with the requesting department and place the matter on the Board's agenda along with a recommendation for Board action.

RESPONSIBLE DEPARTMENT
_______________________________________________________________

Chief Information Office (CIO)

DATE ISSUED/SUNSET DATE
_______________________________________________________________

Issue Date: July 13, 2004	Sunset Date: July 13, 2008
Review Date: August 21, 2008	Sunset Date: July 13, 2012
Review Date: July 19, 2012	Sunset Date: January 13, 2013
Review date: February 28, 2013	Sunset Date: July 13, 2013