Compliance: The use of malware falls under SFU General Policy GP24: Fair Use of Information and Communications Technology, specifically "Section 2.6 Protective Measures". SFU IT staff are duty bound to prevent malware from entering SFU networks and have the authority to take immediate action to prevent damage from malware. The following content provides a guideline for the safe handling of malware. Please note that it is only a guideline, and anyone anticipating the need to intentionally handle malware should consult their IT representatives to discuss their particular situation. Once a plan to safely handle the malware has been determined, it should then be reviewed by the SFU Chief Information Security Officer.
Permission: The SFU Chief Information Security Officer will give permission for the use of malware at SFU once the proposed plan has been reviewed.
Consequences: SFU network security staff will "shoot first and ask questions later" in their approach to responding to threats from malware. Any hint that something has gone wrong will result in blocked access and locked accounts. Reinstatement of accounts will be pending further investigation.
- Malware handling plan to be reviewed with the Chief Information Security Officer before malware is brought onto campus systems.
- All people who will have access to the malware must be identified.
- All users of the malware are to be trained on the safe handling before they are granted access.
- No additional copies of the malware are to be made except as described in the safe handling plan.
- Malware must be deleted by the specified date unless an updated plan is submitted.
Use of Malware Plan:
Before acquiring malware, a plan must be put in place that addresses all of the following points:
- Purpose: Explain why the malware is needed and how it will be used.
- Containment: The primary objective for safely handling malware is to ensure it is contained to prevent it from becoming active on SFU systems. The malware should be stored so that it is isolated from other SFU systems and only the people who need to access it are able to access it.
- Security: Malware should only be stored on devices that require authenticated access, restrict access to authorized people and are not exposed directly to the rest of SFU networks. For example, it could be stored on a server that only allows certain people to log in and only allows them to log in from known machines.
- Identify all people who will have access to the malware.
- Schedule for removal: An end date for the removal and disposal of the malware must be specified.
- Responsibility: The person responsible for the malware and following the submitted plan must be identified.