17.3.24 Mitigation of threats to IT Services

OIST is under constant attack from external parties seeking to access and exploit its IT Resources. In protecting OIST and its users, IT Division and systems administrators shall conform to the following requirements.

17.3.24.1 Software vulnerability management
System administrators shall ensure patches or workarounds are in place for any published vulnerabilities prior to production use of any software. Once a system has moved to production operation, system administrators shall remain apprised of updates and patches to systems, and apply them in a timely fashion, accounting for potential impact to the system and its users. Where a vulnerability that may result in the compromise of OIST information assets is detected, the system administrator shall immediately contact the CIO and CISO and take appropriate action to protect OIST information assets.

17.3.24.2 Measures to limit malicious software
System administrators shall install anti-malware software on servers or other devices that support such software. The system administrator shall monitor the status of anti-malware software and take any action necessary. The system administrator shall keep anti-malware software and its definition files up to date. Only system administrators shall have the escalated privileges required to change the configuration of anti-malware software, and shall not grant such privilege to other users. The system administrator shall configure anti-malware software to scan the system periodically.
