Tarleton Office of Innovative Technology Solutions (OITS)
Malicious Code Standard

Effective: February 11, 2020

Revised: April 28, 2025

Procedure Summary

Tarleton State University’s (Tarleton or university) information resources are strategic assets which, as property of the State of Texas, must be managed as valuable state resources in accordance with Texas Government Code Chapter 2054. This standard applies to Tarleton State University information resources that store, process, or transmit mission critical and/or confidential information.

The purpose of this standard is to provide a set of measures that will mitigate information security risks associated with malicious code. There may be other or additional measures that will provide appropriate mitigation of the risks. The assessment of potential risks and the application of appropriate mitigation measures will be determined by the information resource owner or their designee. In accordance with Texas Administrative Code (TAC) Chapter 202 ‐ Information Security Standards, each department and/or resource owner may elect not to implement some or all of the risk mitigation measures provided in this standard based on information security risk management decisions and business functions. Such risk management decisions must be documented and reported to the designated information security officer (ISO). The intended audience for this standard includes, but is not limited to, all information resources data owners, management personnel, system administrators, and users of Tarleton information resources.

Please see the Tarleton Security Controls Catalog, specifically SI-3, Malicious Code Protection, for additional information and requirements.

Procedures and Responsibilities

Prevention and Detection
- For each computer connected to the university network, security updates from the manufacturer of the appropriate operating system, and/or application software, must be kept current (e.g. patched and updated).
- Where feasible, firewall software or hardware shall be installed to aid in the prevention of malicious code attacks/infections.
- Email attachments and shared files of unknown integrity shall be scanned for malicious code before they are opened or accessed.
- Storage devices will be scanned for malicious code before accessing any data on the media.
- Software to safeguard against malicious code shall be installed and functioning on susceptible information resources that have access to the university network.
- Software safeguarding information resources against malicious code shall not be disabled or bypassed.
- The settings for software that protect information resources against malicious code should not be altered in a manner that will reduce the effectiveness of the software.
- The automatic update frequency of software that safeguards against malicious code shall not be altered to reduce the frequency of updates.
Response and Recovery
- All reasonable efforts shall be made to contain the effects of any system that is infected with a virus or other malicious code.
- If malicious code is discovered, or believed to exist, the user will report the issue to Office of Innovative Technology (OITS) staff for remediation at either helpdesk@tarleton.edu or at itsecurity@tarleton.edu.
- The infected system shall be disconnected from the network (or malicious email disabled, if applicable) to prevent further possible propagation of the malicious code or other harmful impact.
- Personnel responding to the incident should have the necessary system access privileges and authority to implement any necessary measures to contain/remove the infection.
- Due to the risk of possible backdoor code that could escape detection, OITS staff will determine the remediation steps necessary to recover from the incident in accordance with the Tarleton Security Controls Catalog, Incident Response Plan and family of controls, as applicable.
- Any removable writeable media recently used on an infected machine shall be scanned prior to opening and/or executing any files contained therein.
- OITS staff should thoroughly document the incident noting the source of the malicious code (if possible), resources impacted, and damage or disruption to information resources in accordance with the Tarleton Security Controls Catalog, Incident Response Plan and family of controls, as applicable.

Definitions

Information Resources (IR): the standards, equipment, and software that are designed, employed, operated, and maintained to collect, record, process, store, retrieve, display, and transmit information or data.

Information Security Officer (ISO) / Chief Information Security Officer (CISO): responsible for administering the information security functions within the university and reports to the information resources manager (IRM).

Malicious code: Software that is designed to operate in a manner that is inconsistent with the intentions of the user and which typically results in annoyance or damage to the user’s information resources. Examples of such software include:

Viruses: Pieces of code that attach to host programs and propagate when an infected program is executed.

Worms: Particular to networked computers to carry out pre-programmed attacks that jump across the network.

Trojan Horses: Hidden malicious code inside a host program that appears to do something harmful.

Attack scripts: These may be written in common languages such as Java or ActiveX to exploit weaknesses in programs; usually intended to cross network platforms.
Spyware: Software planted on a system to capture and reveal information to someone outside an individual’s system. It can do such things as capture keystrokes while typing passwords, read and track e-mail, record the sites visited, pass along credit card numbers, and so on. It can be planted by Trojan horses or viruses, installed as part of freeware or shareware programs that are downloaded and executed, installed by an employer to track computer usage, or even planted by advertising agencies to assist in feeding targeted ads.

Owner of an Information Resource: an entity responsible for a business function and for determining controls and access to information resources supporting that business function.