§164.308(a)(5)(ii)(B): Procedures for guarding against, detecting, and reporting malicious software.

Audit Inquiry

Does the entity have policies and procedures in place regarding a process to incorporate its procedures to guard against, detect, and report malicious software into its security awareness and training program?

Obtain and review documentation demonstrating that the procedures for guarding against, detecting, and reporting malicious software are incorporated in the security awareness and training program.

Elements to review may include but are not limited to:
• The malicious software protection mechanism that has been implemented
• Information system protection capabilities
• Workforce members’ roles and responsibilities in malicious software protection procedures
• Steps to protect against malicious software
• Steps to detect malicious software
• Action(s) to be taken in response to malicious software detection

Obtain and review documentation demonstrating that procedures are in place to guard against, detect, and report malicious software. Evaluate and determine whether such procedures are in accordance with malicious software protection procedures included in the training material.

Obtain and review documentation of the workforce members who should be trained on the procedures to guard against, detect, and report malicious software.

Obtain and review documentation of the workforce members who were trained on the procedures to guard against, detect, and report malicious software. Evaluate and determine if appropriate workforce members are being trained on the procedures to guard against, detect, and report malicious software.

Has the entity chosen to implement an alternative measure?
If yes, obtain and review entity documentation of why it has determined that the implementation specification is not a reasonable and appropriate safeguard and what equivalent alternative measure has been implemented instead.
Evaluate documentation and assess whether the alternative measure implemented is equivalent to the protections afforded by the implementation specification.

Required/Addressable

Addressable