This Control addresses the requirements for malicious code protection both university-wide and the unit level.


  • This Control applies to all Texas A&M information resources.

  • The intended audience for this Control includes all information resource owners, custodians, and users of information resources.


  • 1

    For each computer connected to the Texas A&M network, security updates from the manufacturer of the appropriate operating system, and/or application software, must be kept current (e.g., patched and updated).

    • 1.1

      Security obsolesced software (e.g., no longer supported by the manufacturer) is not permitted on the campus network unless an exception is granted by the CISO and mitigating controls are in place.

  • 2

    Where feasible, personal firewall software or hardware shall be installed to aid in the prevention of malicious code attacks or infections.

  • 3

    E-mail attachments and shared files of unknown integrity shall be scanned for malicious code before they are opened or accessed.

  • 4

    Software to safeguard against malicious code (e.g., anti-virus, anti-spyware) shall be installed, enabled and functioning on susceptible information resources that store or process university data. Where possible, the automatic update feature of the software that safeguards against malicious code shall be enabled.

    • 4.1

      Software safeguarding information resources against malicious code shall not be disabled or bypassed.

    • 4.2

      The settings for software that protect information resources against malicious code should not be altered in a manner that will reduce the effectiveness of the software.

    • 4.3

      The automatic update frequency of software that safeguards against malicious code shall not be altered to reduce the frequency of updates.

    • 4.4

      Use of the anti-virus software designated by the CISO shall be required unless an exception is granted by the CISO.

    • 4.5

      If operation of the information resource does not allow for user-installed software (e.g., network devices, virtual appliances, vendor-restricted systems), the resource shall only be required to run the anti-virus software that is supported by the vendor.