Virus scanning and backup standards

I'm with the United Way and we are currently developing virus protection and critical data backup guidelines for member agencies to comply with. I'm having a little trouble finding specific guidelines online to use as a template so here are the topics I decided to address.
Virus Protection: What programs are acceptable, update frequency, real-time scanning options, scanning frequency, and user training.
Data Backup: Frequency, media, dating procedures, how long they should be stored, and restoration procedures.
I just wanted to check with other IT professional in the nonprofit field and see if you felt any other things should be addressed, especially on data backup. Please let me know what you think.

User training is key -- it's important for users to know the "why" of virus protection and data backup, instead of just assuming that the computer guys will take care of it.

At the very least, it can save you questions from people who don't realize that their home computers are nowhere near as protected as their work ones. :cwm11;

I think you may be looking for a more coporate policy document and I don't have one, but I can give you my opinion and it may help you or some others:

Virus software
===============
Most major brands are good Norton's, McAfee, and we like AVG since they have a free version. When the software is installed, the system should be scanned, then it should be set to scan things introducted to the PC from the outside. It's a good idea to do a complete scan once a month, since something might have been picked up that was not covered until a later update and the live scanner missed it.
If you have a lot of PCs, I think it is a good idea to use 2-3 different AV programs. One may miss something new and the others may pick it up. The SW should update itself every week or so. This kind of program should cover you pretty well. Oh yeah, user training... if there is any doubt about an attachment or the way the computer is working, call for help. Repeat...

Backups
=======
The simple guideline is, "What is your pain threshold?". What will be the impact if you lose a day's worth of data? 2 days? A week? How about 6 months?
Then you know if you should back up once a day, twice a day, once a week, or once a month.
I like to have about 30 tapes in rotation, one for every day. Then I have 6-18 tapes and every month or every week, one tape goes into long term rotation so I have 6 months to a year or more of archive tapes. It sometimes happens that someone needs a file that was deleted months ago and was just discovered. It should be noted that with 1 tape a month, it may be possible that the window is too large and a file could be created and deleted between backups. Once the monthly rotation is erased, it's gone.

Media type depends on budget and the amount you have to back up.

Some backups should be stored off-site. Fireproof safes are great, if they work, and if you don't mind digging them out of the sub-basement after a fire...
Home storage is common, but a big security risk. Consider a safty deposit box at a bank. It's cheap and pretty safe.

And most important: plan on taking a tape and doing a test restore every month or so. I have seen a couple of situations where the backups were bad and there was no indication from the backup logs. Restoring a few files will confirm that it's working. And do check the backup logs every week or two. It's easy to think that everything is getting backed up when it turns out that users or servers have files open and locked that they are being skipped.

Whew! I hope some of this is useful...

Thanks,
Christian

I have only one thing to add to what's already been suggested regarding anti-virus software: the software should be set up to automatically update virus definitions AT LEAST weekly.

This is what I recommend for backups, assuming you're backing up to a tape drive or other rewritable media:

Backup tapes should be stored in an off-site facility or a fireproof safe until they are needed.

I recommend an annual backup rotation using tapes with these labels:

Monday
Tuesday
Wednesday
Thursday
Friday-1
Friday-2
Friday-3
Friday-4
Month-1
Month-2
Month-3
Month-4
Month-5
Month-6
Month-7
Month-8
Month-9
Month-10
Month-11
Yearly

Tapes labeled Monday through Thursday are used each week on the appropriate day. Tapes labeled Friday-1 through Friday-4 are used each Friday based on the week of the month. Tapes labeled Month-1 through Month-11 are used on the last Friday of each month, January through November (in a month with four Fridays, the Friday-4 tape would not be used – the monthly tape would be used instead). The Yearly tape should be used in December, labeled for the year of use, and retained for at least five years. A different Yearly tape would be used the following year.

-- Robert

If you are pulling definiions across your lan I would be updating daily..

Protecting against viruses, especially if you are running Microsoft Windows as your Operating System can feel like a job unto itself sometimes. Here are some guidelines that I received from a seminar I just attended:

Make sure that you have the most recent patches installed - many worms and viruses take advantage of vulnerabilities in Windows

If you are connected to the Internet, consider closing TCP/UDP ports that are NOT being used

As others have emphasised, keep your anti-virus software and it's virus definations files up to date - update them at least once a week.

Keep a reasonably password policy > 4 characters, mix in at least a number of a special character (ex. $%!@, etc)

Depending upon business need, you might want to consider having your email server block certain types of attached files

Train your users NOT to open unexpected attachments

Keep up on what's going on with viruses - your anti-virus software vendor usually has that info on their website.

Whew....that's a-lot, I know. But, it's better than the pain of a Blaster virus taking your productivity for a week.... or more....

Backups, as another has said, it's a matter of what's your business need or level of pain. How much information can you afford to lose? We do daily backups of mission critical information and weekly backups of the rest of the files. We also take one set of tapes off-site a week, rotating them so just in case something should happen....

Hope some of this helps....

[font face='Arial' size='2' color='Black']The information provided in this post has been wonderfully informative. Thanks! Now I have a couple of questions - [/font]
[*]where do you store your original software/manuals, etc.?[/*][*]do most software vendors replace software if it is destroyed in a fire/tornado/etc.? (assuming you have a current maintenance/support agreement)[/*]
[font face='Arial' size='2' color='Black']We are currently in a building that was damaged in a tornado approx. 3 years ago (we were not here when it was hit). If another tornado damages this building (or fire or whatever) what are some steps to take to start the recovery process?
Thanks in advance for sharing your expertise![/font]

If you are in tornado alley having local remote copies of any docs/sfotware may not help as the bank and safe storage places can get whacked too..
I would look to have the docs in digital form burned on a CD with copies and all the software used and store it in a remote location which is not tornado prone..
the problem you will run into is after a tornado cut it's swathe of destruction. The lack of infrastructure in generalr create the bigeest issue ..
Even if you got the network up in 5 minutes it means nothing if the power and phones are knocked out..
Maybe ask the local red cross if they know if any local tornado (proof) facilites where you can store a recover box of stuff..

where do you store your original software/manuals, etc.?

I have them in html on a remote virtual server on the web .. but no passwords etc..
Passwords are soted in another of site lcoation..
Also a CD rom with all the docs etc is stored with the passwords..
my smaller client have a crash box with all the cdroms and stuff stored in the CFO home and in one case it stored in another office location in a secure area..


do most software vendors replace software if it is destroyed in a fire/tornado/etc.? (assuming you have a current maintenance/support agreement
yes but you may have pay a media fee for the replaced CD