WithPCI.com

5.2.3 Any system components that are not at risk for malware are evaluated periodically to include the following:

Original requirement from PCI DSS v4.0.1

Defined Approach Requirements

5.2.3 Any system components that are not at risk for malware are evaluated periodically to include the following:

  • A documented list of all system components not at risk for malware.
  • Identification and evaluation of evolving malware threats for those system components.
  • Confirmation whether such system components continue to not require anti-malware protection.

Customized Approach Objective

The entity maintains awareness of evolving malware threats to ensure that any systems not protected from malware are not at risk of infection.

Applicability Notes

System components covered by this requirement are those for which there is no anti-malware solution deployed per Requirement 5.2.1.

Defined Approach Testing Procedures

5.2.3.a Examine documented policies and procedures to verify that a process is defined for periodic evaluations of any system components that are not at risk for malware that includes all elements specified in this requirement.

5.2.3.b Interview personnel to verify that the evaluations include all elements specified in this requirement.

5.2.3.c Examine the list of system components identified as not at risk of malware and compare to the system components without an anti-malware solution deployed per Requirement 5.2.1 to verify that the system components match for both requirements.

Purpose

Certain systems, at a given point in time, may not currently be commonly targeted or affected by malware. However, industry trends for malware can change quickly, so it is important for organizations to be aware of new malware that might affect their systems, for example by monitoring vendor security notices and anti-malware forums to determine whether their systems might be coming under threat from new and evolving malware.

Good Practice

If an entity determines that a particular system is not susceptible to any malware, the determination should be supported by industry evidence, vendor resources, and best practices.

The following steps can help entities during their periodic evaluations:

  • Identification of all system types previously determined to not require malware protection.
  • Review of industry vulnerability alerts and notices to determine if new threats exist for any identified system.
  • A documented conclusion about whether the system types remain not susceptible to malware.
  • A strategy to add malware protection for any system types for which malware protection has become necessary.

Trends in malware should be included in the identification of new security vulnerabilities at Requirement 6.3.1, and methods to address new trends should be incorporated into the entity's configuration standards and protection mechanisms as needed.
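The evaluation steps above and testing procedure 5.2.3.c both reduce to the same check: the documented "not at risk" list must match the set of in-scope components with no anti-malware deployed under 5.2.1, every entry must carry a recent evaluation, and any entry whose latest conclusion is "now susceptible" must be scheduled for protection. The following script is an added illustration of that reconciliation and is not part of the PCI DSS text or of WithPCI; the inventory, exemption records, hostnames, the 365-day review interval and the field names are all constructed for the example.

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Component:
    """One in-scope system component from the asset inventory (constructed)."""
    hostname: str
    platform: str
    anti_malware_deployed: bool   # True if protected per Requirement 5.2.1


@dataclass(frozen=True)
class Exemption:
    """One entry on the documented 'not at risk for malware' list (constructed)."""
    hostname: str
    platform: str
    justification: str            # vendor/industry evidence supporting the exemption
    last_evaluated: date          # date of the most recent periodic evaluation
    still_not_at_risk: bool       # conclusion of that evaluation


# Constructed sample inventory; these are not real systems.
INVENTORY = [
    Component("pos-01", "Windows 10", True),
    Component("db-01", "RHEL 9", True),
    Component("mainframe-01", "z/OS", False),
    Component("fw-01", "Appliance firmware", False),
    Component("switch-01", "Network switch firmware", False),
]

# Constructed sample 'not at risk' list, deliberately containing the common defects.
EXEMPTIONS = [
    Exemption("mainframe-01", "z/OS", "vendor guidance reviewed", date(2024, 11, 1), True),
    Exemption("fw-01", "Appliance firmware", "vendor advisory reviewed", date(2024, 2, 15), True),
    Exemption("db-01", "RHEL 9", "legacy entry", date(2024, 11, 1), True),
    Exemption("hsm-01", "HSM firmware", "vendor advisory reviewed", date(2024, 11, 1), False),
]


def reconcile(inventory, exemptions, today, max_age_days=365):
    """Compare the exemption list against the inventory (the 5.2.3.c check) and
    flag stale or overturned evaluations. Returns a dict of finding lists; an
    empty list for every key means the two requirements agree."""
    unprotected = {c.hostname for c in inventory if not c.anti_malware_deployed}
    protected = {c.hostname for c in inventory if c.anti_malware_deployed}
    listed = {e.hostname for e in exemptions}
    return {
        # No anti-malware deployed but not on the list: undocumented exemption.
        "unprotected_not_listed": sorted(unprotected - listed),
        # On the list but actually protected: list is out of date.
        "listed_but_protected": sorted(listed & protected),
        # On the list but not in the inventory: orphaned entry.
        "listed_not_in_inventory": sorted(listed - protected - unprotected),
        # Evaluation older than the review interval (assumed 365 days here).
        "stale_evaluation": sorted(
            e.hostname for e in exemptions
            if (today - e.last_evaluated).days > max_age_days
        ),
        # Latest evaluation concluded the system is now susceptible.
        "needs_protection": sorted(
            e.hostname for e in exemptions if not e.still_not_at_risk
        ),
    }


def is_consistent(findings):
    """True only when every finding list is empty."""
    return not any(findings.values())


def sample_findings():
    """Run the reconciliation on the constructed data with a fixed review date."""
    return reconcile(INVENTORY, EXEMPTIONS, today=date(2025, 3, 1))


if __name__ == "__main__":
    for category, hosts in sample_findings().items():
        print(f"{category}: {', '.join(hosts) or '-'}")
```

Run against the constructed data, the script reports switch-01 as unprotected but undocumented, db-01 as listed but already protected, hsm-01 as an orphaned entry whose last evaluation also concluded it now needs protection, and fw-01 as overdue for review. Each of those lines is something an assessor following 5.2.3.c would ask about, so running this kind of reconciliation before the assessment, on a schedule matching the documented evaluation frequency, is the practical way to keep the 5.2.1 and 5.2.3 records aligned.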

Sub Requirements

purpose

Confirm, on a defined periodic basis, that every system component left without anti-malware protection remains not at risk from malware, and keep documented evidence of that conclusion.

compliance strategies

  • Documented list of components not at risk, reconciled against the systems without anti-malware deployed per Requirement 5.2.1
  • Periodic review of vendor notices and industry malware alerts for those component types
  • Documented conclusion for each component type, with a plan to add protection where it has become necessary

typical policies

  • Anti-Malware Exemption (Not-at-Risk Systems) Policy

common pitfalls

  • Exemption list that does not match the set of systems without anti-malware under 5.2.1
  • Evaluations that are informal or undocumented, with no defined frequency
  • No strategy for adding protection once a previously exempt system type becomes susceptible

type

Technical Control

difficulty

Moderate

key risks

  • Unprotected systems remaining exposed as malware threats evolve

recommendations

  • Define the evaluation frequency in policy, record each review with its supporting evidence, and feed new malware trends into vulnerability identification under Requirement 6.3.1

Eligible SAQ

  • SAQ-A-EP
  • SAQ-C
  • SAQ-D MERCHANT
  • SAQ-D SERVICE PROVIDER
