Академический Документы
Профессиональный Документы
Культура Документы
Audit/Assurance Program
VMware® Server Virtualization Audit/Assurance Program
ISACA®
With 95,000 constituents in 160 countries, ISACA (www.isaca.org) is a leading global provider of knowledge,
certifications, community, advocacy and education on information systems (IS) assurance and security, enterprise
governance and management of IT, and IT-related risk and compliance. Founded in 1969, the nonprofit, independent
ISACA hosts international conferences, publishes the ISACA® Journal, and develops international IS auditing and
control standards, which help its constituents ensure trust in, and value from, information systems. It also advances
and attests IT skills and knowledge through the globally respected Certified Information Systems Auditor® (CISA®),
Certified Information Security Manager® (CISM®), Certified in the Governance of Enterprise IT® (CGEIT®) and
Certified in Risk and Information Systems Control™ (CRISC™) designations. ISACA continually updates COBIT®,
which helps IT professionals and enterprise leaders fulfill their IT governance and management responsibilities,
particularly in the areas of assurance, security, risk and control, and deliver value to the business.
Disclaimer
ISACA has designed and created VMware® Server Virtualization Audit/Assurance Program (the “Work”) primarily
as an educational resource for audit and assurance professionals. ISACA makes no claim that use of any of the Work
will assure a successful outcome. The Work should not be considered inclusive of all proper information, procedures
and tests or exclusive of other information, procedures and tests that are reasonably directed to obtaining the same
results. In determining the propriety of any specific information, procedure or test, audit and assurance professionals
should apply their own professional judgment to the specific circumstances presented by the particular systems or IT
environment.
Reservation of Rights
© 2011 ISACA. All rights reserved. No part of this publication may be used, copied, reproduced, modified,
distributed, displayed, stored in a retrieval system or transmitted in any form by any means (electronic, mechanical,
photocopying, recording or otherwise) without the prior written authorization of ISACA. Reproduction and use of
all or portions of this publication are permitted solely for academic, internal and noncommercial use and for
consulting/advisory engagements and must include full attribution of the material’s source. No other right or
permission is granted with respect to this work.
ISACA
3701 Algonquin Road, Suite 1010
Rolling Meadows, IL 60008 USA
Phone: +1.847.253.1545
Fax: +1.847.253.1443
E-mail: info@isaca.org
Web site: www.isaca.org
ISBN 978-1-60420-179-6
VMware ®Server Virtualization Audit/Assurance Program
CRISC is a trademark/service mark of ISACA. The mark has been applied for or registered in countries throughout
the world.
ISACA wishes to recognize:
Author
Jeff Kalwerisky, CISA, CA (SA), HISP, CPEinteractive, Inc., USA
Expert Reviewers
Madhav Chablani, CISA, CISM, TippingPoint Consulting, India
Curt Hartinger, CISA, CISM, CPA, GSNA, MSIA, Office of the State Treasurer, USA
Aurelio Jaimes, CISA, Mexico
Prashant A. Khopkar, CISA, CA, Grant Thornton, LLP, USA
K. K. Mookhey, CISA, CISM, CISSP, Network Intelligence India Pvt. Ltd., India
Philippe Rivest, CISA, CEH, CISSP, TransForce, Canada
Vipin Sehgal, CISA, Sun Life Financial, Canada
Vinoth Sivasubramanian, ABRCCI, CEH, ISO 27001 LA, ITIL V3, UAE Exchange Center LLC, UAE
Knowledge Board
Gregory T. Grocholski, CISA, The Dow Chemical Co., USA, Chair
Michael Berardi Jr., CISA, CGEIT, Nestle USA, USA
John Ho Chi, CISA, CISM, CBCP, CFE, Ernst & Young LLP, Singapore
Jose Angel Pena Ibarra, CGEIT, Alintec S.A., Mexico
Jo Stewart-Rattray, CISA, CISM, CGEIT, CSEPS, RSM Bird Cameron, Australia
Jon Singleton, CISA, FCA, Auditor General of Manitoba (retired), Canada
Patrick Stachtchenko, CISA, CGEIT, CA, Stachtchenko & Associates SAS, France
Kenneth L. Vander Wal, CISA, CPA, Ernst & Young LLP (retired), USA
ASIS International
The Center for Internet Security
Commonwealth Association for Corporate Governance Inc.
FIDA Inform
Information Security Forum
Information Systems Security Association
Institut de la Gouvernance des Systèmes d’Information
Institute of Management Accountants Inc.
ISACA chapters
ITGI Japan
Norwich University
Solvay Brussels School of Economics and Management
University of Antwerp Management School
ASI System Integration
Hewlett-Packard
IBM
SOAProjects Inc.
Symantec Corp.
TruArx Inc.
Table of Contents
ISACA wishes to recognize:.......................................................................................................................3
I. Introduction.............................................................................................................................................4
II. Using This Document............................................................................................................................5
III. Controls Maturity Analysis...................................................................................................................8
IV. Assurance and Control Framework .....................................................................................................9
V. Executive Summary of Audit/Assurance Focus...................................................................................11
VI. Audit/Assurance Program...................................................................................................................14
1. Planning and Scoping the Audit...........................................................................................................14
2. Governance of the virtualized environment...........................................................................................15
3. PreFieldwork Preparation.....................................................................................................................19
4. VMware virtualized environment..........................................................................................................20
5. compliance.............................................................................................................................................26
VII. Maturity Assessment.........................................................................................................................27
VIII. Assessment Maturity vs. Target Maturity........................................................................................34
Appendix A. Virtualization Architecture..................................................................................................35
Appendix B. VMware Performance Metrics............................................................................................36
I. Introduction
Overview
ISACA has developed the IT Assurance Framework (ITAF) as a comprehensive and good-practice-
setting model. ITAF provides standards that are designed to be mandatory and that are the guiding
principles under which the IT audit and assurance profession operates. The guidelines provide
information and direction for the practice of IT audit and assurance. The tools and techniques provide
methodologies, tools and templates to provide direction in the application of IT audit and assurance
processes.
Purpose
The audit/assurance program is a tool and template to be used as a road map for the completion of a
specific assurance process. ISACA has commissioned audit/assurance programs to be developed for use
by IT audit and assurance practitioners. This audit/assurance program is intended to be utilized by IT
audit and assurance professionals with the requisite knowledge of the subject matter under review, as
described in ITAF section 2200—General Standards. The audit/assurance programs are part of ITAF
section 4000—IT Assurance Tools and Techniques.
Control Framework
The audit/assurance programs have been developed in alignment with the ISACA COBIT framework—
specifically COBIT 4.1—using generally applicable and accepted good practices. They reflect ITAF
sections 3400—IT Management Processes, 3600—IT Audit and Assurance Processes, and 3800—IT
Audit and Assurance Management.
Many organizations have embraced several frameworks at an enterprise level, including the Committee of
Sponsoring Organizations of the Treadway Commission (COSO) Internal Control Framework. The
importance of the control framework has been enhanced due to regulatory requirements by the US
Securities and Exchange Commission (SEC) as directed by the US Sarbanes-Oxley Act of 2002 and
similar legislation in other countries. Enterprises seek to integrate control framework elements used by
the general audit/assurance team into the IT audit and assurance framework. Since COSO is widely used,
it has been selected for inclusion in this audit/assurance program. The reviewer may delete or rename
these columns to align with the enterprise’s control framework.
Step 1 is part of the fact-gathering and prefieldwork preparation. Because the prefieldwork is essential to
a successful and professional review, the steps have been itemized in this plan. The first level steps, e.g.,
1.1, are shown in bold type and provide the reviewer with a scope or high-level explanation of the
purpose for the substeps.
Beginning in step 2, the steps associated with the work program are itemized. To simplify the use of the
program, the audit/assurance program describes the audit/assurance objective—the reason for performing
the steps in the topic area; the specific controls follow. Each review step is listed below the control. These
steps may include assessing the control design by walking through a process, interviewing, observing or
otherwise verifying the process and the controls that address that process. In many cases, once the control
design has been verified, specific tests need to be performed to provide assurance that the process
associated with the control is being followed.
The maturity assessment, which is described in more detail later in this document, makes up the last
section of the program.
The audit/assurance plan wrap-up—those processes associated with the completion and review of work
papers, preparation of issues and recommendations, report writing, and report clearing—has been
excluded from this document because it is standard for the audit/assurance function and should be
identified elsewhere in the enterprise’s standards.
COBIT Cross-reference
The COBIT cross-reference provides the audit and assurance professional with the ability to refer to the
specific COBIT control objective that supports the audit/assurance step. The COBIT control objective
should be identified for each audit/assurance step in the section. Multiple cross-references are not
uncommon. Processes at lower levels in the work program are too granular to be cross-referenced to
COBIT. The audit/assurance program is organized in a manner to facilitate an evaluation through a
structure parallel to the development process. COBIT provides in-depth control objectives and suggested
control practices at each level. As professionals review each control, they should refer to COBIT® 4.1 or
the IT Assurance Guide: Using COBIT® for good-practice control guidance.
COSO Components
As noted in the introduction, COSO and similar frameworks have become increasingly popular among
audit/assurance professionals. This ties the assurance work to the enterprise’s control framework. While
the IT audit and assurance function uses COBIT as a framework, operational audit and assurance
professionals use the framework established by the enterprise. Since COSO is the most prevalent internal
control framework, it has been included in this document and is a bridge to align IT audit and assurance
with the rest of the audit/assurance function. Many audit/assurance organizations include the COSO
control components within their reports and summarize assurance activities to the audit committee of the
board of directors.
For each control, the audit and assurance professional should indicate the COSO component(s) addressed.
It is possible, but generally not necessary, to extend this analysis to the specific audit step level.
The original COSO internal control framework contained five components. In 2004, COSO was revised
as the Enterprise Risk Management (ERM) Integrated Framework and extended to eight components. The
primary difference between the two frameworks is the additional focus on ERM and integration into the
business decision model. ERM is in the process of being adopted by large enterprises. The two
frameworks are compared in Figure 1.
The original COSO internal control framework addresses the needs of the IT audit and assurance
professional: control environment, risk assessment, control activities, information and communication,
and monitoring. As such, ISACA has elected to utilize the five-component model for these audit/
assurance programs. As more enterprises implement the ERM model, the additional three columns can be
added, if relevant. When completing the COSO component columns, consider the definitions of the
components as described in figure 1.
Reference/Hyperlink
Good practices require the audit and assurance professional to create a work paper that describes the work
performed, issues identified and conclusions for each line item. The reference/hyperlink is to be used to
cross-reference the audit/assurance step to the work paper that supports it. The numbering system of this
document provides a ready numbering scheme for the work papers. If desired, a link to the work paper
can be pasted into this column.
Issue Cross-reference
This column can be used to flag a finding/issue that the IT audit and assurance professional wants to
further investigate or establish as a potential finding. The potential findings should be documented in a
work paper that indicates the disposition of the findings (formally reported, reported as a memo or verbal
finding, or waived).
Comments
The comments column can be used to indicate the waiving of a step or other notations. It is not to be used
in place of a work paper that describes the work performed.
IT Assurance Guide Using COBIT Appendix VII—Maturity Model for Internal Control, shown in figure
2, provides a generic maturity model that shows the status of the internal control environment and the
establishment of internal controls in an enterprise. It shows how the management of internal control, and
an awareness of the need to establish better internal controls, typically develops from an ad hoc to an
optimized level. The model provides a high-level guide to help COBIT users appreciate what is required
for effective internal controls in IT and to help position their enterprise on the maturity scale.
4 Managed and There is an effective internal control and risk management IT process criticality is regularly defined with full support
Measurable environment. A formal, documented evaluation of controls and agreement from the relevant business process owners.
occurs frequently. Many controls are automated and regularly Assessment of control requirements is based on policy and
reviewed. Management is likely to detect most control issues, the actual maturity of these processes, following a thorough
but not all issues are routinely identified. There is consistent and measured analysis involving key stakeholders.
follow-up to address identified control weaknesses. A Accountability for these assessments is clear and enforced.
limited, tactical use of technology is applied to automate Improvement strategies are supported by business cases.
controls. Performance in achieving the desired outcomes is
consistently monitored. External control reviews are
organized occasionally.
5 Optimized An enterprise-wide risk and control program provides Business changes consider the criticality of IT processes and
continuous and effective control and risk issues resolution. cover any need to reassess process control capability. IT
Internal control and risk management are integrated with process owners regularly perform self-assessments to confirm
enterprise practices, supported with automated real-time that controls are at the right level of maturity to meet business
monitoring with full accountability for control monitoring, needs and they consider maturity attributes to find ways to
risk management and compliance enforcement. Control make controls more efficient and effective. The organization
evaluation is continuous, based on self-assessments and gap benchmarks to external best practices and seeks external
and root cause analyses. Employees are proactively involved advice on internal control effectiveness. For critical
in control improvements. processes, independent reviews take place to provide
assurance that the controls are at the desired level of maturity
and working as planned.
The maturity model evaluation is one of the final steps in the evaluation process. The IT audit and
assurance professional can address the key controls within the scope of the work program and formulate
an objective assessment of the maturity levels of the control practices. The maturity assessment can be a
part of the audit/assurance report and can be used as a metric from year to year to document progression
in the enhancement of controls. However, it must be noted that the perception of the maturity level may
vary between the process/IT asset owner and the auditor. Therefore, an auditor should obtain the
concerned stakeholder’s concurrence before submitting the final report to management.
At the conclusion of the review, once all findings and recommendations are completed, the professional
assesses the current state of the COBIT control framework and assigns it a maturity level using the six-
level scale. Some practitioners utilize decimals (x.25, x.5, x.75) to indicate gradations in the maturity
model. As a further reference, COBIT provides a definition of the maturity designations by control
objective. While this approach is not mandatory, the process is provided as a separate section at the end of
the audit/assurance program for those enterprises that wish to implement it. It is suggested that a maturity
assessment be made at the COBIT control level. To provide further value to the client/customer, the
professional can also obtain maturity targets from the client/customer. Using the assessed and target
maturity levels, the professional can create an effective graphic presentation that describes the
achievement or gaps between the actual and targeted maturity goals. A graphic is provided as the last
page of the document (section VIII), based on sample assessments.
Utilizing COBIT as the control framework from which IT audit and assurance activities are based aligns
IT audit and assurance with good practices as developed by the enterprise.
Refer to ISACA publication COBIT® Control Practices: Guidance to Achieve Control Objectives for
Successful IT Governance, 2nd Edition, published in 2007, for the related control practice value and risk
drivers.
Each such “guest” OS, called a virtual machine (VM), appears to have access to and control of the
host’s resources—the central processor, memory, disk storage, network, etc.—to itself. In fact, the
hypervisor is actually in control of the host processor and its resources, allocating these limited resources
to each VM, as needed. Resources not needed by a VM at a point in time can be allocated to another
running VM. In this way, multiple VMs coexist simultaneously on a single hardware platform. The
hypervisor also ensures that these VMs can neither “see” nor disrupt one other. A more detailed
description of the VMware ESX® virtualization architecture is included as Appendix A. Virtualization
Architecture.
As such, virtualization is used to streamline insourced IT operations and to reduce costs. Outsourced IT
servicers utilize virtualization to maximum operational efficiencies for their customers. In fact, cloud
computing is almost exclusively a virtualized environment.
However, deploying a virtualized environment also exposes the enterprise to a series of new business and
technology risks. These include:
• Reduction in security if information security specialists are not involved in planning and deployment
• A successful compromise of the virtualization layer can result in compromise of all hosted virtual
machines and applications
• Guest machines of different (higher and lower) trust levels may be hosted on a single physical server
with insufficient separation
• Inadequate controls over administrative access to the hypervisor can allow unauthorized access to
applications running on virtual hosts
• Ease of creating VMs may result in reduction in controls over deployment, such as deviations from
baseline configurations and security
• Administrators may not be knowledgeable about exploits which specifically target VM environments
• Inadequate or insufficient tools available for proper monitoring of the virtualized environment
• Inadequate training of administrators in virtualization technologies and problems
• Compromised system security and confidentiality
• Invalid transactions or transactions processed incorrectly
• Costly compensating controls
• Reduced system availability and questionable integrity of information
• Failure to respond to relationship issues with optimal and approved decisions
• Insufficient allocation of resources
• Unclear responsibilities and accountabilities
• Inaccurate billings for use of IT resources
• Inability to satisfy the audit/assurance charter and requirements of regulators or external auditors
resulting in noncompliance with regulatory requirements and security breaches leading to lost
productivity, reputation loss and remediation costs
Scope—The review will focus on the governance, configuration and management of the relevant
VMware virtualized servers in the enterprise, with emphasis on control issues specific to virtualized
environments.
The selection of specific applications, functions and servers will be based on the risks introduced to the
enterprise by these systems.
The VMware server virtualization audit/assurance review is not designed to replace or focus on audits
that provide assurance of specific application processes and excludes assurance of an application’s
functionality and suitability.
Since the areas under review rely heavily on the effectiveness of core IT general controls, it is
recommended that audit/assurance reviews of the following areas be performed prior to the execution of
the VMware server virtualization review so that appropriate reliance can be placed on these assessments:
• Identity management as it applies to the VMware environment, i.e., privileged VMware users, user
access to VMs, etc.
• Security incident management
• Secure architecture, including virtualized servers and server farms and network security
• Systems development—Test environments are typically hosted on virtualized servers for ease of
testing and recovery after crashes.
• Risk management
• Vulnerability management and testing
• Cryptographic controls and associated key management
The audit and assurance professional should be cautioned not to attempt to conduct an audit/assurance
review of VMware environments utilizing this program as a checklist.
It should not be assumed that an audit and assurance professional holding the CISA designation alone has
the requisite skills to perform this review.
CommunicationInformation and
Risk Assessment
Referenc Issue
Control Environment
Control Activities
COBIT e Cross- Comments
Monitoring
Audit/Assurance Program Step Cross- Hyper- reference
reference link
COSO
CommunicationInformation and
Risk Assessment
Referenc Issue
Control Environment
Control Activities
COBIT e Cross- Comments
Monitoring
Audit/Assurance Program Step Cross- Hyper- reference
reference link
will result.
1.4.1 Identify the senior IT assurance resource responsible for the review.
1.4.2 Establish the process for suggesting and implementing changes to the audit/assurance
program and the authorizations required.
1.5 Define assignment success.
The success factors need to be identified. Communication among the IT audit/assurance team, other
assurance teams and the enterprise is essential.
1.5.1 Identify the drivers for a successful review (this should exist in the assurance function’s
standards and procedures).
1.5.2 Communicate success attributes to the process owner or stakeholder, and obtain agreement.
1.6 Define the audit/assurance resources required.
The resources required are defined in the introduction to this audit/assurance program.
1.6.1 Determine the audit/assurance skills necessary for the review.
1.6.2 Estimate the total resources (hours) and time frame (start and end dates) required for the
review.
1.7 Define deliverables.
The deliverable is not limited to the final report. Communication between the audit/assurance teams
and the process owner is essential to assignment success.
1.7.1 Determine the interim deliverables, including initial findings, status reports, draft reports, due
dates for responses or meetings, and the final report.
1.8 Communicate.
The audit/assurance process must be clearly communicated to the customer/client.
1.8.1 Conduct an opening conference to discuss:
• Review objectives with the stakeholders
• Documents and information security resources required to perform an effective review
• Timelines and deliverables
2. GOVERNANCE OF THE VIRTUALIZED ENVIRONMENT
2.1 Governance and Enterprise Risk Management (ERM)
Governance
Audit/Assurance Objective: Governance functions are established to ensure effective and sustainable
© 2011 ISACA. All rights reserved. Page 15
VMware® Server Virtualization Audit/Assurance Program
COSO
CommunicationInformation and
Risk Assessment
Referenc Issue
Control Environment
Control Activities
COBIT e Cross- Comments
Monitoring
Audit/Assurance Program Step Cross- Hyper- reference
reference link
management processes that result in transparency of business decisions, clear lines of responsibility,
information security in alignment with regulatory and customer organization standards, and
accountability.
Governance Model DS5.1
ME1.5
Control: The organization has mechanisms in place to identify all providers and brokers of
ME4.1
virtualization technologies currently used across the enterprise. The organization ensures that IT X X X X
ME4.2
architecture, network and information security units actively participate in the governance and
policy activities to align business objectives and information security capabilities of
virtualization technology/ies with those of the organization.
1.1.1.1 Determine if IT management and information security have deployed a formal
governance framework related to virtualization including appropriate monitoring
processes.
1.1.1.2 Determine if the IT and information security functions are actively involved in the
decision-making process associated with the virtualized environment.
1.1.1.3 Determine if the enterprise has identified control objectives for the virtualized
environment.
1.1.1.4 Determine if the organization maintains a properly labeled inventory of all
virtualized servers and OSs.
Information Security Collaboration PO4.5
PO4.6
Control: Both parties define the reporting relationship and responsibilities.
AI3.2
X X X X
DS2.2
DS5.1
ME2.1\
1.1.1.5 Determine if the responsibilities for governance are documented and approved by
relevant enterprise or IT management.
1.1.1.6 Determine if the information security function has performed a risk assessment of
the use of virtualization technology against the organization’s information
security policies and the threats, vulnerabilities and IT risks associated with the
transition to a virtualized environment.
ERM
Audit/Assurance Objective: Risk management practices are implemented to evaluate inherent risks
COSO
CommunicationInformation and
Risk Assessment
Referenc Issue
Control Environment
Control Activities
COBIT e Cross- Comments
Monitoring
Audit/Assurance Program Step Cross- Hyper- reference
reference link
within the virtualized environment, identify appropriate control mechanisms and ensure that residual
risk is within acceptable levels.
Identification of Risks PO9.3
PO9.5
Control: The risk management process provides a thorough assessment of the risks to the
AI6.2 X X X
business from implementing a virtualized environment and is aligned to ERM, if applicable.
ME4.2
ME4.5
1.1.1.7 Determine if the organization has an ERM model.
1.1.1.8 If an ERM model has been implemented, determine if the risk assessment of the use
of virtualization technology is aligned with the enterprise’s ERM.
1.1.1.9 Determine whether the decision to use virtualization technology will limit the
availability or execution of required information security activities, such as:
• Vulnerability assessments and penetration testing
• Availability of audit logs
• Access to activity monitoring reports
• Segregation of duties (SoD)
1.1.1.10 Determine if the risk management approach includes the following:
• Identification and valuation of virtualized assets and applications
• Identification and analysis of threats and vulnerabilities to the virtualized
environment with their potential impact on assets
• Analysis of the likelihood of adverse events using a scenario approach
• Documented management approval of risk acceptance levels and criteria
• Risk action plans (control, avoid, transfer, accept)
1.1.1.11 Determine if the assets identified in the risk assessment included all virtualized
assets and if the information security classifications used in the risk assessments
are aligned with the ERM.
1.1.1.12 Determine if the risk assessment includes the capabilities and financial condition
of the (or each) vendor involved in providing virtualization capabilities to the
enterprise.
Acceptance of Risk PO9.4 X X
PO9.5
Control: Risk acceptance is approved by a member of management with the authority to accept
AI1.3
© 2011 ISACA. All rights reserved. Page 17
VMware® Server Virtualization Audit/Assurance Program
COSO
CommunicationInformation and
Risk Assessment
Referenc Issue
Control Environment
Control Activities
COBIT e Cross- Comments
Monitoring
Audit/Assurance Program Step Cross- Hyper- reference
reference link
the risk on behalf of the organization and who understands the implications of the decision. ME4.5
1.1.1.13 Determine if management has performed an analysis of its quantification and
acceptance of residual risk prior to implementing a VMware environment.
1.1.1.14 Determine if the individual accepting such risk has the authority to make this
decision.
Information Risk Management
Audit/Assurance Objective: A process to manage information risk exists and is integrated into the
organization’s overall ERM framework. Information risk management information and metrics are
available for the information security function to manage risks within the risk tolerance of the data
owner.
Risk Management Framework and Maturity Model PO9.1
PO9.2
Control: A risk management framework and a maturity model have been implemented to
PO9.4 X X X
quantify risk and assess the effectiveness of the risk model.
DS5.1
ME4.5
1.1.1.15 Determine if a risk framework has been identified and approved.
1.1.1.16 Determine if a maturity model is used to assess the effectiveness.
1.1.1.17 Review the maturity model results, and determine if the lack of maturity
materially affects the audit objectives.
Risk Management Controls PO9.4
PO9.5 X X X
Control: Risk management controls are in effect to manage risk-based decisions.
PO9.6
1.1.1.18 Identify the technology controls and contractual requirements necessary to make
fact-based information risk decisions. Consider:
• Use of information
• Access controls
• Security controls
• Physical security controls
• Privacy and data leak protection (DLP) controls
1.1.1.19 Ensure that the organization has clearly defined service levels for performance,
security and availability for the virtualized environment.
© 2011 ISACA. All rights reserved. Page 18
VMware® Server Virtualization Audit/Assurance Program
COSO
CommunicationInformation and
Risk Assessment
Referenc Issue
Control Environment
Control Activities
COBIT e Cross- Comments
Monitoring
Audit/Assurance Program Step Cross- Hyper- reference
reference link
1.1.1.20 Obtain the analytical data requirements, and determine whether the organization
routinely monitors and evaluates them against expectations.
1.1.1.21 Determine whether the organization has identified the information available and
the control practices necessary to manage the virtualized environment that
address availability, confidentiality, data ownership, e-discovery, privacy and
legal issues.
1.1.1.22 Determine whether the organization has established suitable monitoring practices
to identify risk issues.
1.1.1.23 Determine whether the organization has identified and monitors the control and
security processes in a virtualized environment necessary to provide for secure
operations.
1.1.1.24 Determine if the VMware server virtualized environment provides appropriate
metrics and controls to assist in implementing information risk management
requirements.
3. PREFIELDWORK PREPARATION
3.1 Obtain and review the current organizational chart for the management and security
functions of the VMware ESX/ESXi™ operating environment.
Determine whether an audit of the VMware ESX environment has been performed.
3.1.1 If an audit had been performed, obtain the work papers for the previous audit.
Review the security configuration, and determine if identified issues have been corrected.
Determine the specific version of the VMware hypervisor(s) installed, namely, VMware ESX,
VMware ESXi, or VMware Server.1
In the case of VMware Server, determine the host OS(s) and version(s), e.g., Windows®, Linux, or
UNIX® versions.
Determine and document the type of storage array available to VMware. Examples include:
• Internet Small Computer Systems Interface (iSCSI)
• Storage Attached Network (SAN)
• Network File System (NFS), on UNIX or Linux systems
1
Note: ESX and ESXi run directly on the hardware without an intervening OS, while VMware Server runs as a process under an existing OS. Security with ESXi needs more
(manual) attention than ESX.
© 2011 ISACA. All rights reserved. Page 19
VMware® Server Virtualization Audit/Assurance Program
COSO
CommunicationInformation and
Risk Assessment
Referenc Issue
Control Environment
Control Activities
COBIT e Cross- Comments
Monitoring
Audit/Assurance Program Step Cross- Hyper- reference
reference link
COSO
CommunicationInformation and
Risk Assessment
Referenc Issue
Control Environment
Control Activities
COBIT e Cross- Comments
Monitoring
Audit/Assurance Program Step Cross- Hyper- reference
reference link
iase.disa.mil/stigs/stig/esx_server_stig_v1r1_final.pdf
4.1.1.2 Using the ESXi console, press F2 to enter the Configuration screen and then choose the
appropriate menu option in each of the following cases.
Root Password
DS5.3 X
Control: The root password has been changed from the default value.
4.1.1.3 Select Configure Root Password, and verify that the root password is not set to any
default value, such as “root” or “admin.”
4.1.1.4 Determine that at least two suitable senior individuals in IT know the root password
and that they have been granted the privileged access on a “need to know” basis.
4.1.1.5 Determine that all such privileged users have their own individual local accounts.
4.1.1.6 Determine that a copy of the root password is securely stored under the control of a
suitable nonoperations management individual for use in an emergency.
Lockdown Mode AI3.2
Control: ESX is configured for maximum security. DS5.1 X
DS5.7
4.1.1.7 Select Configure Lockdown Mode, and determine if ESX is configured in Lockdown
Mode, which disables direct root access.
The ESXi shell is protected. AI3.2
Control: SSH access to the Busybox shell is not enabled.2 DS5.7 X
DS9.1
4.1.1.8 Determine that SSH access into the ESXi management console has NOT been enabled
(which compromises the security shell around the console tool.)
Adequate audit trails exist. AI6.4
X
Control: Remote logging is configured to log actions by privileged users. DS5.5
4.1.1.9 Determine that Remote Logging has been configured to capture events from the
following: (1) the VC, Lab, Site, LifeCycle and Update Manager hosts, and (2) the MS
Windows workstation from which the VIC, RCLI, and VI SDK applications are
launched.
2
When VMware ESXi boots, it starts Busybox, a Linux-like (more accurately POSIX) environment that provides a management appliance VM with several useful Linux tools.
© 2011 ISACA. All rights reserved. Page 21
VMware® Server Virtualization Audit/Assurance Program
COSO
CommunicationInformation and
Risk Assessment
Referenc Issue
Control Environment
Control Activities
COBIT e Cross- Comments
Monitoring
Audit/Assurance Program Step Cross- Hyper- reference
reference link
4.1.1.10 Determine that log files are protected against unauthorized changes: review security
policies, determine ownership of log files and access permissions, and which users
have access to the log files.
4.1.1.11 Determine that IT security regularly reviews log files for security anomalies,
preferably using a good practices software tool.
4.1.1.12 Determine that all log files are included in the normal backup and restore functions.
4.1.1.13 Determine that access is restricted to backup copies of log files, both onsite and
offsite.
The VMware ESX or ESXi hypervisor is regularly updated. AI6.1
Control: Appropriate patching procedures are in place and regularly activated. AI6.4 X
DS9.2
4.1.1.14 Examine documentary evidence that the enterprise monitors VMware security status
for current patches and regularly applies necessary patches using VMware Update
Manager (VUM).
4.1.1.15 Determine that VMware patching is included with the enterprise strategy for
deploying other patches in a safely tested and orderly fashion.
4.1.1.16 Obtain explanations for any recent VMware patches that have not been installed.
Separation of Management and Regular Functions DS5.10
Control: VMware ESX is configured with at least two networks: one for VMs and one for DS9.1 X
system management. DS9.2
4.1.1.17 Determine that a separate network is configured for VMware management by
reviewing the most current architecture diagram and capturing the relevant IP
addresses and network masks (to confirm that VMs are multi-homed.)
4.1.1.18 Determine that access to the management network is restricted to a limited number of
individuals strictly on a “need to know” basis.
The password database is protected. DS5.3
Control: Shadow passwords are implemented to prevent nonroot users from accessing user DS5.4
X
passwords. DS9.1
DS9.2
4.1.1.19 Determine that shadow passwords are enabled (this is a system default but may have
COSO
CommunicationInformation and
Risk Assessment
Referenc Issue
Control Environment
Control Activities
COBIT e Cross- Comments
Monitoring
Audit/Assurance Program Step Cross- Hyper- reference
reference link
been disabled).
4.1.1.20 Determine that access to the shadow password database is highly restricted as
required by the enterprise’s security policies.
The hardened status of the VMware ESX or ESXi environment is maintained. AI3.2
Control: IT security regularly assesses the current hardening status of the ESX/ESXi AI3.3
hypervisor, using good practices software tools. DS5.5 X
DS9.3
4.1.1.21 Determine that IT security regularly runs an assessment tool to identify anomalies
from the enterprise’s hardening standards.3
4.1.1.22 Determine that previously detected anomalies were documented, remediated, reported
to management and formally closed out.
4.2 Secure Storage
Audit/Assurance Objective: The virtualized environment is protected against unauthorized access to the
VMs’ disk files.
Disk storage is properly isolated. DS9.1
Control: The VM repository or datastore cannot be accessed directly by any VM. DS9.2 X
DS9.3
4.2.1.1 Determine, from architecture diagrams, that only virtualization hosts and VMware
Consolidated Backup (VCB) proxy servers can access VM repositories and datastores.
4.2.1.2 Determine that all network traffic to and from storage repositories is isolated from
nonstorage traffic.
4.2.1.3 If a VCB proxy server is in use, determine whether the communication from the VCB
server to the storage array is secure; suitable techniques include IPsec4 and CHAP5
authentication.
3
Examples of such tools include Bastille, Defense Information Systems Agency (DISA) Security Technical Implementation Guide (STIG) and Tripwire® ConfigCheck™.
4
Internet Protocol Security (Ipsec) is an end-to-end security protocol, operating in the Internet layer of the IP suite, which encrypts all packets of a communication session.
5
Challenge Handshake Authentication Protocol (CHAP) is used to validate the identity of remote clients by using a cryptographically strong three-way handshake.
© 2011 ISACA. All rights reserved. Page 23
VMware® Server Virtualization Audit/Assurance Program
COSO
CommunicationInformation and
Risk Assessment
Referenc Issue
Control Environment
Control Activities
COBIT e Cross- Comments
Monitoring
Audit/Assurance Program Step Cross- Hyper- reference
reference link
4.2.1.4 In the case of NFS, determine that appropriate security architecture exists:
• NFS traffic is isolated on its own set of physical switches.
• Access to the NFS server is restricted by specifying the actual IP addresses of the
ESX/ESXi kernel device dedicated to handling NFS traffic.
4.2.1.5 Determine that SSH is disabled on ESX and ESXi environments.
4.2.1.6 Determine from the latest architectural diagram that VMotion traffic is isolated from all
other traffic, e.g., on its own virtual LAN (VLAN).
4.2.1.7 Determine that VMs in a less trusted security zone (e.g., the demilitarized zone
[DMZ]) are not on the same hosts as VMs in more trusted security zones (e.g.,
production, test, quality assurance [QA], management)
4.3 Creation of VMs is controlled.
Audit/Assurance Objective: Appropriate procedural controls exist to ensure that all operating VMs are
properly authorized and configured.
VM Maintenance AI3.2
Control: Creation, modification and removal of VMs are reviewed and monitored and require AI3.3 X
appropriate authorizations. AI6.4
4.3.1.1 Determine that a formal review process is in place and operating to create, modify or
remove VMs. Gain a copy of the written policy and corresponding standard operating
procedure (SOP).
1.1.1.25 Gather a sample of documented VM changes, and compare to the documented
policy/SOP.
1.1.1.26 Determine whether one or more standard templates is used to configure new VMs
to enterprise standards for each class of server (Web, email, application,
database, etc.).
4.4 Propagation of VMs into production is adequately controlled.
Audit/Assurance Objective: Change control procedures are in place to provide assurance that VMs are
promoted into production only after being inspected for quality or security defects.
VM Change Management and Promotion to Production
AI3.3
Control: VM changes are subject to appropriate review and authorization prior to introduction into X
AI6.4
the production environment.
COSO
CommunicationInformation and
Risk Assessment
Referenc Issue
Control Environment
Control Activities
COBIT e Cross- Comments
Monitoring
Audit/Assurance Program Step Cross- Hyper- reference
reference link
4.4.1.1 Obtain a copy of the documented policy and procedures for promoting VMs into
production. Determine that relevant approvals are required and documented from
development, test and QA
4.4.1.2 Select a representative sample of VM promotions to production. Determine that
policies and procedures have been followed.
Promotions to production maintain required security. AI3.3
Control: VM changes/additions to production maintain appropriate security. AI6.4 X
DS5.7
4.4.1.3 Determine that no connectivity exists between VMs of different trust levels.
4.4.1.4 Determine that third-party tools (if any), such as performance monitors or intrusion
detection software, do not bridge trust zones in the virtualized environment.
4.4.1.5 Determine that the remote restart network is segmented from other networks.
4.4.1.6 Determine that remote-based domain controllers are installed with a dedicated modem
and telephone line that includes a password and dial-back feature to a specific
telephone number.
Capacity Planning
Audit/Assurance Objective: The enterprise regularly reviews the VMware virtualized environment
to identify current ant anticipated performance and capacity bottlenecks in a proactive manner.
A capacity planning tool, such as VMware Capacity Planner, is in use to monitor the VMware
environment’s current performance.
ME4.6 X X X
Control: Use of a software tool to monitor actual performance and capacity of the VMware
environment will alert the enterprise to potential bottlenecks before they occur.
4.4.1.7 Determine from IT management whether and how often capacity planning statistics are
gathered and documented for the VMware environment.
4.4.1.8 Determine whether IT management uses a formal software tool, such as VMware
Capacity Planner, to gather operational performance statistics, such as CPU cycles,
number of servers, disk storage, network throughput, etc.
4.4.1.9 Suggested capacity metrics are described in Appendix B.
4.4.1.10 Determine whether and how these statistics are used to model future capacity in a
proactive manner.
© 2011 ISACA. All rights reserved. Page 25
VMware® Server Virtualization Audit/Assurance Program
COSO
CommunicationInformation and
Risk Assessment
Referenc Issue
Control Environment
Control Activities
COBIT e Cross- Comments
Monitoring
Audit/Assurance Program Step Cross- Hyper- reference
reference link
4.4.1.11 Determine whether the capacity planning model includes nontechnical (business)
issues that may impact performance, e.g., planned growth, business cycles, etc.
5. COMPLIANCE
VMware is included in compliance controls and assessments.
Audit/Assurance Objective: The VMware virtualization environment is included in processes to
ensure continuing compliance with regulations, such as the US Sarbanes-Oxley Act, the US Gramm-
Leach Bliley Act (GLBA), Processing Card Industry—Data Security Standards (PCI-DSS) and other
local and global regulations.
The VMware virtualization environment is included in compliance assessments.
Control: The various processes to assess compliance with necessary regulations include the ME3.1 X X X X
VMware virtualization environment.
5.1.1.1 Select a sample of recent, documented compliance assessments, and determine that the
VMware environment was reviewed.
5.1.1.2 Select a sample of compliance issues related to the VMware virtualization
environment, and determine that they were appropriately documented, tracked,
remediated, reported to management and closed out.
Referenc
Assessed Target e
Comments
Maturity Maturity Hyper-
COBIT Control Objectives
link
PO4 Define the IT processes, organisation and relationships—An IT organisation is
defined by considering requirements for staff, skills, functions, accountability,
authority, roles and responsibilities, and supervision. This organisation is embedded
into an IT process framework that ensures transparency and control as well as the
involvement of senior executives and business management. A strategy committee
ensures board oversight of IT, and one or more steering committees in which business
and IT participate determine the prioritisation of IT resources in line with business
needs. Processes, administrative policies and procedures are in place for all functions,
with specific attention to control, quality assurance, risk management, information
security, data and systems ownership, and segregation of duties. To ensure timely
support of business requirements, IT is to be involved in relevant decision processes.
Referenc
Assessed Target e
Comments
Maturity Maturity Hyper-
COBIT Control Objectives
link
financial terms, to enable stakeholders to align risk to an acceptable level of tolerance.
PO 9.4 Risk assessment—Assess on a recurrent basis the likelihood and impact of all
identified risks, using qualitative and quantitative methods. The likelihood and impact
associated with inherent and residual risk should be determined individually, by
category and on a portfolio basis.
PO9.6 Maintenance and monitoring of a risk action plan—Prioritise and plan the
control activities at all levels to implement the risk responses identified as necessary,
including identification of costs, benefits and responsibility for execution. Obtain
approval for recommended actions and acceptance of any residual risks, and ensure
that committed actions are owned by the affected process owner(s). Monitor execution
of the plans, and report on any deviations to senior management.
AI3 Acquire and maintain technology infrastructure—Organisations have
processes for the acquisition, implementation and upgrade of the technology
infrastructure. This requires a planned approach to acquisition, maintenance and
protection of infrastructure in line with agreed-upon technology strategies and the
provision of development and test environments. This ensures that there is ongoing
technological support for business applications.
Referenc
Assessed Target e
Comments
Maturity Maturity Hyper-
COBIT Control Objectives
link
AI3.2 Infrastructure resource protection and availability—Implement internal control,
security and auditability measures during configuration, integration and maintenance
of hardware and infrastructural software to protect resources and ensure availability
and integrity. Responsibilities for using sensitive infrastructure components should be
clearly defined and understood by those who develop and integrate infrastructure
components. Their use should be monitored and evaluated.
AI6.4 Change status tracking and reporting—Establish a tracking and reporting system
to document rejected changes, communicate the status of approved and in-process
changes, and complete changes. Make certain that approved changes are implemented
as planned.
Referenc
Assessed Target e
Comments
Maturity Maturity Hyper-
COBIT Control Objectives
link
DS5 Ensure systems security—The need to maintain the integrity of information and
protect IT assets requires a security management process. This process includes
establishing and maintaining IT security roles and responsibilities, policies, standards,
and procedures. Security management also includes performing security monitoring
and periodic testing and implementing corrective actions for identified security
weaknesses or incidents.
DS5.3 Identity management—Ensure that all users (internal, external and temporary)
and their activity on IT systems (business application, IT environment, system
operations, development and maintenance) are uniquely identifiable. Enable user
identities via authentication mechanisms. Confirm that user access rights to systems
and data are in line with defined and documented business needs and that job
requirements are attached to user identities. Ensure that user access rights are requested
by user management, approved by system owners and implemented by the security-
responsible person. Maintain user identities and access rights in a central repository.
Deploy cost-effective technical and procedural measures, and keep them current to
establish user identification, implement authentication and enforce access rights.
DS5.5 Security testing, surveillance and monitoring—Test and monitor the IT security
implementation in a proactive way. IT security should be reaccredited in a timely
manner to ensure that the approved enterprise’s information security baseline is
maintained.
© 2011 ISACA. All rights reserved. Page 30
VMware® Server Virtualization Audit/Assurance Program
Referenc
Assessed Target e
Comments
Maturity Maturity Hyper-
COBIT Control Objectives
link
Referenc
Assessed Target e
Comments
Maturity Maturity Hyper-
COBIT Control Objectives
link
compliance reporting with the rest of the business.
ME4.5 Risk management—Work with the board to define the enterprise’s appetite for
IT risk, and obtain reasonable assurance that IT risk management practices are
appropriate to ensure that the actual IT risk does not exceed the board’s risk appetite.
Embed risk management responsibilities into the organisation, ensuring that the
© 2011 ISACA. All rights reserved. Page 32
VMware® Server Virtualization Audit/Assurance Program
Referenc
Assessed Target e
Comments
Maturity Maturity Hyper-
COBIT Control Objectives
link
business and IT regularly assess and report IT-related risks and their impact and that
the enterprise’s IT risk position is transparent to all stakeholders.
4
PO9 Assess and Manage IT Risks AI6 Manage Changes
Assessment
ME3 Ensure Compliance with Target
External Requirements
A so-called bare-metal hypervisor installs directly on the hardware, with no intervening operating system,
such as Windows or Linux. As such, it is optimized for a particular type of hardware and provides high
utilization of the hardware, typically in the 90 percent range. The VMware ESX (and ESXi) hypervisor is a
successful example of a bare-metal hypervisor. In summary, the VMware virtualization model comprises a
three-level structure:
• VM layer—This houses the various hosted OSs and applications in separated VMs, each of
which “sees” itself as a physical machine with its own hardware.
• ESX layer—The VM ESX kernel, residing in this layer, schedules the physical hardware (local
CPUs, memory, hard disks, local network cables, local storage bus adapters) for the VMs, together with
the management interface.
• Shared resources layer—The physical hardware subsystems such as storage and physical
network, shared by many VMs.
The following three useful components are not standard with VI3 and can be purchased separately:
10. Virtual Center (VC)—The centralized management console for configuring hosts and VMs and
also for creating fault-tolerant clusters
11. Converter—Used to convert physical Windows machines into VMs and restore backup images
created by a VCB
12. Capacity Planner—An agentless, hosted application service that gathers data about the IT
infrastructure
An appropriate set of performance metrics provides the raw data to identify bottlenecks and also to model
future performance under the impact of expected changes in the business environment. The following table
shows a suggested set of VMware metrics that will assist in the tasks of performance evaluation and
capacity management. They are collected by VMware’s Virtual Center (VC) component.
CPU Metrics
Metric Details Good Practice
cpu.ready.summation Indicates whether a VM is having A CPU Ready bottleneck
CPU ready issues, resulting from occurs when more than 5
CPU over-utilization, e.g., if VMs percent of time involved in a
are contending for limited CPU CPU transaction by a VM is in
time wait time for the resource.
cpu.usagemhz.average Measures CPU utilization at the VMs with high values for this
VM level metric may be negatively
impacting other VMs.
disk.busResets.summation A value for this metric indicates a • Reallocate storage, e.g.,
possible disk overload issue due spread busy files across
to: multiple physical drives.
• Too many VMs accessing the • Move VMs to other
disk datastores with available
• Too many I/Os from the VMs capacity.
to the disk
• Hardware failure
disk.commandsAborted.summatio The number of times a request • Reallocate storage, e.g.,
n was sent to a disk and was spread busy files across
aborted. Similar reasons to above. multiple physical drives.
• Move VMs to other
datastores with available
capacity.
disk.totalLatency.avarage Measures a disk’s total latency, Balance workloads by
i.e., time taken to complete an rightsizing resources allocated
I/O. A value in this metric to the top consuming VMs to
indicates a bottleneck. reduce load on bottlenecked
disk(s) and/or by moving these
VMs to other datastores.
disk.queueLatency.average Shows the average time an I/O Balance workloads by
command waits in a queue to be rightsizing resources allocated
processed by the disk. A value in to the top consuming VMs to
this metric indicates a bottleneck. reduce load on bottlenecked
disk(s) and/or by moving these
VMs to other datastores.
disk.read.average These two metrics show real-time A graph of throughput over
disk.write.average traffic levels from and to a disk, time shows VM performance
© 2011 ISACA. All rights reserved. 36
VMware™ Server Virtualization Audit/Assurance Program
CPU Metrics
Metric Details Good Practice
respectively, at the VM level. The and problems that may be
average of the two metrics gives a impacting other VMs.
measure of disk throughput.
mem.consumed.average Measures the number of memory Add more memory, or move
pages a VM is using in real time. the offending VM(s) to a host
This statistic indicates whether a with more available memory.
memory bottleneck exists or
whether a VM is a “memory hog.”
mem.overhead.average Measures the amount of memory Rightsize VMs that have
used to manage allocated memory excessive memory allocations,
at the VM level, i.e., the memory or move them to hosts with
administration overhead more available memory.
mem.swapin.average Indicate bottlenecks are occurring Excessive VM swaps indicate
mem.swapout.average in memory swapping, i.e., virtual the need for additional
storage administration. If so, memory resources.
mem,swapped.average
performance may be severely
degraded.
mem.vmmemctl.average A value in this metric indicates Change memory allocation
that “ballooning” is occurring, parameters and/or move VMs
i.e., when VMs come close to to hosts with more available
system limits on memory use. memory.
This indicates a bottleneck.