VMware Server Virtualization Audit/Assurance Program

ISACA
With 95,000 constituents in 160 countries, ISACA (www.isaca.org) is a leading global provider of knowledge,
certifications, community, advocacy and education on information systems (IS) assurance and security, enterprise
governance and management of IT, and IT-related risk and compliance. Founded in 1969, the nonprofit, independent
ISACA hosts international conferences, publishes the ISACA Journal, and develops international IS auditing and
control standards, which help its constituents ensure trust in, and value from, information systems. It also advances
and attests IT skills and knowledge through the globally respected Certified Information Systems Auditor (CISA),
Certified Information Security Manager (CISM), Certified in the Governance of Enterprise IT (CGEIT) and
Certified in Risk and Information Systems Control (CRISC) designations. ISACA continually updates COBIT,
which helps IT professionals and enterprise leaders fulfill their IT governance and management responsibilities,
particularly in the areas of assurance, security, risk and control, and deliver value to the business.

Disclaimer
ISACA has designed and created VMware Server Virtualization Audit/Assurance Program (the Work) primarily
as an educational resource for audit and assurance professionals. ISACA makes no claim that use of any of the Work
will assure a successful outcome. The Work should not be considered inclusive of all proper information, procedures
and tests or exclusive of other information, procedures and tests that are reasonably directed to obtaining the same
results. In determining the propriety of any specific information, procedure or test, audit and assurance professionals
should apply their own professional judgment to the specific circumstances presented by the particular systems or IT
environment.

Reservation of Rights
© 2011 ISACA. All rights reserved. No part of this publication may be used, copied, reproduced, modified,
distributed, displayed, stored in a retrieval system or transmitted in any form by any means (electronic, mechanical,
photocopying, recording or otherwise) without the prior written authorization of ISACA. Reproduction and use of
all or portions of this publication are permitted solely for academic, internal and noncommercial use and for
consulting/advisory engagements and must include full attribution of the material's source. No other right or
permission is granted with respect to this work.

ISACA
3701 Algonquin Road, Suite 1010
Rolling Meadows, IL 60008 USA
Phone: +1.847.253.1545
Fax: +1.847.253.1443
E-mail: info@isaca.org
Web site: www.isaca.org

ISBN 978-1-60420-179-6
CRISC is a trademark/service mark of ISACA. The mark has been applied for or registered in countries throughout
the world.

ISACA wishes to recognize:
Author
Jeff Kalwerisky, CISA, CA (SA), HISP, CPEinteractive, Inc., USA

Expert Reviewers
Madhav Chablani, CISA, CISM, TippingPoint Consulting, India
Curt Hartinger, CISA, CISM, CPA, GSNA, MSIA, Office of the State Treasurer, USA
Aurelio Jaimes, CISA, Mexico
Prashant A. Khopkar, CISA, CA, Grant Thornton, LLP, USA
K. K. Mookhey, CISA, CISM, CISSP, Network Intelligence India Pvt. Ltd., India
Philippe Rivest, CISA, CEH, CISSP, TransForce, Canada
Vipin Sehgal, CISA, Sun Life Financial, Canada
Vinoth Sivasubramanian, ABRCCI, CEH, ISO 27001 LA, ITIL V3, UAE Exchange Center LLC, UAE

ISACA Board of Directors


Emil D'Angelo, CISA, CISM, Bank of Tokyo-Mitsubishi UFJ Ltd., USA, International President
Christos K. Dimitriadis, Ph.D., CISA, CISM, INTRALOT S.A., Greece, Vice President
Ria Lucas, CISA, CGEIT, Telstra Corp. Ltd., Australia, Vice President
Hitoshi Ota, CISA, CISM, CGEIT, CIA, Mizuho Corporate Bank Ltd., Japan, Vice President
Jose Angel Pena Ibarra, CGEIT, Alintec S.A., Mexico, Vice President
Robert E. Stroud, CGEIT, CA Technologies, USA, Vice President
Kenneth L. Vander Wal, CISA, CPA, Ernst & Young LLP (retired), USA, Vice President
Rolf M. von Roessing, CISA, CISM, CGEIT, KPMG Germany, Germany, Vice President
Lynn C. Lawton, CISA, FBCS CITP, FCA, FIIA, KPMG Ltd., Russian Federation, Past International President
Everett C. Johnson Jr., CPA, Deloitte & Touche LLP (retired), USA, Past International President
Gregory T. Grocholski, CISA, The Dow Chemical Co., USA, Director
Tony Hayes, CGEIT, AFCHSE, CHE, FACS, FCPA, FIIA, Queensland Government, Australia, Director
Howard Nicholson, CISA, CGEIT, CRISC, City of Salisbury, Australia, Director
Jeff Spivey, CPP, PSP, Security Risk Management, USA, ITGI Trustee

Knowledge Board
Gregory T. Grocholski, CISA, The Dow Chemical Co., USA, Chair
Michael Berardi Jr., CISA, CGEIT, Nestle USA, USA
John Ho Chi, CISA, CISM, CBCP, CFE, Ernst & Young LLP, Singapore
Jose Angel Pena Ibarra, CGEIT, Alintec S.A., Mexico
Jo Stewart-Rattray, CISA, CISM, CGEIT, CSEPS, RSM Bird Cameron, Australia
Jon Singleton, CISA, FCA, Auditor General of Manitoba (retired), Canada
Patrick Stachtchenko, CISA, CGEIT, CA, Stachtchenko & Associates SAS, France
Kenneth L. Vander Wal, CISA, CPA, Ernst & Young LLP (retired), USA

Guidance and Practices Committee


Kenneth L. Vander Wal, CISA, CPA, Ernst & Young LLP (retired), USA, Chair
Kamal N. Dave, CISA, CISM, CGEIT, Hewlett-Packard, USA
Urs Fischer, CISA, CRISC, CIA, CPA (Swiss), Switzerland
Ramses Gallego, CISM, CGEIT, CISSP, Entel IT Consulting, Spain
Phillip J. Lageschulte, CGEIT, CPA, KPMG LLP, USA
Ravi Muthukrishnan, CISA, CISM, FCA, ISCA, Capco IT Service India Pvt. Ltd., India
Anthony P. Noble, CISA, CCP, Viacom Inc., USA
Salomon Rico, CISA, CISM, CGEIT, Deloitte, Mexico
Frank Van Der Zwaag, CISA, Westpac New Zealand, New Zealand

ISACA and IT Governance Institute Affiliates and Sponsors


American Institute of Certified Public Accountants
ASIS International
The Center for Internet Security
Commonwealth Association for Corporate Governance Inc.
FIDA Inform
Information Security Forum
Information Systems Security Association
Institut de la Gouvernance des Systèmes d'Information
Institute of Management Accountants Inc.
ISACA chapters
ITGI Japan
Norwich University
Solvay Brussels School of Economics and Management
University of Antwerp Management School
ASI System Integration
Hewlett-Packard
IBM
SOAProjects Inc.
Symantec Corp.
TruArx Inc.

Table of Contents
I. Introduction
II. Using This Document
III. Controls Maturity Analysis
IV. Assurance and Control Framework
V. Executive Summary of Audit/Assurance Focus
VI. Audit/Assurance Program
    1. Planning and Scoping the Audit
    2. Governance of the Virtualized Environment
    3. Prefieldwork Preparation
    4. VMware Virtualized Environment
    5. Compliance
VII. Maturity Assessment
VIII. Assessment Maturity vs. Target Maturity
Appendix A. Virtualization Architecture
Appendix B. VMware Performance Metrics

I. Introduction
Overview
ISACA has developed the IT Assurance Framework (ITAF) as a comprehensive and good-practice-setting
model. ITAF provides standards that are designed to be mandatory and that are the guiding principles
under which the IT audit and assurance profession operates. The guidelines provide information and
direction for the practice of IT audit and assurance. The tools and techniques provide methodologies, tools
and templates to provide direction in the application of IT audit and assurance processes.

Purpose
The audit/assurance program is a tool and template to be used as a road map for the completion of a
specific assurance process. ISACA has commissioned audit/assurance programs to be developed for use
by IT audit and assurance practitioners. This audit/assurance program is intended to be utilized by IT
audit and assurance professionals with the requisite knowledge of the subject matter under review, as
described in ITAF section 2200, General Standards. The audit/assurance programs are part of ITAF
section 4000, IT Assurance Tools and Techniques.

Control Framework
The audit/assurance programs have been developed in alignment with the ISACA COBIT framework,
specifically COBIT 4.1, using generally applicable and accepted good practices. They reflect ITAF
sections 3400, IT Management Processes; 3600, IT Audit and Assurance Processes; and 3800, IT
Audit and Assurance Management.

Many organizations have embraced several frameworks at an enterprise level, including the Committee of
Sponsoring Organizations of the Treadway Commission (COSO) Internal Control Framework. The
importance of the control framework has been enhanced due to regulatory requirements by the US
Securities and Exchange Commission (SEC) as directed by the US Sarbanes-Oxley Act of 2002 and
similar legislation in other countries. Enterprises seek to integrate control framework elements used by
the general audit/assurance team into the IT audit and assurance framework. Since COSO is widely used,
it has been selected for inclusion in this audit/assurance program. The reviewer may delete or rename
these columns to align with the enterprise's control framework.

Governance, Risk and Control of IT


Governance, risk and control of IT are critical in the performance of any assurance management process.
Governance of the process under review will be evaluated as part of the policies and management
oversight controls. Risk plays an important role in evaluating what to audit and how management
approaches and manages risk. Both issues are evaluated as steps in the audit/assurance program. Controls
are the primary evaluation point in the process. The audit/assurance program identifies the control
objectives and the steps to determine control design and effectiveness.

Responsibilities of IT Audit and Assurance Professionals


IT audit and assurance professionals are expected to customize this document to the environment in
which they are performing an assurance process. This document is to be used as a review tool and starting
point. It may be modified by the IT audit and assurance professional; it is not intended to be a checklist or
questionnaire. It is assumed that the IT audit and assurance professional has the necessary subject matter
expertise required to conduct the work and is supervised by a professional with the Certified Information
Systems Auditor (CISA) designation and/or necessary subject matter expertise to adequately review the
work performed.

II. Using This Document


This audit/assurance program was developed to assist the audit and assurance professional in designing
and executing a review. Details regarding the format and use of the document follow.

Work Program Steps


The first column of the program describes the steps to be performed. The numbering scheme used
provides built-in work paper numbering for ease of cross-reference to the specific work paper for that
section. The physical document was designed in Microsoft Word. The IT audit and assurance
professional is encouraged to make modifications to this document to reflect the specific environment
under review.

Step 1 is part of the fact-gathering and prefieldwork preparation. Because the prefieldwork is essential to
a successful and professional review, the steps have been itemized in this plan. The first level steps, e.g.,
1.1, are shown in bold type and provide the reviewer with a scope or high-level explanation of the
purpose for the substeps.

Beginning in step 2, the steps associated with the work program are itemized. To simplify the use of the
program, the audit/assurance program describes the audit/assurance objective, the reason for performing
the steps in the topic area; the specific controls follow. Each review step is listed below the control. These
steps may include assessing the control design by walking through a process, interviewing, observing or
otherwise verifying the process and the controls that address that process. In many cases, once the control
design has been verified, specific tests need to be performed to provide assurance that the process
associated with the control is being followed.

The maturity assessment, which is described in more detail later in this document, makes up the last
section of the program.

The audit/assurance plan wrap-up (those processes associated with the completion and review of work
papers, preparation of issues and recommendations, report writing, and report clearing) has been
excluded from this document because it is standard for the audit/assurance function and should be
identified elsewhere in the enterprise's standards.

COBIT Cross-reference
The COBIT cross-reference provides the audit and assurance professional with the ability to refer to the
specific COBIT control objective that supports the audit/assurance step. The COBIT control objective
should be identified for each audit/assurance step in the section. Multiple cross-references are not
uncommon. Processes at lower levels in the work program are too granular to be cross-referenced to
COBIT. The audit/assurance program is organized in a manner to facilitate an evaluation through a
structure parallel to the development process. COBIT provides in-depth control objectives and suggested
control practices at each level. As professionals review each control, they should refer to COBIT 4.1 or
the IT Assurance Guide: Using COBIT for good-practice control guidance.

COSO Components
As noted in the introduction, COSO and similar frameworks have become increasingly popular among
audit/assurance professionals. This ties the assurance work to the enterprise's control framework. While
the IT audit and assurance function uses COBIT as a framework, operational audit and assurance
professionals use the framework established by the enterprise. Since COSO is the most prevalent internal
control framework, it has been included in this document and is a bridge to align IT audit and assurance
with the rest of the audit/assurance function. Many audit/assurance organizations include the COSO
control components within their reports and summarize assurance activities to the audit committee of the
board of directors.

For each control, the audit and assurance professional should indicate the COSO component(s) addressed.
It is possible, but generally not necessary, to extend this analysis to the specific audit step level.

The original COSO internal control framework contained five components. In 2004, COSO was revised
as the Enterprise Risk Management (ERM) Integrated Framework and extended to eight components. The
primary difference between the two frameworks is the additional focus on ERM and integration into the
business decision model. ERM is in the process of being adopted by large enterprises. The two
frameworks are compared in Figure 1.

Figure 1: Comparison of COSO Internal Control and ERM Integrated Frameworks

Internal Control Framework (five components):

Control Environment: The control environment sets the tone of an organization, influencing the control
consciousness of its people. It is the foundation for all other components of internal control, providing
discipline and structure. Control environment factors include the integrity, ethical values, management's
operating style, delegation of authority systems, as well as the processes for managing and developing
people in the organization.

Risk Assessment: Every entity faces a variety of risks from external and internal sources that must be
assessed. A precondition to risk assessment is establishment of objectives, and, thus, risk assessment is
the identification and analysis of relevant risks to achievement of assigned objectives. Risk assessment
is a prerequisite for determining how the risks should be managed.

Control Activities: Control activities are the policies and procedures that help ensure management
directives are carried out. They help ensure that necessary actions are taken to address risks to
achievement of the entity's objectives. Control activities occur throughout the organization, at all levels
and in all functions. They include a range of activities as diverse as approvals, authorizations,
verifications, reconciliations, reviews of operating performance, security of assets and segregation of
duties.

Information and Communication: Information systems play a key role in internal control systems as they
produce reports, including operational, financial and compliance-related information that make it
possible to run and control the business. In a broader sense, effective communication must ensure
information flows down, across and up the organization. Effective communication should also be
ensured with external parties, such as customers, suppliers, regulators and shareholders.

Monitoring: Internal control systems need to be monitored, a process that assesses the quality of the
system's performance over time. This is accomplished through ongoing monitoring activities or separate
evaluations. Internal control deficiencies detected through these monitoring activities should be reported
upstream and corrective actions should be taken to ensure continuous improvement of the system.

ERM Integrated Framework (eight components; Internal Environment corresponds to Control Environment
above, while Objective Setting, Event Identification and Risk Response have no counterpart in the
five-component model):

Internal Environment: The internal environment encompasses the tone of an organization, and sets the
basis for how risk is viewed and addressed by an entity's people, including risk management philosophy
and risk appetite, integrity and ethical values, and the environment in which they operate.

Objective Setting: Objectives must exist before management can identify potential events affecting their
achievement. Enterprise risk management ensures that management has in place a process to set
objectives and that the chosen objectives support and align with the entity's mission and are consistent
with its risk appetite.

Event Identification: Internal and external events affecting achievement of an entity's objectives must be
identified, distinguishing between risks and opportunities. Opportunities are channeled back to
management's strategy or objective-setting processes.

Risk Assessment: Risks are analyzed, considering the likelihood and impact, as a basis for determining
how they could be managed. Risk areas are assessed on an inherent and residual basis.

Risk Response: Management selects risk responses (avoiding, accepting, reducing or sharing risk),
developing a set of actions to align risks with the entity's risk tolerances and risk appetite.

Control Activities: Policies and procedures are established and implemented to help ensure the risk
responses are effectively carried out.

Information and Communication: Relevant information is identified, captured and communicated in a
form and time frame that enable people to carry out their responsibilities. Effective communication also
occurs in a broader sense, flowing down, across and up the entity.

Monitoring: The entirety of enterprise risk management is monitored and modifications are made as
necessary. Monitoring is accomplished through ongoing management activities, separate evaluations or
both.

Information for figure 1 was obtained from the COSO web site, www.coso.org/aboutus.htm.

The original COSO internal control framework addresses the needs of the IT audit and assurance
professional: control environment, risk assessment, control activities, information and communication,
and monitoring. As such, ISACA has elected to utilize the five-component model for these audit/
assurance programs. As more enterprises implement the ERM model, the additional three columns can be
added, if relevant. When completing the COSO component columns, consider the definitions of the
components as described in figure 1.

Reference/Hyperlink
Good practices require the audit and assurance professional to create a work paper that describes the work
performed, issues identified and conclusions for each line item. The reference/hyperlink is to be used to
cross-reference the audit/assurance step to the work paper that supports it. The numbering system of this
document provides a ready numbering scheme for the work papers. If desired, a link to the work paper
can be pasted into this column.

Issue Cross-reference
This column can be used to flag a finding/issue that the IT audit and assurance professional wants to
further investigate or establish as a potential finding. The potential findings should be documented in a
work paper that indicates the disposition of the findings (formally reported, reported as a memo or verbal
finding, or waived).

Comments
The comments column can be used to indicate the waiving of a step or other notations. It is not to be used
in place of a work paper that describes the work performed.

III. Controls Maturity Analysis


One of the consistent requests of stakeholders who have undergone IT audit/assurance reviews is a desire
to understand how their performance compares to good practices. Audit and assurance professionals must
provide an objective basis for the review conclusions. Maturity modeling for management and control
over IT processes is based on a method of evaluating the enterprise so that it can be rated from a maturity
level of nonexistent (0) to optimized (5). This approach is derived from the maturity model that the
Software Engineering Institute (SEI) of Carnegie Mellon University defined for the maturity of software
development.

IT Assurance Guide: Using COBIT, Appendix VII, Maturity Model for Internal Control, shown in figure
2, provides a generic maturity model that shows the status of the internal control environment and the
establishment of internal controls in an enterprise. It shows how the management of internal control, and
an awareness of the need to establish better internal controls, typically develops from an ad hoc to an
optimized level. The model provides a high-level guide to help COBIT users appreciate what is required
for effective internal controls in IT and to help position their enterprise on the maturity scale.

Figure 2: Maturity Model for Internal Control

Level 0, Non-existent
Status of the internal control environment: There is no recognition of the need for internal control.
Control is not part of the organization's culture or mission. There is a high risk of control deficiencies
and incidents.
Establishment of internal controls: There is no intent to assess the need for internal control. Incidents
are dealt with as they arise.

Level 1, Initial/ad hoc
Status of the internal control environment: There is some recognition of the need for internal control.
The approach to risk and control requirements is ad hoc and disorganized, without communication or
monitoring. Deficiencies are not identified. Employees are not aware of their responsibilities.
Establishment of internal controls: There is no awareness of the need for assessment of what is needed
in terms of IT controls. When performed, it is only on an ad hoc basis, at a high level and in reaction to
significant incidents. Assessment addresses only the actual incident.

Level 2, Repeatable but Intuitive
Status of the internal control environment: Controls are in place but are not documented. Their
operation is dependent on the knowledge and motivation of individuals. Effectiveness is not adequately
evaluated. Many control weaknesses exist and are not adequately addressed; the impact can be severe.
Management actions to resolve control issues are not prioritized or consistent. Employees may not be
aware of their responsibilities.
Establishment of internal controls: Assessment of control needs occurs only when needed for selected
IT processes to determine the current level of control maturity, the target level that should be reached
and the gaps that exist. An informal workshop approach, involving IT managers and the team involved
in the process, is used to define an adequate approach to controls for the process and to motivate an
agreed-upon action plan.

Level 3, Defined
Status of the internal control environment: Controls are in place and adequately documented. Operating
effectiveness is evaluated on a periodic basis and there is an average number of issues. However, the
evaluation process is not documented. While management is able to deal predictably with most control
issues, some control weaknesses persist and impacts could still be severe. Employees are aware of their
responsibilities for control.
Establishment of internal controls: Critical IT processes are identified based on value and risk drivers.
A detailed analysis is performed to identify control requirements and the root cause of gaps and to
develop improvement opportunities. In addition to facilitated workshops, tools are used and interviews
are performed to support the analysis and ensure that an IT process owner owns and drives the
assessment and improvement process.

Level 4, Managed and Measurable
Status of the internal control environment: There is an effective internal control and risk management
environment. A formal, documented evaluation of controls occurs frequently. Many controls are
automated and regularly reviewed. Management is likely to detect most control issues, but not all issues
are routinely identified. There is consistent follow-up to address identified control weaknesses. A
limited, tactical use of technology is applied to automate controls.
Establishment of internal controls: IT process criticality is regularly defined with full support and
agreement from the relevant business process owners. Assessment of control requirements is based on
policy and the actual maturity of these processes, following a thorough and measured analysis involving
key stakeholders. Accountability for these assessments is clear and enforced. Improvement strategies are
supported by business cases. Performance in achieving the desired outcomes is consistently monitored.
External control reviews are organized occasionally.

Level 5, Optimized
Status of the internal control environment: An enterprise-wide risk and control program provides
continuous and effective control and risk issues resolution. Internal control and risk management are
integrated with enterprise practices, supported with automated real-time monitoring with full
accountability for control monitoring, risk management and compliance enforcement. Control
evaluation is continuous, based on self-assessments and gap and root cause analyses. Employees are
proactively involved in control improvements.
Establishment of internal controls: Business changes consider the criticality of IT processes and cover
any need to reassess process control capability. IT process owners regularly perform self-assessments to
confirm that controls are at the right level of maturity to meet business needs and they consider maturity
attributes to find ways to make controls more efficient and effective. The organization benchmarks to
external best practices and seeks external advice on internal control effectiveness. For critical processes,
independent reviews take place to provide assurance that the controls are at the desired level of maturity
and working as planned.

The maturity model evaluation is one of the final steps in the evaluation process. The IT audit and
assurance professional can address the key controls within the scope of the work program and formulate
an objective assessment of the maturity levels of the control practices. The maturity assessment can be a
part of the audit/assurance report and can be used as a metric from year to year to document progression
in the enhancement of controls. However, it must be noted that the perception of the maturity level may
vary between the process/IT asset owner and the auditor. Therefore, an auditor should obtain the
concerned stakeholders concurrence before submitting the final report to management.

At the conclusion of the review, once all findings and recommendations are completed, the professional
assesses the current state of the COBIT control framework and assigns it a maturity level using the six-
level scale. Some practitioners utilize decimals (x.25, x.5, x.75) to indicate gradations in the maturity
model. As a further reference, COBIT provides a definition of the maturity designations by control
objective. While this approach is not mandatory, the process is provided as a separate section at the end of
the audit/assurance program for those enterprises that wish to implement it. It is suggested that a maturity
assessment be made at the COBIT control level. To provide further value to the client/customer, the
professional can also obtain maturity targets from the client/customer. Using the assessed and target
maturity levels, the professional can create an effective graphic presentation that describes the
achievement or gaps between the actual and targeted maturity goals. A graphic is provided as the last page
of the document (section VIII), based on sample assessments.

IV. Assurance and Control Framework

ISACA IT Assurance Framework and Standards


ITAF section 3630.14, Operating System (OS) Management and Controls, is relevant to VMware
Server.

ISACA Control Framework


COBIT is a framework for the governance of IT and is a supporting tool set that allows managers to
bridge the gap among control requirements, technical issues and business risks. COBIT enables clear
policy development and good practice for IT control throughout enterprises.

Utilizing COBIT as the control framework from which IT audit and assurance activities are based aligns
IT audit and assurance with good practices as developed by the enterprise.

Virtualization addresses several COBIT IT control processes:


PO4 Define the IT processes, organisation and relationships.
- PO4.5 IT organisational structure
- PO4.6 Establishment of roles and responsibilities
PO9 Assess and manage IT risks.
- PO9.1 IT risk management framework
- PO9.2 Establishment of risk context
- PO9.4 Risk assessment
- PO9.5 Risk response
- PO9.6 Maintenance and monitoring of a risk action plan
AI3 Acquire and maintain technology infrastructure.
- AI3.2 Infrastructure resource protection and availability
- AI3.3 Infrastructure maintenance
AI6 Manage changes.
- AI6.1 Change standards and procedure
- AI6.2 Impact assessment, prioritisation and authorisation
- AI6.4 Change status tracking and reporting
DS5 Ensure systems security.
- DS5.1 Management of IT security
- DS5.3 Identity management
- DS5.4 User account management
- DS5.5 Security testing, surveillance and monitoring
- DS5.7 Protection of security technology
- DS5.10 Network security
DS9 Manage the configuration.
- DS9.1 Configuration repository and baseline
- DS9.2 Identification and maintenance of configuration items
- DS9.3 Configuration integrity review
ME3 Ensure compliance with external requirements.
- ME3.1 Identification of external legal, regulatory and contractual compliance requirements
ME4 Provide IT governance.
- ME4.1 Establishment of an IT governance framework
- ME4.2 Strategic alignment
- ME4.5 Risk management
- ME4.6 Performance measurement

Refer to ISACA publication COBIT Control Practices: Guidance to Achieve Control Objectives for
Successful IT Governance, 2nd Edition, published in 2007, for the related control practice value and risk
drivers.

V. Executive Summary of Audit/Assurance Focus

VMware Server Virtualization Management


Server virtualization is defined as the capability to run multiple OS images on a single hardware server at
the same time. The technology originated in the 1970s, primarily to optimize the use of expensive
mainframe processing power. In recent years, the technology has moved to the personal computer (PC)
platform.

The primary goal of virtualization is to separate the server's physical hardware from the OS software
(known as hardware abstraction). The goal is to improve utilization of expensive hardware resources.
To achieve this, the virtualization software, called a hypervisor, imitates the desired computer hardware,
allowing multiple, often different, OSs to run on a single physical computer host.

Each such guest OS, called a virtual machine (VM), appears to have access to and control of the host's
resources (the central processor, memory, disk storage, network, etc.) to itself. In fact, the hypervisor is
actually in control of the host processor and its resources, allocating these limited resources to each VM
as needed. Resources not needed by a VM at a point in time can be allocated to another running VM. In
this way, multiple VMs coexist simultaneously on a single hardware platform. The hypervisor also
ensures that these VMs can neither see nor disrupt one another. A more detailed description of the
VMware ESX virtualization architecture is included as Appendix A. Virtualization Architecture.

Virtualization technology provides significant improvements in the utilization of expensive hardware
assets by consolidating servers. It provides additional benefits, including:
- Simplified disaster recovery: Entire machine configurations are stored in a set of files, simplifying
  and speeding up backup and restore procedures, and convenient mirrored environments to minimize
  the risk of downtime.
- Automatic provisioning of servers from standard configuration builds
- Direct savings in reduced floor space for data center floors and reduced energy costs due to reduction
  in numbers of physical servers, often by an order of magnitude
- Simplified administration: Virtual servers can typically be rebooted in seconds.
- A safe environment for testing patches and upgrades: If a faulty patch or change causes a VM to fail,
  other VMs on the same host are unaffected.

As such, virtualization is used to streamline insourced IT operations and to reduce costs. Outsourced IT
servicers utilize virtualization to maximize operational efficiencies for their customers. In fact, cloud
computing is almost exclusively a virtualized environment.

Business Impact and Risk


The move to virtualization is typically driven by considerations of return on investment (ROI) and
ongoing cost efficiencies:
- The ROI benefits:
  - Increased utilization of hardware resources, typically 10 to 80 percent
  - Fewer systems to administer, less overall cost
  - Decreased time to production
  - Increased availability and uptime
- Ongoing cost benefits:
  - Reduced capital expenditure, such as hardware, cabling and infrastructure costs
  - Reduced operating expense: lower ongoing costs of facility, management and maintenance
  - Greater flexibility and scalability
  - Data center consolidation
  - Speed of server deployment: template-based server provisioning
  - Improved capacity management
  - Enhanced uptime since a VM can rapidly be restarted after a system crash
  - Cost-effective disaster recovery and backup

However, deploying a virtualized environment also exposes the enterprise to a series of new business and
technology risks. These include:
- Reduction in security if information security specialists are not involved in planning and deployment
- A successful compromise of the virtualization layer can result in compromise of all hosted virtual
  machines and applications
- Guest machines of different (higher and lower) trust levels may be hosted on a single physical server
  with insufficient separation
- Inadequate controls over administrative access to the hypervisor can allow unauthorized access to
  applications running on virtual hosts
- Ease of creating VMs may result in reduction in controls over deployment, such as deviations from
  baseline configurations and security
- Administrators may not be knowledgeable about exploits that specifically target VM environments
- Inadequate or insufficient tools available for proper monitoring of the virtualized environment
- Inadequate training of administrators in virtualization technologies and problems
- Compromised system security and confidentiality
- Invalid transactions or transactions processed incorrectly
- Costly compensating controls
- Reduced system availability and questionable integrity of information
- Failure to respond to relationship issues with optimal and approved decisions
- Insufficient allocation of resources
- Unclear responsibilities and accountabilities
- Inaccurate billings for use of IT resources
- Inability to satisfy the audit/assurance charter and requirements of regulators or external auditors,
  resulting in noncompliance with regulatory requirements and security breaches leading to lost
  productivity, reputation loss and remediation costs

Objective and Scope


Objective: The VMware server virtualization audit/assurance review will provide management with an
independent assessment of the effectiveness of the configuration of, controls over and security of the
virtualized servers operating under VMware in the enterprise's computing environment.

Scope: The review will focus on the governance, configuration and management of the relevant
VMware virtualized servers in the enterprise, with emphasis on control issues specific to virtualized
environments.

The selection of specific applications, functions and servers will be based on the risks introduced to the
enterprise by these systems.

The VMware server virtualization audit/assurance review is not designed to replace or focus on audits
that provide assurance of specific application processes and excludes assurance of an application's
functionality and suitability.

Since the areas under review rely heavily on the effectiveness of core IT general controls, it is
recommended that audit/assurance reviews of the following areas be performed prior to the execution of
the VMware server virtualization review so that appropriate reliance can be placed on these assessments:
- Identity management as it applies to the VMware environment, i.e., privileged VMware users, user
  access to VMs, etc.
- Security incident management
- Secure architecture, including virtualized servers and server farms and network security
- Systems development: Test environments are typically hosted on virtualized servers for ease of
  testing and recovery after crashes.
- Risk management
- Vulnerability management and testing
- Cryptographic controls and associated key management

Minimum Audit Skills


This review is considered highly technical. The audit and assurance professional should have the requisite
knowledge of VMware ESX's functionality, components, features, weaknesses and security good
practices.

The audit and assurance professional should be cautioned not to attempt to conduct an audit/assurance
review of VMware environments utilizing this program as a checklist.

It should not be assumed that an audit and assurance professional holding the CISA designation alone has
the requisite skills to perform this review.


VI. Audit/Assurance Program

Columns: Audit/Assurance Program Step | COBIT Cross-reference | COSO (Control Environment, Risk
Assessment, Control Activities, Information and Communication, Monitoring) | Reference Hyperlink |
Issue Cross-reference | Comments

1. PLANNING AND SCOPING THE AUDIT

1.1 Define audit/assurance objectives.
The audit/assurance objectives are high level and describe the overall audit goals.
1.1.1 Review the audit/assurance objectives in the introduction to this audit/assurance program.
    Ref: Acta #2; Alcance_Objetivos-Auditoria; Audio_Alcance_Objetivos-Auditoria
    Comments: The introduction and review of objectives was carried out with the General Manager on
    the second visit.
1.1.2 Modify the audit/assurance objectives to align with the audit/assurance universe, annual plan
and charter.
    Comments: NA
1.2 Define boundaries of review.
The review must have a defined scope. The reviewer should understand the operating environment
and prepare a proposed scope, subject to a later risk assessment.
1.2.1 Obtain a description of all virtualization environments in use and under consideration.
    Ref: Caracteristicas_Ambiente_Virtualizado
1.2.2 Obtain and review any previous audit reports with remediation plans. Identify open issues,
and assess updates to the documents with respect to these issues.
    Comments: NA
1.3 Identify and document risks.
The risk assessment is necessary to evaluate where audit resources should be focused. In most
enterprises, audit resources are not available for all processes. The risk-based approach assures
utilization of audit resources in the most effective manner.
1.3.1 Identify the business risk associated with virtualization technology of concern to business
owners and key stakeholders.
    Comments: No risk analysis has been performed previously.
1.3.2 Verify that the business risks are aligned, rated or classified with virtualization technology
security criteria such as confidentiality, integrity and availability.
    Comments: NA
1.3.3 Review internal audit reports of virtualization technology.
    Comments: NA
1.3.4 Determine if the risks identified previously have been appropriately addressed.
    Comments: NA
1.3.5 Evaluate the overall risk factor for performing the review.
    Comments: NA
1.3.6 Based on the risk assessment, identify changes to the scope.
    Comments: NA
1.3.7 Discuss the risks with IT management, and adjust the risk assessment.
    Ref: Audio_Alcance_Objetivos-Auditoria
    Comments: The possible IT risks were analyzed with the IT Manager.
1.3.8 Based on the risk assessment, revise the scope.
    Comments: NA
1.4 Define the audit change process.
The initial audit approach is based on the reviewer's understanding of the operating environment and
associated risks. As further research and analysis are performed, changes to the scope and approach
will result.
1.4.1 Identify the senior IT assurance resource responsible for the review.
    Comments: Yes, there are two people in charge of the IT area.
1.4.2 Establish the process for suggesting and implementing changes to the audit/assurance
program and the authorizations required.
    Comments: No process exists.
1.5 Define assignment success.
The success factors need to be identified. Communication among the IT audit/assurance team, other
assurance teams and the enterprise is essential.
1.5.1 Identify the drivers for a successful review (this should exist in the assurance function's
standards and procedures).
    Comments: NA
1.5.2 Communicate success attributes to the process owner or stakeholder, and obtain agreement.
    Comments: NA
1.6 Define the audit/assurance resources required.
The resources required are defined in the introduction to this audit/assurance program.
1.6.1 Determine the audit/assurance skills necessary for the review.
    Ref: Reconocimiento_Habilidades_Roles
1.6.2 Estimate the total resources (hours) and time frame (start and end dates) required for the
review.
    Ref: Acta #2
1.7 Define deliverables.
The deliverable is not limited to the final report. Communication between the audit/assurance teams
and the process owner is essential to assignment success.
1.7.1 Determine the interim deliverables, including initial findings, status reports, draft reports, due
dates for responses or meetings, and the final report.
    Ref: Acta #2
    Comments: It was agreed to deliver the detailed draft report and the executive report.
1.8 Communicate.
The audit/assurance process must be clearly communicated to the customer/client.
1.8.1 Conduct an opening conference to discuss:
    - Review objectives with the stakeholders
    - Documents and information security resources required to perform an effective review
    - Timelines and deliverables
    Ref: Alcance_Objetivos-Auditoria

2. GOVERNANCE OF THE VIRTUALIZED ENVIRONMENT

2.1 Governance and Enterprise Risk Management (ERM)
3. Governance
Audit/Assurance Objective: Governance functions are established to ensure effective and sustainable
management processes that result in transparency of business decisions, clear lines of responsibility,
information security in alignment with regulatory and customer organization standards, and
accountability.
4. Governance Model (COBIT: DS5.1, ME1.5, ME4.1, ME4.2; COSO: X X X X)
Control: The organization has mechanisms in place to identify all providers and brokers of
virtualization technologies currently used across the enterprise. The organization ensures that IT
architecture, network and information security units actively participate in the governance and
policy activities to align business objectives and information security capabilities of
virtualization technology/ies with those of the organization.
4.1.1.1.1 Determine if IT management and information security have deployed a formal
governance framework related to virtualization including appropriate monitoring processes.
    Comments: Monitoring exists, but it is not formal.
4.1.1.1.2 Determine if the IT and information security functions are actively involved in
the decision-making process associated with the virtualized environment.
    Comments: Yes, the IT Department.
4.1.1.1.3 Determine if the enterprise has identified control objectives for the virtualized
environment.
    Comments: N/A
4.1.1.1.4 Determine if the organization maintains a properly labeled inventory of all
virtualized servers and OSs.
    Ref: Invetario Frontera global
    Comments: Yes, it has implemented an inventory document of operating systems, users and
    equipment.
5. Information Security Collaboration (COBIT: PO4.5, PO4.6, AI3.2, DS2.2, DS5.1, ME2.1; COSO: X X X X)
Control: Both parties define the reporting relationship and responsibilities.
5.1.1.1.1 Determine if the responsibilities for governance are documented and approved by
relevant enterprise or IT management.
    Comments: Yes, they are documented, but the information could not be provided because of the
    confidentiality agreement.
5.1.1.1.2 Determine if the information security function has performed a risk assessment of
the use of virtualization technology against the organization's information security policies and
the threats, vulnerabilities and IT risks associated with the transition to a virtualized environment.
    Comments: N/A
6. ERM
Audit/Assurance Objective: Risk management practices are implemented to evaluate inherent risks
within the virtualized environment, identify appropriate control mechanisms and ensure that residual
risk is within acceptable levels.
7. Identification of Risks (COBIT: PO9.3, PO9.5, AI6.2, ME4.2, ME4.5; COSO: X X X)
Control: The risk management process provides a thorough assessment of the risks to the
business from implementing a virtualized environment and is aligned to ERM, if applicable.
    Comments: NA
7.1.1.1.1 Determine if the organization has an ERM model.
    Comments: NA
7.1.1.1.2 If an ERM model has been implemented, determine if the risk assessment of the
use of virtualization technology is aligned with the enterprise's ERM.
    Comments: NA
7.1.1.1.3 Determine whether the decision to use virtualization technology will limit the
availability or execution of required information security activities, such as:
    - Vulnerability assessments and penetration testing
    - Availability of audit logs
    - Access to activity monitoring reports
    - Segregation of duties (SoD)
    Comments: NA
7.1.1.1.4 Determine if the risk management approach includes the following:
    - Identification and valuation of virtualized assets and applications
    - Identification and analysis of threats and vulnerabilities to the virtualized
      environment with their potential impact on assets
    - Analysis of the likelihood of adverse events using a scenario approach
    - Documented management approval of risk acceptance levels and criteria
    - Risk action plans (control, avoid, transfer, accept)
    Comments: NA
7.1.1.1.5 Determine if the assets identified in the risk assessment included all virtualized
assets and if the information security classifications used in the risk assessments
are aligned with the ERM.
    Comments: NA
7.1.1.1.6 Determine if the risk assessment includes the capabilities and financial condition
of the (or each) vendor involved in providing virtualization capabilities to the enterprise.
    Comments: NA
8. Acceptance of Risk (COBIT: PO9.4, PO9.5, AI1.3, ME4.5; COSO: X X)
Control: Risk acceptance is approved by a member of management with the authority to accept
the risk on behalf of the organization and who understands the implications of the decision.
    Comments: NA
8.1.1.1.1 Determine if management has performed an analysis of its quantification and
acceptance of residual risk prior to implementing a VMware environment.
    Comments: NA
8.1.1.1.2 Determine if the individual accepting such risk has the authority to make this
decision.
    Comments: NA
9. Information Risk Management
Audit/Assurance Objective: A process to manage information risk exists and is integrated into the
organization's overall ERM framework. Information risk management information and metrics are
available for the information security function to manage risks within the risk tolerance of the data
owner.
    Comments: NA
10. Risk Management Framework and Maturity Model (COBIT: PO9.1, PO9.2, PO9.4, DS5.1, ME4.5; COSO: X X X)
Control: A risk management framework and a maturity model have been implemented to
quantify risk and assess the effectiveness of the risk model.
    Comments: NA
10.1.1.1.1 Determine if a risk framework has been identified and approved.
    Comments: NA
10.1.1.1.2 Determine if a maturity model is used to assess the effectiveness.
    Comments: NA
10.1.1.1.3 Review the maturity model results, and determine if the lack of maturity
materially affects the audit objectives.
    Comments: NA
11. Risk Management Controls (COBIT: PO9.4, PO9.5, PO9.6; COSO: X X X)
Control: Risk management controls are in effect to manage risk-based decisions.
    Comments: NA
11.1.1.1.1 Identify the technology controls and contractual requirements necessary to make
fact-based information risk decisions. Consider:
    - Use of information
    - Access controls
    - Security controls
    - Physical security controls
    - Privacy and data leak protection (DLP) controls
    Comments: NA
11.1.1.1.2 Ensure that the organization has clearly defined service levels for performance,
security and availability for the virtualized environment.
    Comments: NA
11.1.1.1.3 Obtain the analytical data requirements, and determine whether the organization
routinely monitors and evaluates them against expectations.
    Comments: NA
11.1.1.1.4 Determine whether the organization has identified the information available and
the control practices necessary to manage the virtualized environment that
address availability, confidentiality, data ownership, e-discovery, privacy and
legal issues.
    Comments: NA
11.1.1.1.5 Determine whether the organization has established suitable monitoring
practices to identify risk issues.
    Comments: NA
11.1.1.1.6 Determine whether the organization has identified and monitors the control and
security processes in a virtualized environment necessary to provide for secure
operations.
    Comments: NA
11.1.1.1.7 Determine if the VMware server virtualized environment provides appropriate
metrics and controls to assist in implementing information risk management
requirements.
    Comments: NA
12. PREFIELDWORK PREPARATION
12.1 Obtain and review the current organizational chart for the management and security
functions of the VMware ESX/ESXi operating environment.
    Ref: Link Caracteristicas del Servidor
13. Determine whether an audit of the VMware ESX environment has been performed.
    Ref: Link Caracteristicas del Servidor
    Comments: Not performed.
13.1.1 If an audit had been performed, obtain the work papers for the previous audit.
    Comments: NA
14. Review the security configuration, and determine if identified issues have been corrected.
    Comments: NA
15. Determine the specific version of the VMware hypervisor(s) installed, namely, VMware ESX,
VMware ESXi, or VMware Server.(1)
    Comments: The ESXi hypervisor is the one used for virtualization.

(1) Note: ESX and ESXi run directly on the hardware without an intervening OS, while VMware Server
runs as a process under an existing OS. Security with ESXi needs more (manual) attention than ESX.

16. In the case of VMware Server, determine the host OS(s) and version(s), e.g., Windows, Linux,
or UNIX versions.
    Ref: Link Acuerdo de confidencialidad
    Issue: Link Acuerdo de confidencialidad
    Comments: Different operating systems are installed, but because of the confidentiality agreement
    their characteristics cannot be shown. VMware ESXi 6.5 Build 5310538.
17. Determine and document the type of storage array available to VMware. Examples include:
    - Internet Small Computer Systems Interface (iSCSI)
    - Storage Attached Network (SAN)
    - Network File System (NFS), on UNIX or Linux systems
    Ref: Caracteristicas SAN
    Issue: Caracteristicas SAN
    Comments: Currently there is an external SAN-type storage medium, Storage V7000.
18. Select the VMware servers to be included in the review.
18.1.1 Based on the prioritized list of servers developed previously, identify the virtualized servers
to be included in the review. Be sure that there is a representative sample of high-risk servers.
A group of servers may have similar functions or risk levels and can be aggregated into a group.
    Ref: Link de Hosts
    Issue: Link de Hosts
    Comments: Yes, there is an established list from which two are chosen. One ESXi server can be
    analyzed.
18.1.2 Determine if there is a corporate standard server configuration and related settings for each
type of server.
    Ref: Link Acuerdo de confidencialidad
    Issue: Link Acuerdo de confidencialidad
    Comments: Yes, it exists, but the configuration cannot be provided because of confidentiality
    agreements.
19. Obtain documentation for the virtualized servers to be reviewed.
19.1.1 Obtain the latest architectural diagram(s) of the virtualized environment.
    Ref: Diagrama de arquitectura virtualizada
    Issue: Diagrama de la arquitectura virtualizada
    Comments: Yes, there is a diagram of the architecture of the virtualized environment.
19.1.2 Using the VMware Infrastructure Client (VIC), determine the hierarchy of objects in the
ESX deployment:
    - All virtualized hosts (VMs)
    - Details of each VM: central processing unit (CPU), storage, OS, applications
    - Privileged users on a sample of VMs
    Ref: Link de Hosts
    Issue: Link de Hosts
    Comments: Documentation of the VMware infrastructure characteristics is available. The VMs inside
    the hosts cannot be shown.
19.1.3 Obtain an understanding of the ESX operating environment and relevant management
issues.
19.1.3.1 Interview the senior management individual (manager or director) responsible for the
VMware ESX environment to gain an understanding of policies, procedures and known issues.
    Comments: The PM Manager is responsible for the policies and procedures for virtualized
    environments during projects.

2011 ISACA. All rights reserved. Page 24


VMware Server Virtualization Audit/Assurance Program

20. VMWARE VIRTUALIZED ENVIRONMENT Audio_A


mbiente_
Virtualiza
do_VMW
are

2011 ISACA. All rights reserved. Page 25


VMware Server Virtualization Audit/Assurance Program

21. Hardened VMware Hypervisor


Audit/Assurance Objective: The VMware ESX or ESXi hypervisor has been configured to address
identified security vulnerabilities or provide compensating controls for residual risks.
22. VMware Hardening Guide AI3.2
Control: The enterprise uses a good-practices hardening guide specifically for VMware. DS5.7
X
DS9.1
DS9.2
22.1.1.1 Determine whether IT management uses an appropriate hardening reference, such as: Guia de
Security Hardening, by VMware, VMWare Hay
www.vmware.com/files/pdf/vi35_security_hardening_wp.pdf conocimient
ESX Server Security Technical Implementation Guide Version 1, Release 1, by o de los
the Defense Information Systems Agency (DISA), documentos,
iase.disa.mil/stigs/stig/esx_server_stig_v1r1_final.pdf X
pero se
aplican
nicamente
determinado
s puntos.
22.1.1.2 Using the ESXi console, press F2 to enter the Configuration screen and then choose Consola Si se permite
the appropriate menu option in each of the following cases. ESXi el acceso a la
consola de
configuraci
nSe puede
X X
acceder
desde la
pantalla
ubicada en el
chasis
23. Root Password
DS5.3 X
Control: The root password has been changed from the default value.
23.1.1.1 Select Configure Root Password, and verify that the root password is not set to any Link No se
default value, such as root or admin. Acuerdo mantienen
de las
confiden contraseas
cialidad por defecto.
No se puede
mostrar por
acuerdo de
2011 ISACA. All rights reserved. Page 26
VMware Server Virtualization Audit/Assurance Program

confidenciali
dad
23.1.1.2 Determine that at least two suitable senior individuals in IT know the root password Link 1.4.1 Si existe dos
and that they have been granted the privileged access on a need to know basis. Acuerdo encargados
de del rea de
confiden TI que
cialidad conocen la
contrasea
23.1.1.3 Determine that all such privileged users have their own individual local accounts. Link Existe una
Acuerdo sola cuenta
de de usuario
confiden como
cialidad adminstrador
.
23.1.1.4 Determine that a copy of the root password is securely stored under the control of a Link Se almacena
suitable nonoperations management individual for use in an emergency. Acuerdo las
de contraseas
confiden en un
cialidad archivoe de
texto plano.
Que se
encuentra
custodiado
por el
Gerente TI.
24. Lockdown Mode AI3.2
Control: ESX is configured for maximum security. DS5.1 X
DS5.7
24.1.1.1 Select Configure Lockdown Mode, and determine if ESX is configured in Lockdown Link Lockdown
Mode, which disables direct root access. Acuerdo Mode esta
de deshabilitad
confiden o ya que si
cialidad tiene el
acceso root.
25. The ESXi shell is protected. AI3.2
Control: SSH access to the Busybox shell is not enabled.2 DS5.7 X
DS9.1
2011 ISACA. All rights reserved. Page 27
VMware Server Virtualization Audit/Assurance Program

25.1.1.1 Determine that SSH access into the ESXi management console has NOT been enabled Link Si esta
(which compromises the security shell around the console tool.) Acuerdo deshabilitad
de o el acceso
confiden SSH.
cialidad
26. Adequate audit trails exist. AI6.4
X
Control: Remote logging is configured to log actions by privileged users. DS5.5
26.1.1.1 Determine that Remote Logging has been configured to capture events from the Imagen_ Si captura
following: (1) the VC, Lab, Site, LifeCycle and Update Manager hosts, and (2) the MS eventos_ desde VC y
Windows workstation from which the VIC, RCLI, and VI SDK applications are log Update
launched. manager.
26.1.1.2 Determine that log files are protected against unauthorized changes: review security Link Si existe la
policies, determine ownership of log files and access permissions, and which users Acuerdo proteccin
have access to the log files. de de los
confiden accesos inno
cialidad autorizados.
26.1.1.3 Determine that IT security regularly reviews log files for security anomalies, No Eexiste
preferably using a good practices software tool. una persona
encargada
de revisar los
logs
mensualmen
te.
26.1.1.4 Determine that all log files are included in the normal backup and restore functions. No se realiza
un backup
de los logs
26.1.1.5 Determine that access is restricted to backup copies of log files, both onsite and NAEl backup
offsite. de los logs
solo es
realizado por
personas
autorizadas
27. The VMware ESX or ESXi hypervisor is regularly updated. AI6.1
Control: Appropriate patching procedures are in place and regularly activated. AI6.4 X
DS9.2

2
When VMware ESXi boots, it starts Busybox, a Linux-like (more accurately POSIX) environment that provides a management appliance VM with several useful Linux tools.
2011 ISACA. All rights reserved. Page 28
VMware Server Virtualization Audit/Assurance Program

27.1.1.1 Examine documentary evidence that the enterprise monitors VMware security status for current patches and regularly applies necessary patches using VMware Update Manager (VUM).
    Comments: The servers are updated manually, but the process is not documented.
27.1.1.2 Determine that VMware patching is included with the enterprise strategy for deploying other patches in a safely tested and orderly fashion.
    Comments: It is not included in the enterprise's strategies.
27.1.1.3 Obtain explanations for any recent VMware patches that have not been installed.
    Comments: NA
28. Separation of Management and Regular Functions (COBIT: DS5.10, DS9.1, DS9.2)
Control: VMware ESX is configured with at least two networks: one for VMs and one for system management.
    Comments: Yes, the server has one network for administration and another for the virtual machines, through the configured NICs.
28.1.1.1 Determine that a separate network is configured for VMware management by reviewing the most current architecture diagram and capturing the relevant IP addresses and network masks (to confirm that VMs are multi-homed).
    Comments: NA
28.1.1.2 Determine that access to the management network is restricted to a limited number of individuals strictly on a need-to-know basis.
    Comments: NA


29. The password database is protected. (COBIT: DS5.3, DS5.4, DS9.1, DS9.2)
Control: Shadow passwords are implemented to prevent nonroot users from accessing user passwords.
29.1.1.1 Determine that shadow passwords are enabled (this is a system default but may have been disabled).
29.1.1.2 Determine that access to the shadow password database is highly restricted as required by the enterprise's security policies.
    Reference hyperlink (29.1.1.1 and 29.1.1.2): confidentiality agreement. Comments: Yes, the shadow password configuration is maintained.
30. The hardened status of the VMware ESX or ESXi environment is maintained. (COBIT: AI3.2, AI3.3, DS5.5, DS9.3)
Control: IT security regularly assesses the current hardening status of the ESX/ESXi hypervisor, using good practices software tools.
    Reference hyperlink: 4.1.8. Comments: Certain points of the good practices are applied.
30.1.1.1 Determine that IT security regularly runs an assessment tool to identify anomalies from the enterprise's hardening standards (footnote 3).
    Reference hyperlink: confidentiality agreement. Comments: It is not done with a tool but manually.
30.1.1.2 Determine that previously detected anomalies were documented, remediated, reported to management and formally closed out.
    Reference hyperlink: confidentiality agreement. Comments: No formal procedure is followed for the documentation.
30.2 Secure Storage

Footnote 3: Examples of such tools include Bastille, Defense Information Systems Agency (DISA) Security Technical Implementation Guide (STIG) and Tripwire ConfigCheck.

Audit/Assurance Objective: The virtualized environment is protected against unauthorized access to the VMs' disk files.
31. Disk storage is properly isolated. (COBIT: DS9.1, DS9.2, DS9.3)
Control: The VM repository or datastore cannot be accessed directly by any VM.
31.1.1.1 Determine, from architecture diagrams, that only virtualization hosts and VMware Consolidated Backup (VCB) proxy servers can access VM repositories and datastores.
    Comments: NA, there is no proxy server.
31.1.1.2 Determine that all network traffic to and from storage repositories is isolated from nonstorage traffic.
    Comments: NA, there is a single data traffic network. The storage has path redundancy to ensure availability.
31.1.1.3 If a VCB proxy server is in use, determine whether the communication from the VCB server to the storage array is secure; suitable techniques include IPsec (footnote 4) and CHAP (footnote 5) authentication.
    Comments: NA
31.1.1.4 In the case of NFS, determine that appropriate security architecture exists:
    - NFS traffic is isolated on its own set of physical switches.
    - Access to the NFS server is restricted by specifying the actual IP addresses of the ESX/ESXi kernel device dedicated to handling NFS traffic.
    Comments: NA
31.1.1.5 Determine that SSH is disabled on ESX and ESXi environments.
    Reference hyperlink: 4.1.4.1. Comments: SSH is disabled, but when it is needed the SSH service is started.

Footnote 4: Internet Protocol Security (IPsec) is an end-to-end security protocol, operating in the Internet layer of the IP suite, which encrypts all packets of a communication session.
Footnote 5: Challenge Handshake Authentication Protocol (CHAP) is used to validate the identity of remote clients by using a cryptographically strong three-way handshake.
31.1.1.6 Determine from the latest architectural diagram that VMotion traffic is isolated from all other traffic, e.g., on its own virtual LAN (VLAN).
    Comments: NA
31.1.1.7 Determine that VMs in a less trusted security zone (e.g., the demilitarized zone [DMZ]) are not on the same hosts as VMs in more trusted security zones (e.g., production, test, quality assurance [QA], management).
    Comments: N/A. A DMZ exists, but it is within the same host.
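As an added example that is not part of the ISACA program, the following Python script applies the separation checks of step 28 (dedicated management network, VMs multi-homed) and of steps 31.1.1.2, 31.1.1.4 and 31.1.1.6 (storage and VMotion traffic isolated) to a host network inventory of the kind an auditor transcribes from the architecture diagram; the VMkernel ports, VLAN numbers and subnets are constructed sample values.

```python
"""Network separation checks for an ESX/ESXi host, as an auditor would apply
them to the inventory captured from the current architecture diagram:
step 28 (separate management network, VMs multi-homed), 31.1.1.2 and
31.1.1.4 (storage/NFS traffic isolated) and 31.1.1.6 (VMotion isolated).
The host inventory below is a constructed sample, not data from the program.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Traffic types the program expects on their own network
ISOLATED_SERVICES = ("management", "vmotion", "nfs")


@dataclass
class VmkInterface:
    name: str           # VMkernel port, e.g. vmk0
    cidr: str           # IP address and prefix captured from the diagram
    vlan: int
    services: Set[str]  # subset of ISOLATED_SERVICES enabled on this port


@dataclass
class VmPortGroup:
    name: str
    vlan: int
    subnets: List[str] = field(default_factory=list)  # VM subnets, if documented


def check_separation(vmks: List[VmkInterface], portgroups: List[VmPortGroup],
                     required: Tuple[str, ...] = ("management", "vmotion")) -> List[str]:
    """Return a list of findings; an empty list means the separation holds."""
    findings: List[str] = []
    vlan_roles: Dict[int, Set[str]] = {}
    pg_vlans = {pg.vlan: pg.name for pg in portgroups}
    for vmk in vmks:
        roles = set(vmk.services) & set(ISOLATED_SERVICES)
        # One traffic type per VMkernel port: no shared management/VMotion/NFS interface
        if len(roles) > 1:
            findings.append(f"{vmk.name} carries {sorted(roles)} on one interface")
        for role in roles:
            vlan_roles.setdefault(vmk.vlan, set()).add(role)
        # A VMkernel VLAN shared with a VM port group puts VMs on the management/storage segment
        if vmk.vlan in pg_vlans:
            findings.append(f"{vmk.name} shares VLAN {vmk.vlan} with VM port group {pg_vlans[vmk.vlan]}")
        # Subnet overlap between a VMkernel network and a VM subnet defeats the multi-homing check
        net = ipaddress.ip_interface(vmk.cidr).network
        for pg in portgroups:
            for subnet in pg.subnets:
                if net.overlaps(ipaddress.ip_network(subnet)):
                    findings.append(f"{vmk.name} subnet {net} overlaps VM subnet {subnet} ({pg.name})")
    # Each VLAN carrying VMkernel traffic must serve a single traffic type
    for vlan, roles in vlan_roles.items():
        if len(roles) > 1:
            findings.append(f"VLAN {vlan} carries {sorted(roles)}: not isolated")
    # Every required traffic type must terminate on some VMkernel port
    present = {role for vmk in vmks for role in vmk.services}
    for role in required:
        if role not in present:
            findings.append(f"no VMkernel interface dedicated to {role}")
    return findings


def management_evidence(vmks: List[VmkInterface]) -> List[Tuple[str, str, str]]:
    """IP addresses and masks of the management ports, which step 28.1.1.1 asks the auditor to record."""
    out = []
    for vmk in vmks:
        if "management" in vmk.services:
            iface = ipaddress.ip_interface(vmk.cidr)
            out.append((vmk.name, str(iface.ip), str(iface.netmask)))
    return out


# Constructed sample: management, VMotion and NFS each on its own VLAN and subnet
SEPARATED_VMKS = [
    VmkInterface("vmk0", "10.10.1.21/24", 10, {"management"}),
    VmkInterface("vmk1", "10.10.2.21/24", 20, {"vmotion"}),
    VmkInterface("vmk2", "10.10.3.21/24", 30, {"nfs"}),
]
SEPARATED_PGS = [
    VmPortGroup("VM-Prod", 100, ["10.20.0.0/22"]),
    VmPortGroup("VM-DMZ", 200, ["192.0.2.0/24"]),
]

# Constructed sample: a single flat network, the state the control in step 28 rejects
FLAT_VMKS = [VmkInterface("vmk0", "10.10.1.21/24", 10, {"management", "vmotion", "nfs"})]
FLAT_PGS = [VmPortGroup("VM Network", 10, ["10.10.1.0/24"])]

if __name__ == "__main__":
    for label, vmks, pgs in (("separated", SEPARATED_VMKS, SEPARATED_PGS),
                             ("flat", FLAT_VMKS, FLAT_PGS)):
        print(label, check_separation(vmks, pgs) or "no findings")
    print(management_evidence(SEPARATED_VMKS))
```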
31.2 Creation of VMs is controlled.
Audit/Assurance Objective: Appropriate procedural controls exist to ensure that all operating VMs are
properly authorized and configured.
32. VM Maintenance (COBIT: AI3.2, AI3.3, AI6.4)
Control: Creation, modification and removal of VMs are reviewed and monitored and require appropriate authorizations.
32.1.1.1 Determine that a formal review process is in place and operating to create, modify or remove VMs. Gain a copy of the written policy and corresponding standard operating procedure (SOP).
    Comments: A process exists, but each project documents the machines it creates, modifies or removes; it is not documented formally.
32.1.1.1.1 Gather a sample of documented VM changes, and compare to the documented policy/SOP.
    Comments: NA
32.1.1.1.2 Determine whether one or more standard templates is used to configure new VMs to enterprise standards for each class of server (Web, email, application, database, etc.).
    Comments: The vendors' own standard templates are used. If a customized image is needed, the client must provide that image.
32.2 Propagation of VMs into production is adequately controlled.
Audit/Assurance Objective: Change control procedures are in place to provide assurance that VMs are
promoted into production only after being inspected for quality or security defects.
33. VM Change Management and Promotion to Production (COBIT: AI3.3, AI6.4)
Control: VM changes are subject to appropriate review and authorization prior to introduction into the production environment.
33.1.1.1 Obtain a copy of the documented policy and procedures for promoting VMs into production. Determine that relevant approvals are required and documented from development, test and QA.
    Reference hyperlink: confidentiality agreement. Comments: Viewing is permitted only to the audit team.
33.1.1.2 Select a representative sample of VM promotions to production. Determine that policies and procedures have been followed.
    Reference hyperlink: confidentiality agreement. Comments: The policies for promoting the application virtual machine are followed; viewing is permitted only to the audit team.
34. Promotions to production maintain required security. (COBIT: AI3.3, AI6.4, DS5.7)
Control: VM changes/additions to production maintain appropriate security.
34.1.1.1 Determine that no connectivity exists between VMs of different trust levels.
    Comments: There are no different levels of connectivity. There are networks for each of the processes.
34.1.1.2 Determine that third-party tools (if any), such as performance monitors or intrusion detection software, do not bridge trust zones in the virtualized environment.
    Comments: NA
34.1.1.3 Determine that the remote restart network is segmented from other networks.
    Comments: NA
34.1.1.4 Determine that remote-based domain controllers are installed with a dedicated modem and telephone line that includes a password and dial-back feature to a specific telephone number.
    Comments: Does not exist.
35. Capacity Planning
Audit/Assurance Objective: The enterprise regularly reviews the VMware virtualized environment to identify current and anticipated performance and capacity bottlenecks in a proactive manner.
36. A capacity planning tool, such as VMware Capacity Planner, is in use to monitor the VMware environment's current performance. (COBIT: ME4.6)
Control: Use of a software tool to monitor actual performance and capacity of the VMware environment will alert the enterprise to potential bottlenecks before they occur.
36.1.1.1 Determine from IT management whether and how often capacity planning statistics are gathered and documented for the VMware environment.
    Comments: Capacity planning is done according to the service provided, but it is not documented. At the start of a project, an estimate of the storage capacity is made.
36.1.1.2 Determine whether IT management uses a formal software tool, such as VMware Capacity Planner, to gather operational performance statistics, such as CPU cycles, number of servers, disk storage, network throughput, etc.
    Comments: Yes, VMware's own tools are used.

36.1.1.3 Suggested capacity metrics are described in Appendix B.


36.1.1.4 Determine whether and how these statistics are used to model future capacity in a proactive manner.
    Comments: The statistics are stored in a database to be used later. N/A
36.1.1.5 Determine whether the capacity planning model includes nontechnical (business) issues that may impact performance, e.g., planned growth, business cycles, etc.
    Comments: NA
37. COMPLIANCE
    Reference hyperlink: Audio_Cumplimiento
38. VMware is included in compliance controls and assessments.
Audit/Assurance Objective: The VMware virtualization environment is included in processes to ensure continuing compliance with regulations, such as the US Sarbanes-Oxley Act, the US Gramm-Leach-Bliley Act (GLBA), the Payment Card Industry Data Security Standard (PCI-DSS) and other local and global regulations.
    Comments: There is no documentation of recently performed assessments.
39. The VMware virtualization environment is included in compliance assessments. (COBIT: ME3.1)
Control: The various processes to assess compliance with necessary regulations include the VMware virtualization environment.
39.1.1.1 Select a sample of recent, documented compliance assessments, and determine that the VMware environment was reviewed.
    Comments: NA
39.1.1.2 Select a sample of compliance issues related to the VMware virtualization environment, and determine that they were appropriately documented, tracked, remediated, reported to management and closed out.
    Comments: NA


VII. Maturity Assessment


The maturity assessment is an opportunity to assess the maturity of the processes reviewed. Based on the results of the audit/assurance review and the reviewer's observations, assign a maturity level to each of the following COBIT control practices. The assessment should be limited to the control practices related directly to VMware and virtual environments.

COBIT Control Objectives | Assessed Maturity | Target Maturity | Reference Hyperlink | Comments
PO4 Define the IT processes, organisation and relationships: An IT organisation is defined by considering requirements for staff, skills, functions, accountability, authority, roles and responsibilities, and supervision. This organisation is embedded into an IT process framework that ensures transparency and control as well as the involvement of senior executives and business management. A strategy committee ensures board oversight of IT, and one or more steering committees in which business and IT participate determine the prioritisation of IT resources in line with business needs. Processes, administrative policies and procedures are in place for all functions, with specific attention to control, quality assurance, risk management, information security, data and systems ownership, and segregation of duties. To ensure timely support of business requirements, IT is to be involved in relevant decision processes.

PO4.5 IT organisational structure: Establish an internal and external IT organisational structure that reflects business needs. In addition, put a process in place for periodically reviewing the IT organisational structure to adjust staffing requirements and sourcing strategies to meet expected business objectives and changing circumstances.

PO4.6 Establishment of roles and responsibilities: Establish and communicate roles and responsibilities for IT personnel and end users that delineate between IT personnel and end-user authority, responsibilities and accountability for meeting the organisation's needs.
PO9 Assess and manage IT risks: A risk management framework is created and maintained. The framework documents a common and agreed-upon level of IT risks, mitigation strategies and residual risks. Any potential impact on the goals of the organisation caused by an unplanned event is identified, analysed and assessed. Risk mitigation strategies are adopted to minimise residual risk to an accepted level. The result of the assessment is understandable to the stakeholders and expressed in financial terms, to enable stakeholders to align risk to an acceptable level of tolerance.

PO9.1 IT risk management framework: Establish an IT risk management framework that is aligned to the organisation's (enterprise's) risk management framework.

PO9.2 Establishment of risk context: Establish the context in which the risk assessment framework is applied to ensure appropriate outcomes. This should include determining the internal and external context of each risk assessment, the goal of the assessment, and the criteria against which risks are evaluated.

PO9.4 Risk assessment: Assess on a recurrent basis the likelihood and impact of all identified risks, using qualitative and quantitative methods. The likelihood and impact associated with inherent and residual risk should be determined individually, by category and on a portfolio basis.

PO9.5 Risk response: Develop and maintain a risk response process designed to ensure that cost effective controls mitigate exposure to risks on a continuing basis. The risk response process should identify risk strategies such as avoidance, reduction, sharing or acceptance; determine associated responsibilities; and consider risk tolerance levels.

PO9.6 Maintenance and monitoring of a risk action plan: Prioritise and plan the control activities at all levels to implement the risk responses identified as necessary, including identification of costs, benefits and responsibility for execution. Obtain approval for recommended actions and acceptance of any residual risks, and ensure that committed actions are owned by the affected process owner(s). Monitor execution of the plans, and report on any deviations to senior management.
AI3 Acquire and maintain technology infrastructure: Organisations have processes for the acquisition, implementation and upgrade of the technology infrastructure. This requires a planned approach to acquisition, maintenance and protection of infrastructure in line with agreed-upon technology strategies and the provision of development and test environments. This ensures that there is ongoing technological support for business applications.

AI3.2 Infrastructure resource protection and availability: Implement internal control, security and auditability measures during configuration, integration and maintenance of hardware and infrastructural software to protect resources and ensure availability and integrity. Responsibilities for using sensitive infrastructure components should be clearly defined and understood by those who develop and integrate infrastructure components. Their use should be monitored and evaluated.

AI3.3 Infrastructure maintenance: Develop a strategy and plan for infrastructure maintenance, and ensure that changes are controlled in line with the organisation's change management procedure. Include periodic reviews against business needs, patch management, upgrade strategies, risks, vulnerabilities assessment and security requirements.
AI6 Manage changes: All changes, including emergency maintenance and patches, relating to infrastructure and applications within the production environment are formally managed in a controlled manner. Changes (including those to procedures, processes, system and service parameters) are logged, assessed and authorised prior to implementation and reviewed against planned outcomes following implementation. This assures mitigation of the risks of negatively impacting the stability or integrity of the production environment.

AI6.1 Change standards and procedures: Set up formal change management procedures to handle in a standardised manner all requests (including maintenance and patches) for changes to applications, procedures, processes, system and service parameters, and the underlying platforms.

AI6.2 Impact assessment, prioritisation and authorisation: Assess all requests for change in a structured way to determine the impact on the operational system and its functionality. Ensure that changes are categorised, prioritised and authorised.

AI6.4 Change status tracking and reporting: Establish a tracking and reporting system to document rejected changes, communicate the status of approved and in-process changes, and complete changes. Make certain that approved changes are implemented as planned.

DS5 Ensure systems security: The need to maintain the integrity of information and protect IT assets requires a security management process. This process includes establishing and maintaining IT security roles and responsibilities, policies, standards, and procedures. Security management also includes performing security monitoring and periodic testing and implementing corrective actions for identified security weaknesses or incidents.

DS5.1 Management of IT security: Manage IT security at the highest appropriate organisational level, so the management of security actions is in line with business requirements.

DS5.3 Identity management: Ensure that all users (internal, external and temporary) and their activity on IT systems (business application, IT environment, system operations, development and maintenance) are uniquely identifiable. Enable user identities via authentication mechanisms. Confirm that user access rights to systems and data are in line with defined and documented business needs and that job requirements are attached to user identities. Ensure that user access rights are requested by user management, approved by system owners and implemented by the security-responsible person. Maintain user identities and access rights in a central repository. Deploy cost-effective technical and procedural measures, and keep them current to establish user identification, implement authentication and enforce access rights.

DS5.4 User account management: Address requesting, establishing, issuing, suspending, modifying and closing user accounts and related user privileges with a set of user account management procedures. Include an approval procedure outlining the data or system owner granting the access privileges. These procedures should apply for all users, including administrators (privileged users) and internal and external users, for normal and emergency cases. Rights and obligations relative to access to enterprise systems and information should be contractually arranged for all types of users.

DS5.5 Security testing, surveillance and monitoring: Test and monitor the IT security implementation in a proactive way. IT security should be reaccredited in a timely manner to ensure that the approved enterprise's information security baseline is maintained.

DS5.7 Protection of security technology: Make security-related technology resistant to tampering, and do not disclose security documentation unnecessarily.

DS5.10 Network security: Use security techniques and related management procedures (e.g., firewalls, security appliances, network segmentation, intrusion detection/protection) to authorize access and control information flows from and to networks.
DS9 Manage the configuration: Ensuring the integrity of hardware and software configurations requires the establishment and maintenance of an accurate and complete configuration repository. This process includes collecting initial configuration information, establishing baselines, verifying and auditing configuration information, and updating the configuration repository as needed.

DS9.1 Configuration repository and baseline: Establish a supporting tool and a central repository to contain all relevant information on configuration items. Monitor and record all assets and changes to assets. Maintain a baseline of configuration items for every system and service as a checkpoint to which to return after changes.

DS9.2 Identification and maintenance of configuration items: Establish configuration procedures to support management and logging of all changes to the configuration repository. Integrate these procedures with change management, incident management and problem management procedures.

DS9.3 Configuration integrity review: Periodically review the configuration data to verify and confirm the integrity of the current and historical configuration. Periodically review installed software against the policy for software usage to identify personal or unlicensed software or any software instances in excess of current license agreements. Report, act on and correct errors and deviations.
ME3 Ensure compliance with external requirements: Effective oversight of compliance requires the establishment of a review process to ensure compliance with laws, regulations and contractual requirements. This process includes identifying compliance requirements, optimising and evaluating the response, obtaining assurance that the requirements have been complied with and, finally, integrating IT's compliance reporting with the rest of the business.

ME3.1 Identification of external legal, regulatory and contractual compliance requirements: Identify, on a continuous basis, local and international laws, regulations, and other external requirements that must be complied with for incorporation into the organisation's IT policies, standards, procedures and methodologies.
ME4 Provide IT governance: Establishing an effective governance framework includes defining organisational structures, processes, leadership, roles and responsibilities to ensure that enterprise IT investments are aligned and delivered in accordance with enterprise strategies and objectives.

ME4.1 Establishment of an IT governance framework: Define, establish and align the IT governance framework with the overall enterprise governance and control environment. Base the framework on a suitable IT process and control model and provide for unambiguous accountability and practices to avoid a breakdown in internal control and oversight. Confirm that the IT governance framework ensures compliance with laws and regulations and is aligned with, and confirms delivery of, the enterprise's strategies and objectives. Report IT governance status and issues.

ME4.2 Strategic alignment: Enable board and executive understanding of strategic IT issues, such as the role of IT, technology insights and capabilities. Ensure that there is a shared understanding between the business and IT regarding the potential contribution of IT to the business strategy. Work with the board and the established governance bodies, such as an IT strategy committee, to provide strategic direction to management relative to IT, ensuring that the strategy and objectives are cascaded into business units and IT functions, and that confidence and trust are developed between the business and IT. Enable the alignment of IT to the business in strategy and operations, encouraging co-responsibility between the business and IT for making strategic decisions and obtaining benefits from IT-enabled investments.

ME4.5 Risk management: Work with the board to define the enterprise's appetite for IT risk, and obtain reasonable assurance that IT risk management practices are appropriate to ensure that the actual IT risk does not exceed the board's risk appetite. Embed risk management responsibilities into the organisation, ensuring that the business and IT regularly assess and report IT-related risks and their impact and that the enterprise's IT risk position is transparent to all stakeholders.

ME4.6 Performance measurement: Confirm that agreed-upon IT objectives have been met or exceeded, or that progress toward IT goals meets expectations. Where agreed-upon objectives have been missed or progress is not as expected, review management's remedial action. Report to the board relevant portfolios, programme and IT performance, supported by reports to enable senior management to review the enterprise's progress toward identified goals.


VIII. Assessment Maturity vs. Target Maturity


This spider graph is an example of the assessment results and maturity target for a specific enterprise.

Appendix A. Virtualization Architecture
This appendix describes the virtualization architecture and should be of use to the audit/assurance
professional.

A so-called bare-metal hypervisor installs directly on the hardware, with no intervening operating system,
such as Windows or Linux. As such, it is optimized for a particular type of hardware and provides high
utilization of the hardware, typically in the 90 percent range. The VMware ESX (and ESXi) hypervisor is a
successful example of a bare-metal hypervisor. In summary, the VMware virtualization model comprises a
three-level structure:
- VM layer: This houses the various hosted OSs and applications in separated VMs, each of which sees itself as a physical machine with its own hardware.
- ESX layer: The VM ESX kernel, residing in this layer, schedules the physical hardware (local CPUs, memory, hard disks, local network cables, local storage bus adapters) for the VMs, together with the management interface.
- Shared resources layer: The physical hardware subsystems such as storage and physical network, shared by many VMs.

VMware Infrastructure 3 (VI3) is a set of 12 software components in a single suite, as follows:


1. ESX or ESXi: The hypervisors described previously; ESXi is a simplified version designed to be configured by (relatively) nontechnical personnel
2. Virtual SMP (symmetric multiprocessing): Enables a VM to use up to four physical processors simultaneously
3. Virtual machine file system (VMFS): A file system that allows VMs to access the same data storage assets concurrently
4. VMotion: The resource that moves an in-process VM from one host to another without loss of connectivity
5. Storage VMotion: Moves in-process VM files from one host to another to improve utilization of storage resources
6. Distributed Resource Scheduler (DRS): Monitors available resources so an administrator can move VMs to improve resource utilization or level the processing load on the physical servers
7. High Availability (HA): Used to restart VMs on a new host if the host on which they were running has failed
8. VMware Consolidated Backup (VCB): A centralized service to back up VMs through a backup proxy server
9. Distributed Power Management (DPM): This utility reduces power consumption by consolidating active VMs onto the minimum number of hosts so that inactive hosts can sleep; the latter automatically wake up as needed

The following three useful components are not standard with VI3 and can be purchased separately:
10. Virtual Center (VC): The centralized management console for configuring hosts and VMs and also for creating fault-tolerant clusters
11. Converter: Used to convert physical Windows machines into VMs and restore backup images created by a VCB
12. Capacity Planner: An agentless, hosted application service that gathers data about the IT infrastructure

Appendix B. VMware Performance Metrics
If the utilization of any of the resources allocated to running VMs (CPU cycles, memory, disk, disk
input/output (I/O), network) exceeds acceptable operational thresholds, capacity bottlenecks can occur,
resulting in unacceptable performance and leading to poor ROI and dissatisfied users. Therefore, it is
important to monitor the VMware virtualization environment proactively to identify potential bottlenecks
before they can affect system performance.

An appropriate set of performance metrics provides the raw data to identify bottlenecks and also to model
future performance under the impact of expected changes in the business environment. The following table
shows a suggested set of VMware metrics that will assist in the tasks of performance evaluation and
capacity management. They are collected by VMware's Virtual Center (VC) component.

CPU Metrics
Metric | Details | Good Practice

cpu.ready.summation
    Details: Indicates whether a VM is having CPU ready issues, resulting from CPU over-utilization, e.g., if VMs are contending for limited CPU time.
    Good practice: A CPU Ready bottleneck occurs when more than 5 percent of the time involved in a CPU transaction by a VM is in wait time for the resource.

cpu.usagemhz.average
    Details: Measures CPU utilization at the VM level.
    Good practice: VMs with high values for this metric may be negatively impacting other VMs.

disk.busResets.summation
    Details: A value for this metric indicates a possible disk overload issue due to: too many VMs accessing the disk; too many I/Os from the VMs to the disk; hardware failure.
    Good practice: Reallocate storage, e.g., spread busy files across multiple physical drives. Move VMs to other datastores with available capacity.

disk.commandsAborted.summation
    Details: The number of times a request was sent to a disk and was aborted. Similar reasons to above.
    Good practice: Reallocate storage, e.g., spread busy files across multiple physical drives. Move VMs to other datastores with available capacity.

disk.totalLatency.average
    Details: Measures a disk's total latency, i.e., time taken to complete an I/O. A value in this metric indicates a bottleneck.
    Good practice: Balance workloads by rightsizing resources allocated to the top consuming VMs to reduce load on bottlenecked disk(s) and/or by moving these VMs to other datastores.

disk.queueLatency.average
    Details: Shows the average time an I/O command waits in a queue to be processed by the disk. A value in this metric indicates a bottleneck.
    Good practice: Balance workloads by rightsizing resources allocated to the top consuming VMs to reduce load on bottlenecked disk(s) and/or by moving these VMs to other datastores.

disk.read.average, disk.write.average
    Details: These two metrics show real-time traffic levels from and to a disk, respectively, at the VM level. The average of the two metrics gives a measure of disk throughput.
    Good practice: A graph of throughput over time shows VM performance and problems that may be impacting other VMs.

mem.consumed.average
    Details: Measures the number of memory pages a VM is using in real time. This statistic indicates whether a memory bottleneck exists or whether a VM is a memory hog.
    Good practice: Add more memory, or move the offending VM(s) to a host with more available memory.

mem.overhead.average
    Details: Measures the amount of memory used to manage allocated memory at the VM level, i.e., the memory administration overhead.
    Good practice: Rightsize VMs that have excessive memory allocations, or move them to hosts with more available memory.

mem.swapin.average, mem.swapout.average, mem.swapped.average
    Details: Indicate that bottlenecks are occurring in memory swapping, i.e., virtual storage administration. If so, performance may be severely degraded.
    Good practice: Excessive VM swaps indicate the need for additional memory resources.

mem.vmmemctl.average
    Details: A value in this metric indicates that ballooning is occurring, i.e., when VMs come close to system limits on memory use. This indicates a bottleneck.
    Good practice: Change memory allocation parameters and/or move VMs to hosts with more available memory.
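As an added example that is not part of the original program, the following Python code applies the good-practice thresholds of the table above to constructed per-VM samples (CPU ready above 5 percent; any bus resets, aborted commands, latency, swapping or ballooning). The 20-second collection interval and the conversion of cpu.ready.summation (milliseconds accumulated per interval) into a percentage are assumptions taken from Virtual Center's real-time charts, not figures stated in the table.

```python
"""Apply the Appendix B good-practice thresholds to per-VM performance
samples: CPU ready above 5 percent, and any bus resets, aborted commands,
disk latency, swapping or ballooning. The samples are constructed, not
data from the program.

Assumption (not stated in the table): cpu.ready.summation is milliseconds
of ready time accumulated over one 20-second real-time collection interval
across all vCPUs, so percent ready = summation / (interval * 1000 * vCPUs).
"""
from typing import Dict, List

CPU_READY_LIMIT_PCT = 5.0  # the table's CPU Ready bottleneck threshold
DEFAULT_INTERVAL_S = 20    # assumed real-time sampling interval

# Metrics the table flags as soon as they show a non-zero value
NONZERO_INDICATES_PROBLEM = {
    "disk.busResets.summation": "possible disk overload (bus resets)",
    "disk.commandsAborted.summation": "disk requests aborted",
    "disk.totalLatency.average": "disk total latency bottleneck",
    "disk.queueLatency.average": "disk queue latency bottleneck",
    "mem.swapin.average": "memory swap-in",
    "mem.swapout.average": "memory swap-out",
    "mem.swapped.average": "memory swapped out",
    "mem.vmmemctl.average": "ballooning: VM close to its memory limits",
}

Sample = Dict[str, float]


def cpu_ready_percent(ready_summation_ms: float, vcpus: int,
                      interval_s: int = DEFAULT_INTERVAL_S) -> float:
    """Percentage of the interval a VM's vCPUs spent ready but not scheduled."""
    return 100.0 * ready_summation_ms / (interval_s * 1000.0 * vcpus)


def evaluate_vm(name: str, sample: Sample, vcpus: int,
                interval_s: int = DEFAULT_INTERVAL_S) -> List[str]:
    """Return findings for one VM, one line per breached good-practice rule."""
    findings: List[str] = []
    ready = sample.get("cpu.ready.summation")
    if ready is not None:
        pct = cpu_ready_percent(ready, vcpus, interval_s)
        if pct > CPU_READY_LIMIT_PCT:
            findings.append(f"{name}: CPU ready {pct:.1f}% exceeds {CPU_READY_LIMIT_PCT:.0f}%")
    for metric, meaning in NONZERO_INDICATES_PROBLEM.items():
        value = sample.get(metric, 0)
        if value > 0:
            findings.append(f"{name}: {metric}={value} -> {meaning}")
    return findings


def report(samples: Dict[str, Sample], vcpus: Dict[str, int],
           interval_s: int = DEFAULT_INTERVAL_S) -> List[str]:
    """Findings for every VM in the sample set."""
    findings: List[str] = []
    for name, sample in samples.items():
        findings.extend(evaluate_vm(name, sample, vcpus[name], interval_s))
    return findings


def top_consumers(samples: Dict[str, Sample], metric: str, n: int = 3) -> List[str]:
    """VMs ranked by a utilization metric such as cpu.usagemhz.average or
    mem.consumed.average; the table says the top ones may be hurting other VMs."""
    ranked = sorted(samples.items(), key=lambda kv: kv[1].get(metric, 0), reverse=True)
    return [name for name, _ in ranked[:n]]


# Constructed samples for one 20 s interval
SAMPLES: Dict[str, Sample] = {
    "web01": {"cpu.ready.summation": 400, "cpu.usagemhz.average": 900,
              "mem.consumed.average": 2048},
    "db01": {"cpu.ready.summation": 2000, "cpu.usagemhz.average": 2600,
             "mem.consumed.average": 6144, "mem.vmmemctl.average": 512},
    "app02": {"cpu.ready.summation": 100, "cpu.usagemhz.average": 1200,
              "mem.consumed.average": 3072, "disk.busResets.summation": 2},
}
VCPUS = {"web01": 2, "db01": 1, "app02": 2}

if __name__ == "__main__":
    for line in report(SAMPLES, VCPUS):
        print(line)
    print("top CPU consumers:", top_consumers(SAMPLES, "cpu.usagemhz.average"))
```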
