VMware Server Virtualization Audit/Assurance Program 

 

VMware®  Server Virtualization Audit/Assurance Program  Download (Member Only, 629K)
Bookstore Purchase the Book

  Provide feedback on this document
Knowledge Center  Visit the Audit Tools and Techniques Knowledge Center community
Knowledge Center  Visit the Virtualization Knowledge Center community

IT audit and assurance professionals are expected to customize this document to the environment in which they are performing an assurance process. This document is to be used as a review tool and starting point. It may be modified by the IT audit and assurance professional; it is not intended to be a checklist or questionnaire. It is assumed that the IT audit and assurance professional has the necessary subject matter expertise required to conduct the work and is supervised by a professional with the Certified Information Systems Auditor (CISA) designation and/or necessary subject matter expertise to adequately review the work performed.

Objective—The VMware server virtualization audit/assurance review will provide management with an independent assessment of the effectiveness of the configuration of, controls over and security of the virtualized servers operating under VMware in the enterprise’s computing environment.

Scope—The review will focus on the governance, configuration and management of the relevant VMware virtualized servers in the enterprise, with emphasis on control issues specific to virtualized environments.

The selection of specific applications, functions and servers will be based on the risks introduced to the enterprise by these systems.

The VMware server virtualization audit/assurance review is not designed to replace or focus on audits that provide assurance of specific application processes and excludes assurance of an application’s functionality and suitability.

Since the areas under review rely heavily on the effectiveness of core IT general controls, it is recommended that audit/assurance reviews of the following areas be performed prior to the execution of the VMware server virtualization review so that appropriate reliance can be placed on these assessments:

  • Identity management as it applies to the VMware environment, i.e., privileged VMware users, user access to VMs, etc.
  • Security incident management
  • Secure architecture, including virtualized servers and server farms and network security
  • Systems development—Test environments are typically hosted on virtualized servers for ease of testing and recovery after crashes.
  • Risk management
  • Vulnerability management and testing
  • Cryptographic controls and associated key management