How To Control Vcloud Air From A Microsoft Vcloud 1.1.1 (Vcloud)



Similar documents
VMware vcloud Air HIPAA Matrix

HIPAA/HITECH Compliance Using VMware vcloud Air

VMware vcloud Air Security TECHNICAL WHITE PAPER

ensure prompt restart of critical applications and business activities in a timely manner following an emergency or disaster

FIREWALL CHECKLIST. Pre Audit Checklist. 2. Obtain the Internet Policy, Standards, and Procedures relevant to the firewall review.

PCI DSS Requirements - Security Controls and Processes

PCI Requirements Coverage Summary Table

Vendor Questionnaire

TASK TDSP Web Portal Project Cyber Security Standards Best Practices

Client Security Risk Assessment Questionnaire

BAE Systems PCI Essentail. PCI Requirements Coverage Summary Table

Configuring Single Sign-on from the VMware Identity Manager Service to WebEx

Autodesk PLM 360 Security Whitepaper

SonicWALL PCI 1.1 Implementation Guide

State of Wisconsin DET File Transfer Protocol Service Offering Definition (FTP & SFTP)

Using PowerBroker Identity Services to Comply with the PCI DSS Security Standard

Managing Remote Access

Achieving PCI-Compliance through Cyberoam

74% 96 Action Items. Compliance

PCI Requirements Coverage Summary Table

Achieving PCI COMPLIANCE with the 2020 Audit & Control Suite.

6. AUDIT CHECKLIST FOR NETWORK ADMINISTRATION AND SECURITY AUDITING

Automate PCI Compliance Monitoring, Investigation & Reporting

Supplier Information Security Addendum for GE Restricted Data

Central Agency for Information Technology

Question Name C 1.1 Do all users and administrators have a unique ID and password? Yes

GFI White Paper PCI-DSS compliance and GFI Software products

ADMINISTRATIVE POLICY # (2014) Remote Access. Policy Number: ADMINISTRATIVE POLICY # (2014) Remote Access

MANAGED FILE TRANSFER: 10 STEPS TO SOX COMPLIANCE

Information Security Risk Assessment Checklist. A High-Level Tool to Assist USG Institutions with Risk Analysis

March

IT Best Practices Audit TCS offers a wide range of IT Best Practices Audit content covering 15 subjects and over 2200 topics, including:

Implementation Guide

Using Automated, Detailed Configuration and Change Reporting to Achieve and Maintain PCI Compliance Part 4

Cybersecurity Health Check At A Glance

Cyber-Ark Software and the PCI Data Security Standard

Security Controls for the Autodesk 360 Managed Services

vcloud Director User's Guide

Workflow Templates Library

Payment Card Industry Self-Assessment Questionnaire

PREPARED BY: AUDIT PROGRAM Author: Lance M. Turcato. APPROVED BY: Logical Security Operating Systems - Generic. Audit Date:

Today s Topics. Protect - Detect - Respond A Security-First Strategy. HCCA Compliance Institute April 27, Concepts.

APPENDIX G ASP/SaaS SECURITY ASSESSMENT CHECKLIST

2: Do not use vendor-supplied defaults for system passwords and other security parameters

University of Pittsburgh Security Assessment Questionnaire (v1.5)

Data Management Policies. Sage ERP Online

Upgrading Horizon Workspace

1B1 SECURITY RESPONSIBILITY

Host Hardening. Presented by. Douglas Couch & Nathan Heck Security Analysts for ITaP 1

Configuring Single Sign-on from the VMware Identity Manager Service to Dropbox

Security Guide vcenter Operations Manager for Horizon View 1.5 TECHNICAL WHITE PAPER

ACE Management Server Deployment Guide VMware ACE 2.0

PCI DSS Reporting WHITEPAPER

MANAGED FILE TRANSFER: 10 STEPS TO HIPAA/HITECH COMPLIANCE

SAQ D Compliance. Scott St. Aubin Senior Security Consultant QSA, CISM, CISSP

Credit Cards and Oracle: How to Comply with PCI DSS. Stephen Kost Integrigy Corporation Session #600

Infor CloudSuite. Defense-in-depth. Table of Contents. Technical Paper Plain talk about Infor CloudSuite security

What s New in VMware Data Recovery 2.0 TECHNICAL MARKETING DOCUMENTATION

INCIDENT RESPONSE CHECKLIST

Larry Wilson Version 1.0 November, University Cyber-security Program Critical Asset Mapping

RSA Authentication Manager 7.1 Security Best Practices Guide. Version 2

Retention & Destruction

Consensus Policy Resource Community. Lab Security Policy

Guideline on Auditing and Log Management

Achieving Control: The Four Critical Success Factors of Change Management. Technology Concepts & Business Considerations

Mobile Secure Desktop Maximum Scalability, Security and Availability for View with F5 Networks HOW-TO GUIDE

How To Protect Data From Attack On A Network From A Hacker (Cybersecurity)

Best Practices for PCI DSS V3.0 Network Security Compliance

Security from a customer s perspective. Halogen s approach to security

How To Achieve Pca Compliance With Redhat Enterprise Linux

Remote Access Procedure. e-governance

Configuring Single Sign-on from the VMware Identity Manager Service to AirWatch Applications

SUPPLIER SECURITY STANDARD

Best Practices Report

ADM:49 DPS POLICY MANUAL Page 1 of 5

LogRhythm and PCI Compliance

PierianDx - Clinical Genomicist Workstation Software as a Service FAQ s

PCI COMPLIANCE REQUIREMENTS COMPLIANCE CALENDAR

Integration with Active Directory

A Nemaris Company. Formal Privacy & Security Assessment For Surgimap version and higher

VMware vcloud Networking and Security Overview

<COMPANY> PR11 - Log Review Procedure. Document Reference Date 30th September 2014 Document Status. Final Version 3.

Did you know your security solution can help with PCI compliance too?

General Standards for Payment Card Environments at Miami University

NETWORK AND CERTIFICATE SYSTEM SECURITY REQUIREMENTS

PCI DSS Policies Outline. PCI DSS Policies. All Rights Reserved. ecfirst Page 1 of 7

North American Electric Reliability Corporation: Critical Infrastructure Protection, Version 5 (NERC-CIP V5)

Configuring Single Sign-on from the VMware Identity Manager Service to ServiceNow

How To Protect Your Data From Being Stolen

Procedure Title: TennDent HIPAA Security Awareness and Training

MAXIMUM DATA SECURITY with ideals TM Virtual Data Room

Migrating to vcloud Automation Center 6.1

CHIS, Inc. Privacy General Guidelines

Transcription:

SOC 1 Control Objectives/Activities Matrix goes to great lengths to ensure the security and availability of vcloud Air services. In this effort, we have undergone a variety of industry standard audits, assessments and certification efforts, including Service Organization Controls 1 (SOC1) Type 2. This document is intended to provide customers with additional context around the SOC 1 control objectives that VMware has designed and implemented for management and delivery of vcloud Air services. An independent third- party audit firm annually assesses these controls, and the details of these audits are available upon request. The matrix within this document is a tool that can assist your organization in quickly identifying the control activities that vcloud Air has in place to satisfy the control objectives. **DISCLAIMER This document only includes the control objectives and related control activities of services and excludes the control objectives and related controls of any data center providers. An independent third- party audit firm assesses vcloud Air services annually. To request a copy of the most recent vcloud Air SOC 1 report, please contact your VMware salesperson. COMPUTER OPERATIONS Control activities provide reasonable assurance that application and data files for the vcloud Air system are backed up in a timely manner and securely stored. 1.01 Documented policies and procedures are in place to guide personnel in performing data backups and data restoration. 1.02 An automated backup system is in place to perform scheduled backups of production data and systems. 1.03 The automated backup system is configured to send alert notifications to information technology operations personnel regarding backup job completion status. 1.04 Information technology operations personnel perform backup media restores as a component of normal business operations to verify that system components can be recovered from system backups. 1.05 Administrative access privileges to backup systems and data are restricted to user accounts accessible by 1

Computer Operations Control activities provide reasonable assurance that vcloud Air systems are maintained in a manner that helps ensure system availability. 2.01 Documented escalation procedures and a ticketing system are in place to guide employees in identifying, reporting, and responding to system availability issues and related security incidents. 2.02 Documented standard build procedures are utilized for the installation and maintenance of production servers. Patch Management 2.03 A patch management methodology is in place to guide personnel in the initiation, testing, and deployment of patches for production infrastructure. Monitoring 2.04 Network Operations personnel utilize an automated ticketing system to manage system incidents, response, and resolution. 2.05 Multiple enterprise monitoring applications are utilized to monitor operational performance of production servers and network devices. 2.06 The enterprise monitoring applications are configured to forward system events to a central logging system. The central logging system is configured to display on- screen alert notifications when predefined thresholds are exceeded on monitored systems. 2.07 Security and network operations personnel monitor the central logging system for security and availability events 24 hours per day. 2.08 Operational statistics reports are reviewed by management on a quarterly basis. Antivirus 2.09 A central antivirus server is configured with antivirus software to protect registered production workstations and servers. 2.10 The antivirus software is configured to scan for updates to antivirus definitions and update registered clients on daily basis. 2.11 The antivirus software is configured to scan registered clients on a weekly basis. 2

INFORMATION SECURITY Control activities provide reasonable assurance that system information, once entered into the system, is protected from unauthorized or unintentional use, modification, addition or deletion. 3.01 Documented policies and procedures are in place to guide personnel regarding information security procedures. 3.02 User access requests to production systems are documented within a ticketing system and require manager approval. 3.03 An employee termination ticket is completed and employee access to production systems is revoked as a component of the employee termination process. Network Domain Authentication 3.04 The network domain is configured to enforce the following password requirements: Minimum password length Minimum password history Password expiration intervals Password complexity Invalid password account lockout threshold Network Domain Access 3.05 Administrative access privileges to the network domain are restricted to user accounts accessible by Network Domain Logging 3.06 The network domain is configured to log the following security events that are reviewed by security administrators on an ad hoc basis: Account logon events Account management Security administration Production Environment Authentication 3.07 Users connect to the production environment via a two- factor VPN authentication. Production Environment Access 3.08 Administrative access privileges to the VPN systems are restricted to user accounts accessible by 3

Operating System Authentication (Windows) 3.09 Users are required to authenticate with a valid user account and password before being granted access to the operating systems. Operating System Access (Windows) 3.10 Administrative access privileges to the operating systems are restricted to user accounts accessible by Operating System Logging (Windows) 3.11 The operating systems are configured to log the following security events that are reviewed by security administrators on an ad hoc basis: Account logon events Account management Security administration Operating System Authentication (Linux) 3.12 Prior to gaining access to Linux operating systems, operating system users are required to connect and authenticate via a user account and password before being granted access to the operating systems. Operating System (Linux) 3.13 Administrative access privileges to the operating systems are restricted to user accounts accessible by 3.14 Operating system users are authenticated via public/private SSH key pair with passphrase before being granted access to the operating system. Operating System Logging (Linux) 3.15 The operating systems are configured to log the following security events that are reviewed by security administrators on an ad hoc basis: Account logon events Account management Security administration Application Authentication (vcloud Director) 3.16 Authentication to the application is granted based on the user s network domain credentials. Application Access (vcloud Director) 3.17 Administrative access privileges to the application are restricted to user accounts accessible by Application Authentication (vcim) 3.18 Application users are authenticated via a user account and password before being granted access to the application. 4

Application Access (vcim) 3.19 Administrative access privileges to the application are restricted to user accounts accessible by Application Logging (vcloud Director and vcim) 3.20 The applications are configured to log the following security events that are reviewed by security administrators on an ad hoc basis: Account logon events Account management Security administration DATA COMMUNICATIONS Control activities provide reasonable assurance that data maintains its integrity and security as it is transmitted between third parties and vcloud Air. 4.01 Management maintains documented policies and procedures to govern data communication activities that include, but are not limited to, the following: Firewall system administration Remote access 4.02 Documented escalation procedures for reporting security incidents are in place to guide employees in identifying, reporting, and acting upon system security breaches and other incidents. Firewall Systems 4.03 High availability firewall systems are in place to filter unauthorized inbound network traffic from the Internet. 4.04 The firewall systems are configured to deny any type of network connection that is not explicitly authorized by a firewall system rule. 4.05 Access to modify the firewall system software, configurations or rulesets is restricted to shared and individual user accounts accessible by Remote Access 4.06 Users connect to the production environment via a two- factor VPN authentication. 4.07 Encrypted VPNs are required for remote access to help ensure the security and integrity of the data passing over the public network. 4.08 Administrative access privileges to the VPN systems are restricted to user accounts accessible by 5

Network Administration 4.09 Security operations personnel utilize an automated ticketing system to document security violations, responses, and resolution. 4.10 Security operations personnel monitor the central logging system for security events 24 hours per day. 4.11 Web servers utilize SSL encryption for web communication sessions. 4.12 An IDS is in place to analyze network device logs and report possible or actual network security breaches. 4.13 The IDS is configured to forward network events to a central logging system. The central logging system is configured to send e- mail alert notifications to the security operations team when certain network events are detected. 4.14 Information security personnel perform a vulnerability assessment on a monthly basis. 4.15 Management ensures that a penetration test is performed at least annually to identify potential security vulnerabilities. APPLICATION CHANGE CONTROL Control activities provide reasonable assurance that unauthorized changes are not made to vcloud Air production application systems. 5.01 Documented policies and procedures are in place to guide personnel in the requesting, approval, and testing of changes to applications. Source Code Repository 5.02 Version control software is utilized to control access to the source code. 5.03 Changes to source code result in the creation of a new version of the application code. Application Change Process 5.04 A ticketing system is in place to centrally maintain, manage, and monitor enhancement, development, and maintenance activities. 5.05 QA personnel perform testing of software changes prior to implementation in the production environment. 5.06 Testing efforts are performed in an environment that is physically and logically separate from the production environment. 5.07 A change advisory board (CAB) meeting is held on a weekly basis to discuss ongoing and upcoming projects and to approve software changes. 5.08 CAB members approve software changes prior to implementation. 6

5.09 The ability to implement changes is restricted to user accounts accessible by 5.10 Release notes and known issues are available to customers on the support center web site. CHANGE MANAGEMENT Control activities provide reasonable assurance that changes to vcloud Air infrastructure are logged, authorized, tested, approved, implemented, and documented. 6.01 Documented policies and procedures are in place to guide personnel in the requesting, approval, and testing of changes to systems and infrastructure. Hosting Infrastructure Changes 6.02 A ticketing system is in place to centrally maintain, manage, and monitor enhancement, development, and maintenance activities. 6.03 Operations support personnel document test plans prior to implementation in the production environment. 6.04 A CAB meeting is held on a weekly basis to discuss ongoing and upcoming projects and to approve infrastructure changes. 6.05 CAB members approve CAB level infrastructure changes prior to implementation. CUSTOMER SUPPORT AND INCIDENT RESPONSE Control activities provide reasonable assurance that customer inquiries and issues are responded to in a timely manner. 7.01 Documented policies and procedures are in place to guide personnel in regards to customer support and incident response procedures. 7.02 GSS personnel utilize an automated ticketing system to track and manage customer inquiries and issues to resolution. 7.03 vcloud Air Operations personnel meet with GSS personnel on a weekly basis to review open and aged tickets. 7.04 A customer service ticket metrics report is generated on a weekly basis. 7

MONITORING OF DATA CENTER OPERATIONS Control activities provide reasonable assurance that controls at Data Center Provider organizations are monitored and additional VMware controls are applied to VMware contracted secured spaces. 8.01 Documented policies and procedures are in place to guide VMware authorized personnel in regards to monitoring data center controls. 8.02 Agreements are in place with data center providers to ensure that physical and environmental security controls are being met. 8.03 Data center provider audit reports and or certification documentation, if available, are reviewed to determine effectiveness of data center provider physical and environmental security controls. 8.04 VMware authorized data center operations personnel perform quarterly walkthroughs of the data center providers using a checklist to monitor controls which include the following: Security guards and/or personnel are in place to monitor the data center ingress points Assigned badge access devices are in working order Assigned biometric devices are in working order Data center temperature is at an acceptable level Systems are powered appropriately 8.05 Badge access logs for the contracted secured spaces are requested from the data center providers and retained by VMware for at least ninety days. VMware, Inc. 3401 Hillview Avenue Palo Alto CA 94304 USA Tel 877-486-9273 Fax 650-427-5001 www.vmware.com Copyright 2015 VMware, Inc. All rights reserved. This product is protected by U.S. and international copyright and intellectual property laws. VMware products are covered by one or more patents listed at http://www.vmware.com/go/patents. VMware is a registered trademark or trademark of VMware, Inc. in the United States and/or other jurisdictions. All other marks and names mentioned herein may be trademarks of their respective companies. 8

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information