
Server Virtualization Controls

This document outlines controls for auditing a server virtualization environment. It lists 5 control objectives with their associated number of controls: Image and Snapshot Management (13 controls), Change Management (5 controls), Access Management (13 controls), Security Monitoring (3 controls), and Communications Management (4 controls), for a total of 42 controls. It also lists the in-scope virtualization technologies and their associated number of in-scope controls: Hypervisor (21 controls), Virtualization Management System (20 controls), Virtualization Implementation Tool (26 controls), Guest OS (15 controls), for a total of 82 controls. Finally, it provides details on specific control activities and whether they apply to the hypervisor technology.

Uploaded by

ioh

Server Virtualization Audit Work Program

Control Objective                 # of Ctrls
Image and Snapshot Management     13
Change Management                 5
Access Management                 13
Security Monitoring               3
Communications Management         4
Isolation Management              4
Total                             42

Virtualization Technologies               In-Scope Ctrls
Hypervisor                                21
Virtualization Management System (VMS)    20
Virtualization Implementation Tool (VIT)  26
Guest OS                                  15
Total                                     82

Virtualization Controls

Hypervisor
Control Objective Control Activity Risk In-scope
Control Objective: Image and Snapshot Management

Control Activity: The process for image and snapshot management (i.e. creation, security, distribution, storage, use, retirement, destruction) is documented, assigned, communicated to stakeholders and consistently applied by the organization.
Risk: Not relevant
In-scope: No

Control Activity: A virtualization topography is documented and updated with each change to the virtualization environment.
Risk: Not relevant
In-scope: No

Control Activity: The process for performing virtual machine rollbacks, including disconnecting the virtual machine from the network prior to performing the rollback, is defined, assigned, communicated to stakeholders and is consistently applied by the organization.
Risk: Not relevant
In-scope: No

Control Activity: Additions of or changes to virtualization environments are approved by management.
Risk: Not relevant
In-scope: No

Control Activity: Server implementation templates agree to documented organizational server hardening standards.
Risk: Not relevant
In-scope: No

Control Activity: Server implementation templates are stored on a separate partition from Guest systems.
Risk: Not relevant
In-scope: No

Control Activity: Changes to documented server hardening standards are reflected on existing virtual environments and in the server implementation templates.
Risk: Not relevant
In-scope: No

Control Activity: Images are periodically monitored and scanned by management for unauthorized changes and the presence of malware.
Risk: Not relevant
In-scope: No

Control Activity: Images and snapshots are periodically reviewed by management for appropriateness of existence, and unneeded images and snapshots are deactivated or removed, as required.
Risk: Not relevant
In-scope: No

Control Activity: The deactivation or suspension of images is approved by management.
Risk: Not relevant
In-scope: No

Control Activity: Deactivated images and snapshots are reviewed for currency (i.e. patches, security settings) and approved by management prior to reactivation.
Risk: Not relevant
In-scope: No

Control Activity: Security of images at rest is maintained at the highest level required.
Risk: Not relevant
In-scope: No

Control Activity: Images and snapshots are stored on an encrypted device and access to these images is restricted to authorized personnel.
Risk: Not relevant
In-scope: No

Control Objective: Change Management

Control Activity: The change management process for virtualization technologies is documented, assigned, communicated to stakeholders and consistently applied by the organization.
Risk: Hypervisor change management procedures are performed inconsistently which result in unapproved or unexpected changes to the Hypervisor. These unapproved changes could compromise the security and integrity of the Guest OS systems supported by the Hypervisor.
In-scope: Yes

Control Activity: Changes (i.e. logic, configuration, patches) to virtualization technologies are authorized, tested and approved prior to implementation.
Risk: Unapproved Hypervisor changes are implemented which could result in unexpected or unapproved modification to Hypervisor functionality or key system data. These unapproved changes could compromise the security and integrity of the Guest OS systems supported by the Hypervisor.
In-scope: Yes

Control Activity: Changes (i.e. logic, configuration, patches) to virtualization technologies are monitored periodically by management.
Risk: Unapproved Hypervisor changes are implemented and go undetected which could result in unexpected or unapproved modification to Hypervisor functionality or key system data. These unapproved changes could compromise the security and integrity of the Guest OS systems supported by the Hypervisor.
In-scope: Yes

Control Activity: Segregation of duties is maintained in the change management process. Individuals with access to develop changes or request patches from external parties do not have the ability to implement these changes/patches.
Risk: Hypervisor support personnel have access to develop changes or request patches from external parties and implement these changes/patches into production which could result in unexpected or unapproved modification to Hypervisor functionality or key system data.
In-scope: Yes

Control Activity: Security patches installed on virtualization technologies are the most current versions available, unless otherwise stated by organizational policy.
Risk: The latest security patches are not installed on the Hypervisor which could result in exploitation of the technology due to known security weaknesses. This exploitation could result in unexpected or unapproved modification to Hypervisor functionality or key system data. These unapproved changes could compromise the security and integrity of the Guest OS systems supported by the Hypervisor.
In-scope: Yes

Control Objective: Access Management

Control Activity: The process for controlling access to virtualization technologies is documented, assigned, communicated to stakeholders and consistently applied by the organization.
Risk: Hypervisor access management procedures are performed inconsistently which result in unauthorized access to the Hypervisor. This unauthorized access could result in inappropriate modifications to Hypervisor security settings, which could compromise the security and integrity of the Guest OS systems supported by the Hypervisor.
In-scope: Yes

Control Activity: Security configuration hardening standards are documented, communicated to stakeholders and implemented on virtualization technologies.
Risk: Hypervisor security settings are not configured according to approved management hardening standards which could result in exploitation of the technology due to known security weaknesses. This exploitation could result in unexpected or unapproved modification to Hypervisor functionality or key system data. These unapproved changes could compromise the security and integrity of the Guest OS systems supported by the Hypervisor.
In-scope: Yes

Control Activity: File system hardening standards are documented, communicated to stakeholders and implemented on virtualization technologies.
Risk: Not relevant
In-scope: No

Control Activity: Access to virtualization technologies is restricted by passwords, and password configurations adhere to organization's password policy.
Risk: The Hypervisor may be accessed without password authentication or existing accounts may be breached via easily guessed passwords which could result in unauthorized access to the technology. This unauthorized access could result in inappropriate modifications to Hypervisor security settings, which could compromise the security and integrity of the Guest OS systems supported by the Hypervisor.
In-scope: Yes

Control Activity: Privileged access to virtualization technologies is restricted to authorized individuals.
Risk: Unauthorized users have the ability to add/modify/delete Hypervisor accounts and perform other sensitive functions. This unauthorized access could result in inappropriate modifications to Hypervisor security settings, which could compromise the security and integrity of the Guest OS systems supported by the Hypervisor.
In-scope: Yes

Control Activity: Access to system tools or utilities used in conjunction with virtualization technologies is restricted to authorized individuals.
Risk: Unauthorized users have access to system tools or utilities used in conjunction with the Hypervisor. This unauthorized access could result in inappropriate modifications to Hypervisor security settings, which could compromise the security and integrity of the Guest OS systems supported by the Hypervisor.
In-scope: Yes

Control Activity: New access to virtualization technologies is approved prior to provisioning by appropriate personnel. The access approved by management is provisioned appropriately by the IT administrator.
Risk: Accounts are provisioned on the Hypervisor without proper approval or are provisioned with unapproved access. This unauthorized access could result in inappropriate modifications to Hypervisor security settings, which could compromise the security and integrity of the Guest OS systems supported by the Hypervisor.
In-scope: Yes

Control Activity: Accounts for users who no longer require access to virtualization technologies are removed timely.
Risk: Hypervisor accounts for services/users that no longer require access to the technology are not removed timely which could result in unauthorized access to the Hypervisor. This unauthorized access could result in inappropriate modifications to Hypervisor security settings, which could compromise the security and integrity of the Guest OS systems supported by the Hypervisor.
In-scope: Yes

Control Activity: Access to virtualization technologies is reviewed periodically by management and access changes, if requested, are made timely.
Risk: Hypervisor accounts for services/users that no longer require access to the technology are not removed and go undetected by management. This unauthorized access could result in inappropriate modifications to Hypervisor security settings, which could compromise the security and integrity of the Guest OS systems supported by the Hypervisor.
In-scope: Yes

Control Activity: Physical access to the hardware supporting virtualization technologies is restricted to authorized individuals.
Risk: Unauthorized users have physical access to the hardware supporting the Hypervisor which could result in damage to the underlying hardware and cause a disruption of service to the virtualized environments.
In-scope: Data Center

Control Activity: Segregation of duties is maintained in the logical access process. Individuals responsible for provisioning access are not responsible for approving access.
Risk: Hypervisor support personnel that are responsible for provisioning access are also responsible for approving access. This lack of division of responsibilities could result in unauthorized access to the Hypervisor. This unauthorized access could result in inappropriate modifications to Hypervisor security settings, which could compromise the security and integrity of the Guest OS systems supported by the Hypervisor.
In-scope: Yes

Control Activity: Physical auxiliary hardware (i.e. storage devices) is disconnected from the host system when not actively used.
Risk: Malicious files or programs are transmitted to the Hypervisor via physical auxiliary hardware that is connected to the host server supporting the Hypervisor. This malware could infect the Hypervisor and cause unexpected or unapproved modification to its functionality or key system data. These unapproved changes could compromise the security and integrity of the Guest OS systems supported by the Hypervisor.
In-scope: Data Center

Control Activity: Remote administration capabilities, if used, are configured to restrict access to authorized individuals.
Risk: Hypervisor remote administration capabilities are not restricted to authorized individuals which could result in unauthorized access to the Hypervisor. This unauthorized access could result in inappropriate modifications to Hypervisor security settings, which could compromise the security and integrity of the Guest OS systems supported by the Hypervisor.
In-scope: Yes

Control Objective: Security Monitoring

Control Activity: Security settings for virtualization technologies are periodically monitored by management for appropriateness.
Risk: Unapproved or unexpected changes are made to Hypervisor security settings and go undetected by management. These unapproved changes could compromise the security and integrity of the Guest OS systems supported by the Hypervisor.
In-scope: Yes

Control Activity: Logging and audit functionality is turned on, where applicable, for virtualization technologies.
Risk: Audit logs are not available for review to support investigations of suspected Hypervisor security breaches.
In-scope: Yes

Control Activity: The security of activity occurring between guest systems is periodically monitored by management.
Risk: Not relevant
In-scope: No

Control Objective: Communications Management

Control Activity: Virtualization technologies are synchronized to a trusted authoritative time server.
Risk: Date and time stamps included on system outputs cannot be relied upon due to the lack of synchronization to a trusted time server. This lack of reliance can hinder management reviews of system activity or security investigations.
In-scope: Yes

Control Activity: Unnecessary services between virtualization technologies (i.e. file sharing, clipboard) are disabled.
Risk: Attacks on the Hypervisor are launched via enabled communications services. These attacks could result in unauthorized access to the Hypervisor which could compromise the security and integrity of the Guest OS systems supported by the Hypervisor.
In-scope: Yes

Control Activity: Networks internal to the hypervisor are partitioned in a similar way to physical network components.
Risk: Unauthorized access to portions of the Hypervisor could compromise the security and integrity of the Guest OS systems supported by the Hypervisor.
In-scope: Yes

Control Activity: Communications between virtualization technologies are sent on trusted networks or otherwise encrypted.
Risk: Communications emanating from the Hypervisor are intercepted as a result of weak or no encryption. Information gleaned from the interception could be used to exploit security weaknesses.
In-scope: Yes

Control Objective: Isolation Management

Control Activity: The process for isolation management is documented, assigned, communicated to stakeholders and consistently applied by the organization.
Risk: Not relevant
In-scope: No

Control Activity: Communications and resource access between Guest systems is restricted.
Risk: Not relevant
In-scope: No

Control Activity: Guest systems are configured to restrict "escape" access from the Guest OS to the other virtualization technologies.
Risk: Not relevant
In-scope: No

Control Activity: Management practices zoning of guest systems on Hypervisors.
Risk: Inappropriate access is gained to high risk systems as a result of a successful attack on a system with lower security settings residing on the same Hypervisor.
In-scope: No

Legend:
INF: Initially determined to be covered by the Infrastructure Review Audit pending confirmation.
Data Center: Initially determined to be covered by the Data Center Audit pending confirmation.
Virtualization Technologies

Virtualization Management System (VMS) Virtualization Implementation Tool (VIT) Guest OS


Risk In-scope Risk In-scope Risk In-scope
VMS Risk: Not relevant
VMS In-scope: No
VIT Risk: Image management procedures are not performed consistently potentially compromising the confidentiality, integrity and/or availability of the systems and data within the virtual environments.
VIT In-scope: Yes
Guest OS Risk: Image management procedures are not performed consistently potentially compromising the confidentiality, integrity and/or availability of the systems and data within the virtual environments.
Guest OS In-scope: Yes

VMS Risk: Not relevant
VMS In-scope: No
VIT Risk: Virtualization environments are not adequately documented and tracked which could result in data loss that is undetected by management.
VIT In-scope: Yes
Guest OS Risk: Virtualization environments are not adequately documented and tracked which could result in data loss that is undetected by management.
Guest OS In-scope: Yes

VMS Risk: Not relevant
VMS In-scope: No
VIT Risk: Virtual machines are rolled back while still connected to the network, which could result in the reintroduction of malicious code or protocols reusing TCP sequence numbers or re-exposure of previously patched vulnerabilities.
VIT In-scope: No
Guest OS Risk: Virtual machines are rolled back while still connected to the network, which could result in the reintroduction of malicious code or protocols reusing TCP sequence numbers or re-exposure of previously patched vulnerabilities.
Guest OS In-scope: No

VMS Risk: Not relevant
VMS In-scope: No
VIT Risk: Virtualized environments are established or altered without proper management approval which could compromise the confidentiality, integrity and/or availability of data within the virtual environments.
VIT In-scope: Yes
Guest OS Risk: Virtualized environments are established or altered without proper management approval which could compromise the confidentiality, integrity and/or availability of data within the virtual environments.
Guest OS In-scope: Yes

VMS Risk: Not relevant
VMS In-scope: No
VIT Risk: Virtualized environments are established that are non-compliant with management security standards which could compromise the confidentiality, integrity and/or availability of data within the virtual environments.
VIT In-scope: Yes
Guest OS Risk: Virtualized environments are established that are non-compliant with management security standards which could compromise the confidentiality, integrity and/or availability of data within the virtual environments.
Guest OS In-scope: Yes

VMS Risk: Not relevant
VMS In-scope: No
VIT Risk: Server implementation templates are stored on the same partition as production machines which could result in corruption or loss in the event of a compromised Guest system.
VIT In-scope: Yes
Guest OS Risk: Server implementation templates are stored on the same partition as production machines which could result in corruption or loss in the event of a compromised Guest system.
Guest OS In-scope: Yes

VMS Risk: Not relevant
VMS In-scope: No
VIT Risk: Changes in documented hardening standards are not reflected in the server implementation templates which could result in the generation of virtualized environments that are non-compliant with management's security standards and could compromise the confidentiality, integrity and/or availability of data within the virtual environments.
VIT In-scope: Yes
Guest OS Risk: Changes in documented hardening standards are not reflected in existing Guest OS which could result in security vulnerabilities in the existing Guest systems.
Guest OS In-scope: Yes

VMS Risk: Not relevant
VMS In-scope: No
VIT Risk: Not relevant
VIT In-scope: No
Guest OS Risk: Unauthorized changes are made to the image files and go undetected by management. Malware is attached to the image files and is undetected by management. The unapproved changes and malware could lead to compromised system information.
Guest OS In-scope: Yes

VMS Risk: Not relevant
VMS In-scope: No
VIT Risk: Not relevant
VIT In-scope: No
Guest OS Risk: Unneeded images and snapshots are not deleted from the virtualization environment which could result in compromised system data in the event of a security breach.
Guest OS In-scope: Yes

VMS Risk: Not relevant
VMS In-scope: No
VIT Risk: Not relevant
VIT In-scope: No
Guest OS Risk: Images are suspended or deactivated without management approval which could result in service unavailability and/or loss of data.
Guest OS In-scope: Yes

VMS Risk: Not relevant
VMS In-scope: No
VIT Risk: Not relevant
VIT In-scope: No
Guest OS Risk: Images or snapshots are reactivated without updated patches or without security settings that comply with organizational hardening standards. This reactivation could result in compromised system data.
Guest OS In-scope: No

VMS Risk: Not relevant
VMS In-scope: No
VIT Risk: Not relevant
VIT In-scope: No
Guest OS Risk: Images or snapshots of high risk environments are stored on servers with lower risk security settings which could result in the compromise of high risk system data.
Guest OS In-scope: Yes

VMS Risk: Not relevant
VMS In-scope: No
VIT Risk: Critical system data stored on images and snapshots is accessed by inappropriate users as a result of weak or no encryption or inappropriate access to the storage location. This unauthorized access could result in the compromise of integrity and availability of data within the virtual environments.
VIT In-scope: Yes
Guest OS Risk: Not relevant
Guest OS In-scope: No

VMS Risk: VMS change management procedures are performed inconsistently which result in unapproved or unexpected changes to the VMS. These unapproved changes could compromise the security and integrity of the Hypervisor and the Guest OS systems supported by the Hypervisor.
VMS In-scope: Yes
VIT Risk: VIT change management procedures are performed inconsistently which result in unapproved or unexpected changes to the VIT. These unapproved changes could affect the integrity and availability of data within the virtual environments.
VIT In-scope: Yes
Guest OS Risk: Guest OS change management procedures are performed inconsistently which result in unapproved or unexpected changes to the Guest OS.
Guest OS In-scope: INF

VMS Risk: Unapproved VMS changes are implemented which could result in unexpected or unapproved modification to VMS functionality or key system data. These unapproved changes could compromise the security and integrity of the Hypervisor and the Guest OS systems supported by the Hypervisor.
VMS In-scope: Yes
VIT Risk: Unapproved VIT changes are implemented which could result in unexpected or unapproved modification to VIT functionality or key system data. These unapproved changes could affect the integrity and availability of data within the virtual environments.
VIT In-scope: Yes
Guest OS Risk: Unapproved Guest OS changes are implemented which could result in unexpected or unapproved modification to Guest OS functionality or key system data.
Guest OS In-scope: INF

VMS Risk: Unapproved VMS changes are implemented and go undetected which could result in unexpected or unapproved modification to VMS functionality or key system data. These unapproved changes could compromise the security and integrity of the Hypervisor and the Guest OS systems supported by the Hypervisor.
VMS In-scope: Yes
VIT Risk: Unapproved VIT changes are implemented and go undetected which could result in unexpected or unapproved modification to VIT functionality or key system data. These unapproved changes could affect the integrity and availability of data within the virtual environments.
VIT In-scope: Yes
Guest OS Risk: Unapproved Guest OS changes are implemented and go undetected which could result in unexpected or unapproved modification to Guest OS functionality or key system data.
Guest OS In-scope: INF

VMS Risk: VMS support personnel have access to develop changes or request patches from external parties and implement these changes/patches into production which could result in unexpected or unapproved modification to VMS functionality or key system data.
VMS In-scope: Yes
VIT Risk: VIT support personnel have access to develop changes or request patches from external parties and implement these changes/patches into production which could result in unexpected or unapproved modification to VIT functionality or key system data.
VIT In-scope: Yes
Guest OS Risk: Guest OS support personnel have access to develop changes or request patches from external parties and implement these changes/patches into production which could result in unexpected or unapproved modification to Guest functionality or key system data.
Guest OS In-scope: INF

VMS Risk: The latest security patches are not installed on the VMS which could result in exploitation of the technology due to known security weaknesses. This exploitation could result in unexpected or unapproved modification to VMS functionality or key system data. These unapproved changes could compromise the security and integrity of the Hypervisor and the Guest OS systems supported by the Hypervisor.
VMS In-scope: Yes
VIT Risk: The latest security patches are not installed on the VIT which could result in exploitation of the technology due to known security weaknesses. This exploitation could result in unexpected or unapproved modification to VIT functionality or key system data. These unapproved changes could affect the integrity and availability of data within the virtual environments.
VIT In-scope: Yes
Guest OS Risk: The latest security patches are not installed on the Guest OS which could result in exploitation of the technology due to known security weaknesses. This exploitation could result in unexpected or unapproved modification to Guest OS functionality or key system data.
Guest OS In-scope: INF

VMS Risk: VMS access management procedures are performed inconsistently which result in unauthorized access to the VMS. This unauthorized access could result in inappropriate modifications to Hypervisor security settings, which could compromise the security and integrity of the Guest OS systems supported by the Hypervisor.
VMS In-scope: Yes
VIT Risk: VIT access management procedures are performed inconsistently which result in unauthorized access to the VIT. This unauthorized access could result in the setup or installation of unapproved virtual environments or inappropriate modifications to setup templates.
VIT In-scope: Yes
Guest OS Risk: Guest OS access management procedures are performed inconsistently which result in unauthorized access to the Guest OS. This unauthorized access could result in unexpected or unapproved modification to Guest OS functionality or key system data.
Guest OS In-scope: INF

VMS Risk: VMS security settings are not configured according to approved management hardening standards which could result in exploitation of the technology due to known security weaknesses. This exploitation could result in unexpected or unapproved modification to VMS functionality or key system data. These unapproved changes could compromise the security and integrity of the Guest OS systems supported by the Hypervisor.
VMS In-scope: Yes
VIT Risk: VIT security settings are not configured according to approved management hardening standards which could result in exploitation of the technology due to known security weaknesses. This exploitation could result in unexpected or unapproved modification to VIT functionality or key system data. These unapproved changes could affect the integrity and availability of data within the virtual environments.
VIT In-scope: Yes
Guest OS Risk: Guest OS security settings are not configured according to approved management hardening standards which could result in exploitation of the technology due to known security weaknesses. This exploitation could result in unexpected or unapproved modification to Guest OS functionality or key system data.
Guest OS In-scope: INF

VMS Risk: Not relevant
VMS In-scope: No
VIT Risk: Not relevant
VIT In-scope: No
Guest OS Risk: File system security settings are not configured according to approved management hardening standards which could result in unauthorized access to key OS or Hypervisor system files. This unauthorized access could result in unexpected or unapproved modification of Guest OS or Hypervisor functionality or data.
Guest OS In-scope: Yes

VMS Risk: The VMS may be accessed without password authentication or existing accounts may be breached via easily guessed passwords which could result in unauthorized access to the technology. This unauthorized access could result in inappropriate modifications to Hypervisor security settings, which could compromise the security and integrity of the Guest OS systems supported by the Hypervisor.
VMS In-scope: Yes
VIT Risk: The VIT may be accessed without password authentication or existing accounts may be breached via easily guessed passwords which could result in unauthorized access to the technology. This unauthorized access could result in the setup or installation of unapproved virtual environments or inappropriate modifications to setup templates.
VIT In-scope: Yes
Guest OS Risk: The Guest OS may be accessed without password authentication or existing accounts may be breached via easily guessed passwords which could result in unauthorized access to the technology. This unauthorized access could result in unexpected or unapproved modification to Guest OS functionality or key system data.
Guest OS In-scope: INF

VMS Risk: Unauthorized users have the ability to add/modify/delete VMS accounts and perform other sensitive functions. This unauthorized access could result in inappropriate modifications to Hypervisor security settings, which could compromise the security and integrity of the Guest OS systems supported by the Hypervisor.
VMS In-scope: Yes
VIT Risk: Unauthorized users have the ability to add/modify/delete VIT accounts and perform other sensitive functions. This unauthorized access could result in the setup or installation of unapproved virtual environments or inappropriate modifications to setup templates.
VIT In-scope: Yes
Guest OS Risk: Unauthorized users have the ability to add/modify/delete Guest OS accounts and perform other sensitive functions. This unauthorized access could result in unexpected or unapproved modification to Guest OS functionality or key system data.
Guest OS In-scope: INF

VMS Risk: Unauthorized users have access to system tools or utilities used in conjunction with the VMS. This unauthorized access could result in inappropriate modifications to Hypervisor security settings, which could compromise the security and integrity of the Guest OS systems supported by the Hypervisor.
VMS In-scope: Yes
VIT Risk: Unauthorized users have access to system tools or utilities used in conjunction with the VIT. This unauthorized access could result in the setup or installation of unapproved virtual environments or inappropriate modifications to setup templates.
VIT In-scope: Yes
Guest OS Risk: Unauthorized users have access to system tools or utilities used in conjunction with the Guest OS. This unauthorized access could result in unexpected or unapproved modification to Guest OS functionality or key system data.
Guest OS In-scope: INF

Virtualization Management System (VMS) Virtualization Implementation Tool (VIT) Guest OS


Risk In-scope Risk In-scope Risk In-scope

VMS (In-scope: Yes): Accounts are provisioned on the VMS without proper approval or are provisioned with unapproved access. This unauthorized access could result in inappropriate modifications to Hypervisor security settings, which could compromise the security and integrity of the Guest OS systems supported by the Hypervisor.
VIT (In-scope: Yes): Accounts are provisioned on the VIT without proper approval or are provisioned with unapproved access. This unauthorized access could result in the setup or installation of unapproved virtual environments or inappropriate modifications to setup templates.
Guest OS (In-scope: INF): Accounts are provisioned on the Guest OS without proper approval or are provisioned with unapproved access. This unauthorized access could result in unexpected or unapproved modification to Guest OS functionality or key system data.

VMS (In-scope: Yes): VMS accounts for services/users that no longer require access to the technology are not removed in a timely manner, which could result in unauthorized access to the VMS. This unauthorized access could result in inappropriate modifications to Hypervisor security settings, which could compromise the security and integrity of the Guest OS systems supported by the Hypervisor.
VIT (In-scope: Yes): VIT accounts for services/users that no longer require access to the technology are not removed in a timely manner, which could result in unauthorized access to the VIT. This unauthorized access could result in the setup or installation of unapproved virtual environments or inappropriate modifications to setup templates.
Guest OS (In-scope: INF): Guest OS accounts for services/users that no longer require access to the technology are not removed in a timely manner, which could result in unauthorized access to the Guest OS. This unauthorized access could result in unexpected or unapproved modification to Guest OS functionality or key system data.

VMS (In-scope: Yes): VMS accounts for services/users that no longer require access to the technology are not removed and go undetected by management. This unauthorized access could result in inappropriate modifications to Hypervisor security settings, which could compromise the security and integrity of the Guest OS systems supported by the Hypervisor.
VIT (In-scope: Yes): VIT accounts for services/users that no longer require access to the technology are not removed and go undetected by management. This unauthorized access could result in the setup or installation of unapproved virtual environments or inappropriate modifications to setup templates.
Guest OS (In-scope: INF): Guest OS accounts for services/users that no longer require access to the technology are not removed and go undetected by management. This unauthorized access could result in unexpected or unapproved modification to Guest OS functionality or key system data.

VMS (In-scope: No): Not relevant
VIT (In-scope: No): Not relevant
Guest OS (In-scope: No): Not relevant

VMS (In-scope: Yes): VMS support personnel that are responsible for provisioning access are also responsible for approving access. This lack of division of responsibilities could result in unauthorized access to the VMS. This unauthorized access could result in inappropriate modifications to Hypervisor security settings, which could compromise the security and integrity of the Guest OS systems supported by the Hypervisor.
VIT (In-scope: Yes): VIT support personnel that are responsible for provisioning access are also responsible for approving access. This lack of division of responsibilities could result in unauthorized access to the VIT. This unauthorized access could result in the setup or installation of unapproved virtual environments or inappropriate modifications to setup templates.
Guest OS (In-scope: INF): Guest OS support personnel that are responsible for provisioning access are also responsible for approving access. This lack of division of responsibilities could result in unauthorized access to the Guest OS. This unauthorized access could result in unexpected or unapproved modification to Guest OS functionality or key system data.

VMS (In-scope: Data Center): Malicious files or programs are transmitted to the VMS via physical auxiliary hardware that is connected to the host server supporting the VMS. This malware could infect the Hypervisor and cause unexpected or unapproved modification to its functionality or key system data. These unapproved changes could compromise the security and integrity of the Guest OS systems supported by the Hypervisor.
VIT (In-scope: Data Center): Malicious files or programs are transmitted to the VIT via physical auxiliary hardware that is connected to the host server supporting the VIT. This malware could infect the VIT and cause unexpected or unapproved modification to its functionality or key system data. These unapproved changes could affect the integrity and availability of data within the virtual environments.
Guest OS (In-scope: No): Not relevant

VMS (In-scope: Yes): VMS remote administration capabilities are not restricted to authorized individuals, which could result in unauthorized access to the VMS. This unauthorized access could result in inappropriate modifications to Hypervisor security settings, which could compromise the security and integrity of the Guest OS systems supported by the Hypervisor.
VIT (In-scope: Yes): VIT remote administration capabilities are not restricted to authorized individuals, which could result in unauthorized access to the VIT. This unauthorized access could result in the setup or installation of unapproved virtual environments or inappropriate modifications to setup templates.
Guest OS (In-scope: INF): Guest OS remote administration capabilities are not restricted to authorized individuals, which could result in unauthorized access to the Guest OS. This unauthorized access could result in unexpected or unapproved modification to Guest OS functionality or key system data.

VMS (In-scope: Yes): Unapproved or unexpected changes are made to VMS security settings and go undetected by management. These unapproved changes could compromise the security and integrity of the Guest OS systems supported by the Hypervisor.
VIT (In-scope: Yes): Unapproved or unexpected changes are made to VIT security settings and go undetected by management. These unapproved changes could affect the integrity and availability of data within the virtual environments.
Guest OS (In-scope: INF): Unapproved or unexpected changes are made to Guest OS security settings and go undetected by management, which could result in unapproved modification to Guest OS system functionality or data.

VMS (In-scope: Yes): Audit logs are not available for review to support investigations of suspected VMS security breaches.
VIT (In-scope: Yes): Audit logs are not available for review to support investigations of suspected VIT security breaches.
Guest OS (In-scope: INF): Audit logs are not available for review to support investigations of suspected Guest OS security breaches.

VMS (In-scope: No): Not relevant
VIT (In-scope: No): Not relevant
Guest OS (In-scope: Yes): Communications between Guest OS systems are intercepted and not detected by management. Information gleaned from the interception could be used to exploit security weaknesses.

VMS (In-scope: Yes): Date and time stamps included on system outputs cannot be relied upon due to the lack of synchronization to a trusted time server. This lack of reliance can hinder management reviews of system activity or security investigations.
VIT (In-scope: Yes): Date and time stamps included on system outputs cannot be relied upon due to the lack of synchronization to a trusted time server. This lack of reliance can hinder management reviews of system activity or security investigations.
Guest OS (In-scope: Yes): Date and time stamps included on system outputs cannot be relied upon due to the lack of synchronization to a trusted time server. This lack of reliance can hinder management reviews of system activity or security investigations.

VMS (In-scope: Yes): Attacks on the VMS are launched via enabled communications services. These attacks could result in unauthorized access to the Hypervisor, which could compromise the security and integrity of the Guest OS systems supported by the Hypervisor.
VIT (In-scope: No): Not relevant
Guest OS (In-scope: Yes): Attacks on the Guest OS are launched via enabled communications services. These attacks could result in unauthorized changes to Guest OS functionality and data.

VMS (In-scope: No): Not relevant
VIT (In-scope: No): Not relevant
Guest OS (In-scope: No): Not relevant

VMS (In-scope: Yes): Communications emanating from the VMS are intercepted as a result of weak or no encryption. Information gleaned from the interception could be used to exploit security weaknesses.
VIT (In-scope: Yes): Communications emanating from the VIT are intercepted as a result of weak or no encryption. Information gleaned from the interception could be used to exploit security weaknesses.
Guest OS (In-scope: Yes): Communications emanating from the Guest OS are intercepted as a result of weak or no encryption. Information gleaned from the interception could be used to exploit security weaknesses.

VMS (In-scope: No): Not relevant
VIT (In-scope: No): Not relevant
Guest OS (In-scope: No): Isolation management procedures are performed inconsistently, which results in Guest systems that are not sufficiently isolated.

VMS (In-scope: No): Not relevant
VIT (In-scope: No): Not relevant
Guest OS (In-scope: No): Inappropriate access is gained to multiple Guest systems as a result of a successful attack on communication and resource links between the systems.

VMS (In-scope: No): Not relevant
VIT (In-scope: No): Not relevant
Guest OS (In-scope: No): Inappropriate access is gained to multiple Guest systems as a result of a successful attack on and escape from one Guest system.

VMS (In-scope: No): Not relevant
VIT (In-scope: No): Not relevant
Guest OS (In-scope: No): Not relevant


Additional Discussion Topics
Incorporate backups of virtualized storage into backup policies.
Organizations that have policies relating to allocation of computer resources should consider virtualization in such policies.
Organizations that have security policies that cover network shared storage should apply those policies to shared disks in virtualization systems.

The organization should also consider how incidents involving the virtualization solutions should be handled and document those plans as well.[4] An incident response team can save a snapshot of the guest OS to capture the contents of memory, the hard disk, and state information. Many forensics tools can directly examine the contents of a snapshot, allowing full forensic analysis of the image itself.

Note that sensitive data may be found nearly anywhere on a device because
of the nature of virtualization. An organization should strongly consider
erasing all storage devices completely.
