Audit/Assurance Program
VMware Server Virtualization Audit/Assurance Program
ISACA
With 95,000 constituents in 160 countries, ISACA (www.isaca.org) is a leading global provider of knowledge,
certifications, community, advocacy and education on information systems (IS) assurance and security, enterprise
governance and management of IT, and IT-related risk and compliance. Founded in 1969, the nonprofit, independent
ISACA hosts international conferences, publishes the ISACA Journal, and develops international IS auditing and
control standards, which help its constituents ensure trust in, and value from, information systems. It also advances
and attests IT skills and knowledge through the globally respected Certified Information Systems Auditor (CISA),
Certified Information Security Manager (CISM), Certified in the Governance of Enterprise IT (CGEIT) and
Certified in Risk and Information Systems Control (CRISC) designations. ISACA continually updates COBIT®,
which helps IT professionals and enterprise leaders fulfill their IT governance and management responsibilities,
particularly in the areas of assurance, security, risk and control, and deliver value to the business.
Disclaimer
ISACA has designed and created VMware Server Virtualization Audit/Assurance Program (the Work) primarily
as an educational resource for audit and assurance professionals. ISACA makes no claim that use of any of the Work
will assure a successful outcome. The Work should not be considered inclusive of all proper information, procedures
and tests or exclusive of other information, procedures and tests that are reasonably directed to obtaining the same
results. In determining the propriety of any specific information, procedure or test, audit and assurance professionals
should apply their own professional judgment to the specific circumstances presented by the particular systems or IT
environment.
Reservation of Rights
© 2011 ISACA. All rights reserved. No part of this publication may be used, copied, reproduced, modified,
distributed, displayed, stored in a retrieval system or transmitted in any form by any means (electronic, mechanical,
photocopying, recording or otherwise) without the prior written authorization of ISACA. Reproduction and use of
all or portions of this publication are permitted solely for academic, internal and noncommercial use and for
consulting/advisory engagements and must include full attribution of the material's source. No other right or
permission is granted with respect to this work.
ISACA
3701 Algonquin Road, Suite 1010
Rolling Meadows, IL 60008 USA
Phone: +1.847.253.1545
Fax: +1.847.253.1443
E-mail: info@isaca.org
Web site: www.isaca.org
ISBN 978-1-60420-179-6
VMware Server Virtualization Audit/Assurance Program
CRISC is a trademark/service mark of ISACA. The mark has been applied for or registered in countries throughout
the world.
ISACA wishes to recognize:
Author
Jeff Kalwerisky, CISA, CA (SA), HISP, CPEinteractive, Inc., USA
Expert Reviewers
Madhav Chablani, CISA, CISM, TippingPoint Consulting, India
Curt Hartinger, CISA, CISM, CPA, GSNA, MSIA, Office of the State Treasurer, USA
Aurelio Jaimes, CISA, Mexico
Prashant A. Khopkar, CISA, CA, Grant Thornton, LLP, USA
K. K. Mookhey, CISA, CISM, CISSP, Network Intelligence India Pvt. Ltd., India
Philippe Rivest, CISA, CEH, CISSP, TransForce, Canada
Vipin Sehgal, CISA, Sun Life Financial, Canada
Vinoth Sivasubramanian, ABRCCI, CEH, ISO 27001 LA, ITIL V3, UAE Exchange Center LLC, UAE
Knowledge Board
Gregory T. Grocholski, CISA, The Dow Chemical Co., USA, Chair
Michael Berardi Jr., CISA, CGEIT, Nestle USA, USA
John Ho Chi, CISA, CISM, CBCP, CFE, Ernst & Young LLP, Singapore
Jose Angel Pena Ibarra, CGEIT, Alintec S.A., Mexico
Jo Stewart-Rattray, CISA, CISM, CGEIT, CSEPS, RSM Bird Cameron, Australia
Jon Singleton, CISA, FCA, Auditor General of Manitoba (retired), Canada
Patrick Stachtchenko, CISA, CGEIT, CA, Stachtchenko & Associates SAS, France
Kenneth L. Vander Wal, CISA, CPA, Ernst & Young LLP (retired), USA
ASIS International
The Center for Internet Security
Commonwealth Association for Corporate Governance Inc.
FIDA Inform
Information Security Forum
Information Systems Security Association
Institut de la Gouvernance des Systèmes d'Information
Institute of Management Accountants Inc.
ISACA chapters
ITGI Japan
Norwich University
Solvay Brussels School of Economics and Management
University of Antwerp Management School
ASI System Integration
Hewlett-Packard
IBM
SOAProjects Inc.
Symantec Corp.
TruArx Inc.
Table of Contents
I. Introduction.......................................................................................................................................5
II. Using This Document........................................................................................................................6
III. Controls Maturity Analysis................................................................................................................8
IV. Assurance and Control Framework..................................................................................................10
V. Executive Summary of Audit/Assurance Focus...............................................................................11
VI. Audit/Assurance Program................................................................................................................14
1. Planning and Scoping the Audit...................................................................................................14
2. Governance of the virtualized environment.................................................................................15
3. PreFieldwork Preparation............................................................................................................19
4. VMware virtualized environment................................................................................................20
5. compliance...................................................................................................................................25
VII. Maturity Assessment........................................................................................................................27
VIII. Assessment Maturity vs. Target Maturity........................................................................................34
Appendix A. Virtualization Architecture....................................................................................................35
Appendix B. VMware Performance Metrics..............................................................................................36
I. Introduction
Overview
ISACA has developed the IT Assurance Framework (ITAF) as a comprehensive and good-practice-setting
model. ITAF provides standards that are designed to be mandatory and that are the guiding principles
under which the IT audit and assurance profession operates. The guidelines provide information and
direction for the practice of IT audit and assurance. The tools and techniques provide methodologies, tools
and templates to provide direction in the application of IT audit and assurance processes.
Purpose
The audit/assurance program is a tool and template to be used as a road map for the completion of a
specific assurance process. ISACA has commissioned audit/assurance programs to be developed for use
by IT audit and assurance practitioners. This audit/assurance program is intended to be utilized by IT
audit and assurance professionals with the requisite knowledge of the subject matter under review, as
described in ITAF section 2200, General Standards. The audit/assurance programs are part of ITAF
section 4000, IT Assurance Tools and Techniques.
Control Framework
The audit/assurance programs have been developed in alignment with the ISACA COBIT framework,
specifically COBIT 4.1, using generally applicable and accepted good practices. They reflect ITAF
sections 3400 (IT Management Processes), 3600 (IT Audit and Assurance Processes) and 3800 (IT
Audit and Assurance Management).
Many organizations have embraced several frameworks at an enterprise level, including the Committee of
Sponsoring Organizations of the Treadway Commission (COSO) Internal Control Framework. The
importance of the control framework has been enhanced due to regulatory requirements by the US
Securities and Exchange Commission (SEC) as directed by the US Sarbanes-Oxley Act of 2002 and
similar legislation in other countries. Enterprises seek to integrate control framework elements used by
the general audit/assurance team into the IT audit and assurance framework. Since COSO is widely used,
it has been selected for inclusion in this audit/assurance program. The reviewer may delete or rename
these columns to align with the enterprise's control framework.
Step 1 is part of the fact-gathering and prefieldwork preparation. Because the prefieldwork is essential to
a successful and professional review, the steps have been itemized in this plan. The first level steps, e.g.,
1.1, are shown in bold type and provide the reviewer with a scope or high-level explanation of the
Beginning in step 2, the steps associated with the work program are itemized. To simplify the use of the
program, the audit/assurance program describes the audit/assurance objective (the reason for performing
the steps in the topic area); the specific controls follow. Each review step is listed below the control. These
steps may include assessing the control design by walking through a process, interviewing, observing or
otherwise verifying the process and the controls that address that process. In many cases, once the control
design has been verified, specific tests need to be performed to provide assurance that the process
associated with the control is being followed.
The maturity assessment, which is described in more detail later in this document, makes up the last
section of the program.
The audit/assurance plan wrap-up (those processes associated with the completion and review of work
papers, preparation of issues and recommendations, report writing, and report clearing) has been
excluded from this document because it is standard for the audit/assurance function and should be
identified elsewhere in the enterprise's standards.
COBIT Cross-reference
The COBIT cross-reference provides the audit and assurance professional with the ability to refer to the
specific COBIT control objective that supports the audit/assurance step. The COBIT control objective
should be identified for each audit/assurance step in the section. Multiple cross-references are not
uncommon. Processes at lower levels in the work program are too granular to be cross-referenced to
COBIT. The audit/assurance program is organized in a manner to facilitate an evaluation through a
structure parallel to the development process. COBIT provides in-depth control objectives and suggested
control practices at each level. As professionals review each control, they should refer to COBIT 4.1 or
the IT Assurance Guide: Using COBIT for good-practice control guidance.
COSO Components
As noted in the introduction, COSO and similar frameworks have become increasingly popular among
audit/assurance professionals. This ties the assurance work to the enterprise's control framework. While
the IT audit and assurance function uses COBIT as a framework, operational audit and assurance
professionals use the framework established by the enterprise. Since COSO is the most prevalent internal
control framework, it has been included in this document and is a bridge to align IT audit and assurance
with the rest of the audit/assurance function. Many audit/assurance organizations include the COSO
control components within their reports and summarize assurance activities to the audit committee of the
board of directors.
For each control, the audit and assurance professional should indicate the COSO component(s) addressed.
It is possible, but generally not necessary, to extend this analysis to the specific audit step level.
The original COSO internal control framework contained five components. In 2004, COSO was revised
as the Enterprise Risk Management (ERM) Integrated Framework and extended to eight components. The
primary difference between the two frameworks is the additional focus on ERM and integration into the
business decision model. ERM is in the process of being adopted by large enterprises. The two
frameworks are compared in Figure 1.
The original COSO internal control framework addresses the needs of the IT audit and assurance
professional: control environment, risk assessment, control activities, information and communication,
and monitoring. As such, ISACA has elected to utilize the five-component model for these audit/
assurance programs. As more enterprises implement the ERM model, the additional three columns can be
added, if relevant. When completing the COSO component columns, consider the definitions of the
components as described in figure 1.
Reference/Hyperlink
Good practices require the audit and assurance professional to create a work paper that describes the work
performed, issues identified and conclusions for each line item. The reference/hyperlink is to be used to
cross-reference the audit/assurance step to the work paper that supports it. The numbering system of this
document provides a ready numbering scheme for the work papers. If desired, a link to the work paper
can be pasted into this column.
Issue Cross-reference
This column can be used to flag a finding/issue that the IT audit and assurance professional wants to
further investigate or establish as a potential finding. The potential findings should be documented in a
work paper that indicates the disposition of the findings (formally reported, reported as a memo or verbal
finding, or waived).
Comments
The comments column can be used to indicate the waiving of a step or other notations. It is not to be used
in place of a work paper that describes the work performed.
IT Assurance Guide: Using COBIT, Appendix VII, Maturity Model for Internal Control, shown in figure
2, provides a generic maturity model that shows the status of the internal control environment and the
establishment of internal controls in an enterprise. It shows how the management of internal control, and
an awareness of the need to establish better internal controls, typically develops from an ad hoc to an
optimized level. The model provides a high-level guide to help COBIT users appreciate what is required
for effective internal controls in IT and to help position their enterprise on the maturity scale.
Figure 2 (maturity levels 4 and 5; the two columns of the original table were interleaved and are separated here):

Maturity Level 4: Managed and Measurable
Status of the internal control environment: There is an effective internal control and risk management
environment. A formal, documented evaluation of controls occurs frequently. Many controls are automated
and regularly reviewed. Management is likely to detect most control issues, but not all issues are routinely
identified. There is consistent follow-up to address identified control weaknesses. A limited, tactical use of
technology is applied to automate controls.
Establishment of internal controls: IT process criticality is regularly defined with full support and
agreement from the relevant business process owners. Assessment of control requirements is based on
policy and the actual maturity of these processes, following a thorough and measured analysis involving
key stakeholders. Accountability for these assessments is clear and enforced. Improvement strategies are
supported by business cases. Performance in achieving the desired outcomes is consistently monitored.
External control reviews are organized occasionally.

Maturity Level 5: Optimized
Status of the internal control environment: An enterprise-wide risk and control program provides
continuous and effective control and risk issues resolution. Internal control and risk management are
integrated with enterprise practices, supported with automated real-time monitoring with full
accountability for control monitoring, risk management and compliance enforcement. Control evaluation
is continuous, based on self-assessments and gap and root cause analyses. Employees are proactively
involved in control improvements.
Establishment of internal controls: Business changes consider the criticality of IT processes and cover
any need to reassess process control capability. IT process owners regularly perform self-assessments to
confirm that controls are at the right level of maturity to meet business needs, and they consider maturity
attributes to find ways to make controls more efficient and effective. The organization benchmarks to
external best practices and seeks external advice on internal control effectiveness. For critical processes,
independent reviews take place to provide assurance that the controls are at the desired level of maturity
and working as planned.
The maturity model evaluation is one of the final steps in the evaluation process. The IT audit and
assurance professional can address the key controls within the scope of the work program and formulate
an objective assessment of the maturity levels of the control practices. The maturity assessment can be a
part of the audit/assurance report and can be used as a metric from year to year to document progression
in the enhancement of controls. However, it must be noted that the perception of the maturity level may
vary between the process/IT asset owner and the auditor. Therefore, an auditor should obtain the
concerned stakeholders' concurrence before submitting the final report to management.
At the conclusion of the review, once all findings and recommendations are completed, the professional
assesses the current state of the COBIT control framework and assigns it a maturity level using the six-
level scale. Some practitioners utilize decimals (x.25, x.5, x.75) to indicate gradations in the maturity
model. As a further reference, COBIT provides a definition of the maturity designations by control
objective. While this approach is not mandatory, the process is provided as a separate section at the end of
the audit/assurance program for those enterprises that wish to implement it. It is suggested that a maturity
assessment be made at the COBIT control level. To provide further value to the client/customer, the
professional can also obtain maturity targets from the client/customer. Using the assessed and target
maturity levels, the professional can create an effective graphic presentation that describes the
achievement or gaps between the actual and targeted maturity goals. A graphic is provided as the last page
of the document (section VIII), based on sample assessments.
Utilizing COBIT as the control framework from which IT audit and assurance activities are based aligns
IT audit and assurance with good practices as developed by the enterprise.
Refer to ISACA publication COBIT Control Practices: Guidance to Achieve Control Objectives for
Successful IT Governance, 2nd Edition, published in 2007, for the related control practice value and risk
drivers.
platform.
The primary goal of virtualization is to separate the server's physical hardware from the OS software
(known as hardware abstraction). The goal is to improve utilization of expensive hardware resources.
To achieve this, the virtualization software, called a hypervisor, imitates the desired computer hardware,
allowing multiple, often different, OSs to run on a single physical computer host.
Each such guest OS, called a virtual machine (VM), appears to have access to and control of the host's
resources (the central processor, memory, disk storage, network, etc.) to itself. In fact, the hypervisor is
actually in control of the host processor and its resources, allocating these limited resources to each VM
as needed. Resources not needed by a VM at a point in time can be allocated to another running VM. In
this way, multiple VMs coexist simultaneously on a single hardware platform. The hypervisor also
ensures that these VMs can neither see nor disrupt one another. A more detailed description of the
VMware ESX virtualization architecture is included as Appendix A. Virtualization Architecture.
As such, virtualization is used to streamline insourced IT operations and to reduce costs. Outsourced IT
servicers utilize virtualization to maximize operational efficiencies for their customers. In fact, cloud
computing is almost exclusively a virtualized environment.
However, deploying a virtualized environment also exposes the enterprise to a series of new business and
technology risks. These include:
Reduction in security if information security specialists are not involved in planning and deployment
A successful compromise of the virtualization layer can result in compromise of all hosted virtual
machines and applications
Guest machines of different (higher and lower) trust levels may be hosted on a single physical server
with insufficient separation
Inadequate controls over administrative access to the hypervisor can allow unauthorized access to
applications running on virtual hosts
Ease of creating VMs may result in reduction in controls over deployment, such as deviations from
baseline configurations and security
Administrators may not be knowledgeable about exploits that specifically target VM environments
Inadequate or insufficient tools available for proper monitoring of the virtualized environment
Inadequate training of administrators in virtualization technologies and problems
Compromised system security and confidentiality
Invalid transactions or transactions processed incorrectly
Costly compensating controls
Reduced system availability and questionable integrity of information
Failure to respond to relationship issues with optimal and approved decisions
Insufficient allocation of resources
Unclear responsibilities and accountabilities
Inaccurate billings for use of IT resources
Inability to satisfy the audit/assurance charter and requirements of regulators or external auditors
resulting in noncompliance with regulatory requirements and security breaches leading to lost
productivity, reputation loss and remediation costs
Scope: The review will focus on the governance, configuration and management of the relevant
VMware virtualized servers in the enterprise, with emphasis on control issues specific to virtualized
environments.
The selection of specific applications, functions and servers will be based on the risks introduced to the
enterprise by these systems.
The VMware server virtualization audit/assurance review is not designed to replace or focus on audits
that provide assurance of specific application processes and excludes assurance of an application's
functionality and suitability.
Since the areas under review rely heavily on the effectiveness of core IT general controls, it is
recommended that audit/assurance reviews of the following areas be performed prior to the execution of
the VMware server virtualization review so that appropriate reliance can be placed on these assessments:
Identity management as it applies to the VMware environment, i.e., privileged VMware users, user
access to VMs, etc.
Security incident management
Secure architecture, including virtualized servers and server farms and network security
Systems development: Test environments are typically hosted on virtualized servers for ease of
testing and recovery after crashes.
Risk management
Vulnerability management and testing
Cryptographic controls and associated key management
The audit and assurance professional should be cautioned not to attempt to conduct an audit/assurance
review of VMware environments utilizing this program as a checklist.
It should not be assumed that an audit and assurance professional holding the CISA designation alone has
the requisite skills to perform this review.
Column key for the audit/assurance program table: Audit/Assurance Program Step; COBIT Cross-reference;
COSO (Control Environment, Risk Assessment, Control Activities, Information and Communication,
Monitoring); Reference Hyperlink; Issue Cross-reference; Comments.
1.1.2 Modify the audit/assurance objectives to align with the audit/assurance universe, annual plan NA
and charter.
1.2 Define boundaries of review.
The review must have a defined scope. The reviewer should understand the operating environment
and prepare a proposed scope, subject to a later risk assessment.
1.2.1 Obtain a description of all virtualization environments in use and under consideration.
[Reference: Caracteristicas_Ambiente_Virtualizado]
1.2.2 Obtain and review any previous audit reports with remediation plans. Identify open issues, NA
and assess updates to the documents with respect to these issues.
1.3 Identify and document risks.
The risk assessment is necessary to evaluate where audit resources should be focused. In most
enterprises, audit resources are not available for all processes. The risk-based approach assures
utilization of audit resources in the most effective manner.
1.3.1 Identify the business risk associated with virtualization technology of concern to business
owners and key stakeholders. [Comments: No risk analysis has been carried out previously.]
1.3.2 Verify that the business risks are aligned, rated or classified with virtualization technology NA
security criteria such as confidentiality, integrity and availability.
1.3.3 Review internal audit reports of virtualization technology. NA
1.3.4 Determine if the risks identified previously have been appropriately addressed. NA
1.3.5 Evaluate the overall risk factor for performing the review. NA
1.3.6 Based on the risk assessment, identify changes to the scope. NA
1.3.7 Discuss the risks with IT management, and adjust the risk assessment.
[Reference: Audio_Alcance_Objetivos-Auditoria] [Comments: The possible IT risks were analyzed with the IT Manager.]
1.3.8 Based on the risk assessment, revise the scope. NA
1.4 Define the audit change process.
The initial audit approach is based on the reviewers understanding of the operating environment and
associated risks. As further research and analysis are performed, changes to the scope and approach
will result.
1.4.1 Identify the senior IT assurance resource responsible for the review.
[Comments: Yes, there are two people in charge of the IT area.]
1.4.2 Establish the process for suggesting and implementing changes to the audit/assurance
program and the authorizations required. [Comments: No process exists.]
1.5 Define assignment success.
The success factors need to be identified. Communication among the IT audit/assurance team, other
assurance teams and the enterprise is essential.
1.5.1 Identify the drivers for a successful review (this should exist in the assurance functions NA
standards and procedures).
1.5.2 Communicate success attributes to the process owner or stakeholder, and obtain agreement. NA
1.6 Define the audit/assurance resources required.
The resources required are defined in the introduction to this audit/assurance program.
1.6.1 Determine the audit/assurance skills necessary for the review.
[Reference: Reconocimiento_Habilidades_Roles]
1.6.2 Estimate the total resources (hours) and time frame (start and end dates) required for the
review. [Reference: Acta #2]
1.7 Define deliverables.
The deliverable is not limited to the final report. Communication between the audit/assurance teams
and the process owner is essential to assignment success.
1.7.1 Determine the interim deliverables, including initial findings, status reports, draft reports, due
dates for responses or meetings, and the final report.
[Reference: Acta #2] [Comments: It was agreed to deliver the detailed draft report and the executive report.]
1.8 Communicate.
The audit/assurance process must be clearly communicated to the customer/client.
1.8.1 Conduct an opening conference to discuss: [Reference: Alcance_Objetivos-Auditoria]
Review objectives with the stakeholders
Documents and information security resources required to perform an effective review
Timelines and deliverables
4.1.1.1.4 Determine if the organization maintains a properly labeled inventory of all
[Reference: Invetario] [Comments: Yes, it has one.]
within the virtualized environment, identify appropriate control mechanisms and ensure that residual
risk is within acceptable levels.
7. Identification of Risks [COBIT: PO9.3, PO9.5, AI6.2, ME4.2, ME4.5] [COSO: X X X] [Comments: NA]
Control: The risk management process provides a thorough assessment of the risks to the
business from implementing a virtualized environment and is aligned to ERM, if applicable.
7.1.1.1.1 Determine if the organization has an ERM model. NA
7.1.1.1.2 If an ERM model has been implemented, determine if the risk assessment of the NA
use of virtualization technology is aligned with the enterprises ERM.
7.1.1.1.3 Determine whether the decision to use virtualization technology will limit the NA
availability or execution of required information security activities, such as:
Vulnerability assessments and penetration testing
Availability of audit logs
Access to activity monitoring reports
Segregation of duties (SoD)
7.1.1.1.4 Determine if the risk management approach includes the following: NA
Identification and valuation of virtualized assets and applications
Identification and analysis of threats and vulnerabilities to the virtualized
environment with their potential impact on assets
Analysis of the likelihood of adverse events using a scenario approach
Documented management approval of risk acceptance levels and criteria
Risk action plans (control, avoid, transfer, accept)
7.1.1.1.5 Determine if the assets identified in the risk assessment included all virtualized NA
assets and if the information security classifications used in the risk assessments
are aligned with the ERM.
7.1.1.1.6 Determine if the risk assessment includes the capabilities and financial condition NA
of the (or each) vendor involved in providing virtualization capabilities to the
enterprise.
8. Acceptance of Risk [COBIT: PO9.4, PO9.5, AI1.3, ME4.5] [COSO: X X] [Comments: NA]
Control: Risk acceptance is approved by a member of management with the authority to accept
the risk on behalf of the organization and who understands the implications of the decision.
8.1.1.1.1 Determine if management has performed an analysis of its quantification and NA
acceptance of residual risk prior to implementing a VMware environment.
8.1.1.1.2 Determine if the individual accepting such risk has the authority to make this NA
decision.
9. Information Risk Management [Comments: NA]
Audit/Assurance Objective: A process to manage information risk exists and is integrated into the
organization's overall ERM framework. Information risk management information and metrics are
available for the information security function to manage risks within the risk tolerance of the data
owner.
10. Risk Management Framework and Maturity Model (COBIT: PO9.1, PO9.2, PO9.4, DS5.1, ME4.5; COSO: X X X; Comments: NA)
Control: A risk management framework and a maturity model have been implemented to quantify risk and assess the effectiveness of the risk model.
10.1.1.1.1 Determine if a risk framework has been identified and approved. (Comments: NA)
10.1.1.1.2 Determine if a maturity model is used to assess the effectiveness. (Comments: NA)
10.1.1.1.3 Review the maturity model results, and determine if the lack of maturity materially affects the audit objectives. (Comments: NA)
11. Risk Management Controls (COBIT: PO9.4, PO9.5, PO9.6; COSO: X X X; Comments: NA)
Control: Risk management controls are in effect to manage risk-based decisions.
11.1.1.1.1 Identify the technology controls and contractual requirements necessary to make fact-based information risk decisions. Consider: (Comments: NA)
- Use of information
- Access controls
- Security controls
- Physical security controls
- Privacy and data leak protection (DLP) controls
11.1.1.1.2 Ensure that the organization has clearly defined service levels for performance, security and availability for the virtualized environment. (Comments: NA)
11.1.1.1.3 Obtain the analytical data requirements, and determine whether the organization routinely monitors and evaluates them against expectations. (Comments: NA)
11.1.1.1.4 Determine whether the organization has identified the information available and the control practices necessary to manage the virtualized environment that address availability, confidentiality, data ownership, e-discovery, privacy and legal issues. (Comments: NA)
11.1.1.1.5 Determine whether the organization has established suitable monitoring practices to identify risk issues. (Comments: NA)
11.1.1.1.6 Determine whether the organization has identified and monitors the control and security processes in a virtualized environment necessary to provide for secure operations. (Comments: NA)
11.1.1.1.7 Determine if the VMware server virtualized environment provides appropriate metrics and controls to assist in implementing information risk management requirements. (Comments: NA)
12. PREFIELDWORK PREPARATION
12.1 Obtain and review the current organizational chart for the management and security functions of the VMware ESX/ESXi operating environment. (Hyperlink: "Características del Servidor" (server characteristics))
13. Determine whether an audit of the VMware ESX environment has been performed. (Hyperlink: "Características del Servidor" (server characteristics); Comments: Not performed.)
13.1.1 If an audit had been performed, obtain the work papers for the previous audit. (Comments: NA)
14. Review the security configuration, and determine if identified issues have been corrected. (Comments: NA)
15. Determine the specific version of the VMware hypervisor(s) installed, namely, VMware ESX, VMware ESXi, or VMware Server (note 1). (Comments: The ESXi hypervisor is the one used for virtualization.)
16. In the case of VMware Server, determine the host OS(s) and version(s), e.g., Windows, Linux, or UNIX versions. (Hyperlink: "Acuerdo de confidencialidad" (confidentiality agreement); Cross-reference: "Acuerdo de confidencialidad"; Comments: Different operating systems are installed, but under the confidentiality agreement their characteristics cannot be shown. VMware ESXi 6.5 Build 5310538.)
17. Determine and document the type of storage array available to VMware. Examples include: (Hyperlink: "Características SAN" (SAN characteristics); Cross-reference: "Características SAN"; Comments: There is currently an external SAN storage system, a Storage V7000.)
- Internet Small Computer Systems Interface (iSCSI)
- Storage Attached Network (SAN)
- Network File System (NFS), on UNIX or Linux systems
Note 1: ESX and ESXi run directly on the hardware without an intervening OS, while VMware Server runs as a process under an existing OS. Security with ESXi needs more (manual) attention than ESX.
18. Select the VMware servers to be included in the review.
18.1.1 Based on the prioritized list of servers developed previously, identify the virtualized servers to be included in the review. Be sure that there is a representative sample of high-risk servers. A group of servers may have similar functions or risk levels and can be aggregated into a group. (Hyperlink: "Link de Hosts" (hosts link); Cross-reference: "Link de Hosts"; Comments: Yes, there is an established list from which two are chosen. One ESXi server can be analyzed.)
18.1.2 Determine if there is a corporate standard server configuration and related settings for each type of server. (Hyperlink: "Acuerdo de confidencialidad" (confidentiality agreement); Cross-reference: "Acuerdo de confidencialidad"; Comments: Yes, it exists, but the configuration cannot be provided because of confidentiality agreements.)
19. Obtain documentation for the virtualized servers to be reviewed.
19.1.1 Obtain the latest architectural diagram(s) of the virtualized environment. (Hyperlink: "Diagrama de arquitectura virtualizada" (virtualized architecture diagram); Cross-reference: "Diagrama de la arquitectura virtualizada"; Comments: Yes, there is a diagram of the architecture of the virtualized environment.)
19.1.2 Using the VMware Infrastructure Client (VIC), determine the hierarchy of objects in the ESX deployment: (Hyperlink: "Link de Hosts" (hosts link); Cross-reference: "Link de Hosts"; Comments: Documentation of the characteristics of the VMware infrastructure is available. The VMs inside the hosts cannot be shown.)
- All virtualized hosts (VMs)
- Details of each VM: central processing unit (CPU), storage, OS, applications
- Privileged users on a sample of VMs
19.1.3 Obtain an understanding of the ESX operating environment and relevant management issues.
19.1.3.1 Interview the senior management individual (manager or director) responsible for the VMware ESX environment to gain an understanding of policies, procedures and known issues. (Comments: The PM Manager is responsible for the policies and procedures for the virtualized environments during projects.)
23.1.1.2 Determine that at least two suitable senior individuals in IT know the root password and that they have been granted the privileged access on a need to know basis. (Hyperlink: "Acuerdo de confidencialidad" (confidentiality agreement); Cross-reference: 1.4.1; Comments: Yes, there are two people in charge in the IT area who know the password.)
23.1.1.3 Determine that all such privileged users have their own individual local accounts. (Hyperlink: "Acuerdo de confidencialidad" (confidentiality agreement); Comments: There is a single user account as administrator.)
23.1.1.4 Determine that a copy of the root password is securely stored under the control of a suitable nonoperations management individual for use in an emergency. (Hyperlink: "Acuerdo de confidencialidad" (confidentiality agreement); Comments: The passwords are stored in a plain text file, which is kept in the custody of the IT Manager.)
24. Lockdown Mode (COBIT: AI3.2, DS5.1, DS5.7; COSO: X)
Control: ESX is configured for maximum security.
24.1.1.1 Select Configure Lockdown Mode, and determine if ESX is configured in Lockdown Mode, which disables direct root access. (Hyperlink: "Acuerdo de confidencialidad" (confidentiality agreement); Comments: Lockdown Mode is disabled, since root access is available.)
25. The ESXi shell is protected. (COBIT: AI3.2, DS5.7, DS9.1; COSO: X)
Control: SSH access to the Busybox shell is not enabled (note 2).
25.1.1.1 Determine that SSH access into the ESXi management console has NOT been enabled (which compromises the security shell around the console tool). (Hyperlink: "Acuerdo de confidencialidad" (confidentiality agreement); Comments: Yes, SSH access is disabled.)
26. Adequate audit trails exist. (COBIT: AI6.4, DS5.5; COSO: X)
Control: Remote logging is configured to log actions by privileged users.
26.1.1.1 Determine that Remote Logging has been configured to capture events from the following: (1) the VC, Lab, Site, LifeCycle and Update Manager hosts, and (2) the MS Windows workstation from which the VIC, RCLI, and VI SDK applications are launched. (Hyperlink: "Imagen_eventos_log"; Comments: Yes, it captures events from VC and Update Manager.)
26.1.1.2 Determine that log files are protected against unauthorized changes: review security policies, determine ownership of log files and access permissions, and which users have access to the log files. (Hyperlink: "Acuerdo de confidencialidad" (confidentiality agreement); Comments: Yes, protection against unauthorized access exists.)
26.1.1.3 Determine that IT security regularly reviews log files for security anomalies, preferably using a good practices software tool. (Comments: There is no one in charge of reviewing the logs monthly.)
26.1.1.4 Determine that all log files are included in the normal backup and restore functions. (Comments: No backup of the logs is performed.)
26.1.1.5 Determine that access is restricted to backup copies of log files, both onsite and offsite. (Comments: NA. The backup of the logs is performed only by authorized persons.)
27. The VMware ESX or ESXi hypervisor is regularly updated. (COBIT: AI6.1, AI6.4, DS9.2; COSO: X)
Control: Appropriate patching procedures are in place and regularly activated.
Note 2: When VMware ESXi boots, it starts Busybox, a Linux-like (more accurately POSIX) environment that provides a management appliance VM with several useful Linux tools.
27.1.1.1 Examine documentary evidence that the enterprise monitors VMware security status for current patches and regularly applies necessary patches using VMware Update Manager (VUM). (Comments: The servers are updated manually, but the process is not documented.)
27.1.1.2 Determine that VMware patching is included with the enterprise strategy for deploying other patches in a safely tested and orderly fashion. (Comments: It is not implicit in the enterprise's strategies.)
27.1.1.3 Obtain explanations for any recent VMware patches that have not been installed. (Comments: NA)
28. Separation of Management and Regular Functions (COBIT: DS5.10, DS9.1, DS9.2; COSO: X; Comments: Yes, the server has one network for administration and another for the virtual machines, through the configured NICs.)
Control: VMware ESX is configured with at least two networks: one for VMs and one for system management.
28.1.1.1 Determine that a separate network is configured for VMware management by reviewing the most current architecture diagram and capturing the relevant IP addresses and network masks (to confirm that VMs are multi-homed). (Comments: NA)
28.1.1.2 Determine that access to the management network is restricted to a limited number of
(Comments: NA)
Note 3: Examples of such tools include Bastille, Defense Information Systems Agency (DISA) Security Technical Implementation Guide (STIG) and Tripwire ConfigCheck.
Audit/Assurance Objective: The virtualized environment is protected against unauthorized access to the VMs' disk files.
31. Disk storage is properly isolated. (COBIT: DS9.1, DS9.2, DS9.3; COSO: X)
Control: The VM repository or datastore cannot be accessed directly by any VM.
31.1.1.1 Determine, from architecture diagrams, that only virtualization hosts and VMware Consolidated Backup (VCB) proxy servers can access VM repositories and datastores. (Comments: NA, there is no proxy server.)
31.1.1.2 Determine that all network traffic to and from storage repositories is isolated from nonstorage traffic. (Comments: NA, there is a single data traffic network. The storage arrays have path redundancy to ensure availability.)
31.1.1.3 If a VCB proxy server is in use, determine whether the communication from the VCB server to the storage array is secure; suitable techniques include IPsec (note 4) and CHAP (note 5) authentication. (Comments: NA)
31.1.1.4 In the case of NFS, determine that appropriate security architecture exists: (Comments: NA)
- NFS traffic is isolated on its own set of physical switches.
- Access to the NFS server is restricted by specifying the actual IP addresses of the ESX/ESXi kernel device dedicated to handling NFS traffic.
31.1.1.5 Determine that SSH is disabled on ESX and ESXi environments. (Cross-reference: 4.1.4.1; Comments: SSH is disabled, but when needed the SSH service is started.)
Note 4: Internet Protocol Security (IPsec) is an end-to-end security protocol, operating in the Internet layer of the IP suite, which encrypts all packets of a communication session.
Note 5: Challenge Handshake Authentication Protocol (CHAP) is used to validate the identity of remote clients by using a cryptographically strong three-way handshake.
31.1.1.6 Determine from the latest architectural diagram that VMotion traffic is isolated from all other traffic, e.g., on its own virtual LAN (VLAN). (Comments: NA)
31.1.1.7 Determine that VMs in a less trusted security zone (e.g., the demilitarized zone [DMZ]) are not on the same hosts as VMs in more trusted security zones (e.g., production, test, quality assurance [QA], management). (Comments: N/A. A DMZ exists but it is within the same host.)
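Steps 24.1.1.1 (Lockdown Mode), 25.1.1.1 (SSH), 26.1.1.1 (remote logging), 28.1.1.1 (management network separation) and 31.1.1.2, 31.1.1.6 and 31.1.1.7 (storage, VMotion and trust-zone isolation) are each a yes/no test over a host's configuration, so the evidence for all of them can be evaluated together. The following Python script is an added example, not part of the ISACA program and not VMware's tooling: it evaluates constructed host configuration records against those steps and lists the steps that fail. The HostConfig/VmkernelPort/VirtualMachine data model, the VLAN-based notion of an "isolated" network and the two sample hosts are assumptions made for illustration; in a real review the fields would be populated from the configuration captured through the VIC and from the architecture diagram.

```python
"""Evaluate ESXi host configuration records against the configuration-oriented
steps of this program (24.1.1.1, 25.1.1.1, 26.1.1.1, 28.1.1.1, 31.1.1.2,
31.1.1.6, 31.1.1.7).  Added example: the data model below is an assumption
made for illustration, not VMware's API; the host records are constructed."""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class VmkernelPort:
    name: str                     # e.g. "vmk0"
    vlan: int                     # VLAN of the port's port group
    services: Tuple[str, ...]     # any of "management", "vmotion", "storage"


@dataclass(frozen=True)
class VirtualMachine:
    name: str
    zone: str                     # "dmz", "production", "test", "qa", "management"
    vlan: int                     # VLAN of the VM's port group


@dataclass(frozen=True)
class HostConfig:
    name: str
    lockdown_mode: bool                    # step 24.1.1.1
    ssh_running: bool                      # steps 25.1.1.1 / 31.1.1.5
    syslog_remote_hosts: Tuple[str, ...]   # step 26.1.1.1
    vmkernel: Tuple[VmkernelPort, ...]
    vms: Tuple[VirtualMachine, ...]


@dataclass(frozen=True)
class Finding:
    step: str
    passed: bool
    detail: str


def _isolated(host: HostConfig, service: str) -> bool:
    """True when `service` runs on vmkernel port(s) that carry no other service
    and sit on VLAN(s) shared neither with VM port groups nor with other
    vmkernel ports: the evidence asked for in 28.1.1.1 (management),
    31.1.1.2 (storage) and 31.1.1.6 (VMotion)."""
    ports = [p for p in host.vmkernel if service in p.services]
    if not ports:
        return False
    if any(len(p.services) > 1 for p in ports):
        return False   # service shares a vmkernel port with another service
    mine = {p.vlan for p in ports}
    vm_vlans = {vm.vlan for vm in host.vms}
    other_vlans = {p.vlan for p in host.vmkernel if service not in p.services}
    return mine.isdisjoint(vm_vlans) and mine.isdisjoint(other_vlans)


def _finding(step: str, ok: bool, pass_msg: str, fail_msg: str) -> Finding:
    return Finding(step, ok, pass_msg if ok else fail_msg)


def audit_host(host: HostConfig) -> List[Finding]:
    """Return one Finding per program step, in program order."""
    zones = {vm.zone for vm in host.vms}
    dmz_co_hosted = "dmz" in zones and len(zones) > 1
    return [
        _finding("24.1.1.1", host.lockdown_mode, "Lockdown Mode enabled",
                 "Lockdown Mode disabled: direct root access is possible"),
        _finding("25.1.1.1", not host.ssh_running, "SSH service stopped",
                 "SSH access to the management console is enabled"),
        _finding("26.1.1.1", bool(host.syslog_remote_hosts),
                 "remote logging to " + ", ".join(host.syslog_remote_hosts),
                 "no remote logging configured"),
        _finding("28.1.1.1", _isolated(host, "management"),
                 "management traffic on its own network",
                 "management network shared with VM or other vmkernel traffic"),
        _finding("31.1.1.2", _isolated(host, "storage"), "storage traffic isolated",
                 "storage traffic shares a network with nonstorage traffic"),
        _finding("31.1.1.6", _isolated(host, "vmotion"), "VMotion traffic on its own VLAN",
                 "VMotion traffic not isolated"),
        _finding("31.1.1.7", not dmz_co_hosted,
                 "no DMZ VM shares a host with more trusted zones",
                 "DMZ VMs co-hosted with VMs in more trusted zones"),
    ]


def failed_steps(host: HostConfig) -> List[str]:
    return [f.step for f in audit_host(host) if not f.passed]


# Constructed records, not data from any real environment.
AS_FOUND = HostConfig(
    name="esxi-as-found", lockdown_mode=False, ssh_running=False,
    syslog_remote_hosts=("syslog.example.test",),
    vmkernel=(VmkernelPort("vmk0", 10, ("management",)),
              VmkernelPort("vmk1", 20, ("vmotion", "storage"))),
    vms=(VirtualMachine("web-dmz-01", "dmz", 30),
         VirtualMachine("erp-prod-01", "production", 40)))

HARDENED = HostConfig(
    name="esxi-hardened", lockdown_mode=True, ssh_running=False,
    syslog_remote_hosts=("syslog.example.test",),
    vmkernel=(VmkernelPort("vmk0", 10, ("management",)),
              VmkernelPort("vmk1", 20, ("vmotion",)),
              VmkernelPort("vmk2", 30, ("storage",))),
    vms=(VirtualMachine("erp-prod-01", "production", 40),
         VirtualMachine("erp-test-01", "test", 41)))

if __name__ == "__main__":
    for host in (AS_FOUND, HARDENED):
        print(host.name)
        for f in audit_host(host):
            print("  %-9s %s  %s" % (f.step, "PASS" if f.passed else "FAIL", f.detail))
```

The as-found record mirrors the pattern of findings recorded above (Lockdown Mode off, a DMZ VM on the same host as production, storage sharing a network with other traffic) and fails four steps; the hardened record passes all seven. The isolation test is deliberately strict: a vmkernel port carrying two services, or a VLAN reused by a VM port group, is reported as a failure even if the diagram labels the networks separately.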
31.2 Creation of VMs is controlled.
Audit/Assurance Objective: Appropriate procedural controls exist to ensure that all operating VMs are properly authorized and configured.
32. VM Maintenance (COBIT: AI3.2, AI3.3, AI6.4; COSO: X)
Control: Creation, modification and removal of VMs are reviewed and monitored and require appropriate authorizations.
32.1.1.1 Determine that a formal review process is in place and operating to create, modify or remove VMs. Gain a copy of the written policy and corresponding standard operating procedure (SOP). (Comments: A process exists, but each project documents the machines it creates, modifies or deletes. It is not formally documented.)
32.1.1.1.1 Gather a sample of documented VM changes, and compare to the documented policy/SOP. (Comments: NA)
32.1.1.1.2 Determine whether one or more standard templates is used to configure new VMs to enterprise standards for each class of server (Web, email, application, database, etc.). (Comments: The vendors' own standard templates are used. If a customized image is needed, the client must provide that image.)
32.2 Propagation of VMs into production is adequately controlled.
Audit/Assurance Objective: Change control procedures are in place to provide assurance that VMs are promoted into production only after being inspected for quality or security defects.
33. VM Change Management and Promotion to Production (COBIT: AI3.3, AI6.4; COSO: X)
Control: VM changes are subject to appropriate review and authorization prior to introduction into the production environment.
33.1.1.1 Obtain a copy of the documented policy and procedures for promoting VMs into production. Determine that relevant approvals are required and documented from development, test and QA. (Hyperlink: "Acuerdo de confidencialidad" (confidentiality agreement); Comments: Viewing is permitted only to the audit team.)
33.1.1.2 Select a representative sample of VM promotions to production. Determine that policies and procedures have been followed. (Hyperlink: "Acuerdo de confidencialidad" (confidentiality agreement); Comments: The policies for promoting the application virtual machine are complied with; viewing is permitted only to the audit team.)
34. Promotions to production maintain required security. (COBIT: AI3.3, AI6.4, DS5.7; COSO: X)
Control: VM changes/additions to production maintain appropriate security.
34.1.1.1 Determine that no connectivity exists between VMs of different trust levels. (Comments: There are no different levels of connectivity. There are networks for each of the processes.)
34.1.1.2 Determine that third-party tools (if any), such as performance monitors or intrusion detection software, do not bridge trust zones in the virtualized environment. (Comments: NA)
34.1.1.3 Determine that the remote restart network is segmented from other networks. (Comments: NA)
34.1.1.4 Determine that remote-based domain controllers are installed with a dedicated modem and telephone line that includes a password and dial-back feature to a specific telephone number. (Comments: Does not exist.)
35. Capacity Planning
Audit/Assurance Objective: The enterprise regularly reviews the VMware virtualized environment to identify current and anticipated performance and capacity bottlenecks in a proactive manner.
36. A capacity planning tool, such as VMware Capacity Planner, is in use to monitor the VMware environment's current performance. (COBIT: ME4.6; COSO: X X X)
Control: Use of a software tool to monitor actual performance and capacity of the VMware environment will alert the enterprise to potential bottlenecks before they occur.
36.1.1.1 Determine from IT management whether and how often capacity planning statistics are gathered and documented for the VMware environment. (Comments: Capacity planning is done according to the service provided, but it is not documented. At the start of a project, an estimate of the storage capacity is made.)
36.1.1.2 Determine whether IT management uses a formal software tool, such as VMware Capacity Planner, to gather operational performance statistics, such as CPU cycles, number of servers, disk storage, network throughput, etc. (Comments: Yes, VMware's own tools are used.)
Maturity assessment table columns: COBIT Control Objectives | Reference Hyperlink | Assessed Maturity | Target Maturity | Comments
PO4 Define the IT processes, organisation and relationships: An IT organisation is defined by considering requirements for staff, skills, functions, accountability, authority, roles and responsibilities, and supervision. This organisation is embedded into an IT process framework that ensures transparency and control as well as the involvement of senior executives and business management. A strategy committee ensures board oversight of IT, and one or more steering committees in which business and IT participate determine the prioritisation of IT resources in line with business needs. Processes, administrative policies and procedures are in place for all functions, with specific attention to control, quality assurance, risk management, information security, data and systems ownership, and segregation of duties. To ensure timely support of business requirements, IT is to be involved in relevant decision processes.
PO9.4 Risk assessment: Assess on a recurrent basis the likelihood and impact of all identified risks, using qualitative and quantitative methods. The likelihood and impact associated with inherent and residual risk should be determined individually, by category and on a portfolio basis.
PO9.6 Maintenance and monitoring of a risk action plan: Prioritise and plan the control activities at all levels to implement the risk responses identified as necessary, including identification of costs, benefits and responsibility for execution. Obtain approval for recommended actions and acceptance of any residual risks, and ensure that committed actions are owned by the affected process owner(s). Monitor execution of the plans, and report on any deviations to senior management.
AI3 Acquire and maintain technology infrastructure: Organisations have processes for the acquisition, implementation and upgrade of the technology infrastructure. This requires a planned approach to acquisition, maintenance and protection of infrastructure in line with agreed-upon technology strategies and the provision of development and test environments. This ensures that there is ongoing technological support for business applications.
of hardware and infrastructural software to protect resources and ensure availability and integrity. Responsibilities for using sensitive infrastructure components should be clearly defined and understood by those who develop and integrate infrastructure components. Their use should be monitored and evaluated.
AI6.4 Change status tracking and reporting: Establish a tracking and reporting system to document rejected changes, communicate the status of approved and in-process changes, and complete changes. Make certain that approved changes are implemented as planned.
DS5 Ensure systems security: The need to maintain the integrity of information and protect IT assets requires a security management process. This process includes establishing and maintaining IT security roles and responsibilities, policies, standards, and procedures. Security management also includes performing security monitoring and periodic testing and implementing corrective actions for identified security weaknesses or incidents.
DS5.3 Identity management: Ensure that all users (internal, external and temporary) and their activity on IT systems (business application, IT environment, system operations, development and maintenance) are uniquely identifiable. Enable user identities via authentication mechanisms. Confirm that user access rights to systems and data are in line with defined and documented business needs and that job requirements are attached to user identities. Ensure that user access rights are requested by user management, approved by system owners and implemented by the security-responsible person. Maintain user identities and access rights in a central repository. Deploy cost-effective technical and procedural measures, and keep them current to establish user identification, implement authentication and enforce access rights.
DS5.5 Security testing, surveillance and monitoring: Test and monitor the IT security implementation in a proactive way. IT security should be reaccredited in a timely manner to ensure that the approved enterprise's information security baseline is maintained.
DS5.10 Network security: Use security techniques and related management procedures (e.g., firewalls, security appliances, network segmentation, intrusion detection/protection) to authorize access and control information flows from and to networks.
DS9 Manage the configuration: Ensuring the integrity of hardware and software configurations requires the establishment and maintenance of an accurate and complete configuration repository. This process includes collecting initial configuration information, establishing baselines, verifying and auditing configuration information, and updating the configuration repository as needed.
organisation's IT policies, standards, procedures and methodologies.
ME4 Provide IT governance: Establishing an effective governance framework includes defining organisational structures, processes, leadership, roles and responsibilities to ensure that enterprise IT investments are aligned and delivered in accordance with enterprise strategies and objectives.
ME4.5 Risk management: Work with the board to define the enterprise's appetite for IT risk, and obtain reasonable assurance that IT risk management practices are appropriate to ensure that the actual IT risk does not exceed the board's risk appetite. Embed risk management responsibilities into the organisation, ensuring that the business and IT regularly assess and report IT-related risks and their impact and that the enterprise's IT risk position is transparent to all stakeholders.
remedial action. Report to the board relevant portfolios, programme and IT performance, supported by reports to enable senior management to review the enterprise's progress toward identified goals.
A so-called bare-metal hypervisor installs directly on the hardware, with no intervening operating system, such as Windows or Linux. As such, it is optimized for a particular type of hardware and provides high utilization of the hardware, typically in the 90 percent range. The VMware ESX (and ESXi) hypervisor is a successful example of a bare-metal hypervisor. In summary, the VMware virtualization model comprises a three-level structure:
- VM layer: This houses the various hosted OSs and applications in separated VMs, each of which sees itself as a physical machine with its own hardware.
- ESX layer: The VM ESX kernel, residing in this layer, schedules the physical hardware (local CPUs, memory, hard disks, local network cables, local storage bus adapters) for the VMs, together with the management interface.
- Shared resources layer: The physical hardware subsystems such as storage and physical network, shared by many VMs.
The following three useful components are not standard with VI3 and can be purchased separately:
- Virtual Center (VC): The centralized management console for configuring hosts and VMs and also for creating fault-tolerant clusters
- Converter: Used to convert physical Windows machines into VMs and restore backup images created by a VCB
- Capacity Planner: An agentless, hosted application service that gathers data about the IT infrastructure
An appropriate set of performance metrics provides the raw data to identify bottlenecks and also to model future performance under the impact of expected changes in the business environment. The following table shows a suggested set of VMware metrics that will assist in the tasks of performance evaluation and capacity management. They are collected by VMware's Virtual Center (VC) component.
CPU Metrics
Metric | Details | Good Practice

cpu.ready.summation
  Details: Indicates whether a VM is having CPU ready issues, resulting from CPU over-utilization, e.g., if VMs are contending for limited CPU time.
  Good practice: A CPU Ready bottleneck occurs when more than 5 percent of time involved in a CPU transaction by a VM is in wait time for the resource.

cpu.usagemhz.average
  Details: Measures CPU utilization at the VM level.
  Good practice: VMs with high values for this metric may be negatively impacting other VMs.

disk.busResets.summation
  Details: A value for this metric indicates a possible disk overload issue due to: too many VMs accessing the disk; too many I/Os from the VMs to the disk; hardware failure.
  Good practice: Reallocate storage, e.g., spread busy files across multiple physical drives. Move VMs to other datastores with available capacity.

disk.commandsAborted.summation
  Details: The number of times a request was sent to a disk and was aborted. Similar reasons to above.
  Good practice: Reallocate storage, e.g., spread busy files across multiple physical drives. Move VMs to other datastores with available capacity.

disk.totalLatency.average
  Details: Measures a disk's total latency, i.e., time taken to complete an I/O. A value in this metric indicates a bottleneck.
  Good practice: Balance workloads by rightsizing resources allocated to the top consuming VMs to reduce load on bottlenecked disk(s) and/or by moving these VMs to other datastores.

disk.queueLatency.average
  Details: Shows the average time an I/O command waits in a queue to be processed by the disk. A value in this metric indicates a bottleneck.
  Good practice: Balance workloads by rightsizing resources allocated to the top consuming VMs to reduce load on bottlenecked disk(s) and/or by moving these VMs to other datastores.

disk.read.average, disk.write.average
  Details: These two metrics show real-time traffic levels from and to a disk, respectively, at the VM level. The average of the two metrics gives a measure of disk throughput.
  Good practice: A graph of throughput over time shows VM performance and problems that may be impacting other VMs.

mem.consumed.average
  Details: Measures the number of memory pages a VM is using in real time. This statistic indicates whether a memory bottleneck exists or whether a VM is a memory hog.
  Good practice: Add more memory, or move the offending VM(s) to a host with more available memory.

mem.overhead.average
  Details: Measures the amount of memory used to manage allocated memory at the VM level, i.e., the memory administration overhead.
  Good practice: Rightsize VMs that have excessive memory allocations, or move them to hosts with more available memory.

mem.swapin.average, mem.swapout.average, mem.swapped.average
  Details: Indicate that bottlenecks are occurring in memory swapping, i.e., virtual storage administration. If so, performance may be severely degraded.
  Good practice: Excessive VM swaps indicate the need for additional memory resources.

mem.vmmemctl.average
  Details: A value in this metric indicates that ballooning is occurring, i.e., when VMs come close to system limits on memory use. This indicates a bottleneck.
  Good practice: Change memory allocation parameters and/or move VMs to hosts with more available memory.
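To turn the good-practice column of the table into something a reviewer can run over collected samples, the following Python script is an added example (not from the ISACA program and not VMware's tooling). It encodes the table's rules: the 5 percent CPU Ready limit; nonzero bus resets, aborted commands, swap and balloon values as bottleneck indicators; latency as a bottleneck indicator; and the average of disk.read and disk.write as the throughput figure. The sample values, the 20-second real-time interval used to convert cpu.ready.summation (milliseconds of ready time accumulated over the interval) into a percentage, the division by the VM's vCPU count, and the latency_limit_ms parameter are assumptions of this example, not values from the table.

```python
"""Apply the good-practice rules from the metrics table to constructed
vCenter performance samples.  Added example: the sample values, the 20 s
real-time sampling interval and the per-vCPU normalisation of
cpu.ready.summation are assumptions, not part of the program text."""
from dataclasses import dataclass
from typing import Dict, List, Sequence


@dataclass(frozen=True)
class VmSample:
    """One sampling interval of the metrics the table lists, for one VM.
    Counters named *.summation are totals over the interval; *.average are
    interval averages (ms for latency, KBps for throughput, KB for memory)."""
    vm: str
    vcpus: int
    interval_s: int = 20                      # assumed real-time chart interval
    cpu_ready_summation_ms: float = 0.0
    cpu_usagemhz_average: float = 0.0
    disk_bus_resets_summation: int = 0
    disk_commands_aborted_summation: int = 0
    disk_total_latency_average_ms: float = 0.0
    disk_queue_latency_average_ms: float = 0.0
    disk_read_average_kbps: float = 0.0
    disk_write_average_kbps: float = 0.0
    mem_swapin_average_kb: float = 0.0
    mem_swapout_average_kb: float = 0.0
    mem_swapped_average_kb: float = 0.0
    mem_vmmemctl_average_kb: float = 0.0


# From the table: a CPU Ready bottleneck when more than 5 percent is wait time.
CPU_READY_LIMIT_PCT = 5.0


def cpu_ready_percent(s: VmSample) -> float:
    """Convert cpu.ready.summation (ms of ready time accumulated over the
    interval, summed across the VM's vCPUs) into a per-vCPU percentage."""
    return s.cpu_ready_summation_ms * 100.0 / (s.interval_s * 1000.0 * s.vcpus)


def disk_throughput_kbps(s: VmSample) -> float:
    """The table's throughput figure: the average of disk.read and disk.write."""
    return (s.disk_read_average_kbps + s.disk_write_average_kbps) / 2.0


def evaluate(s: VmSample, latency_limit_ms: float = 0.0) -> Dict[str, str]:
    """Return {rule: good-practice action} for each table rule that fires.
    The table treats any nonzero value of the disk, swap and balloon metrics
    as a bottleneck indicator; latency_limit_ms lets a reviewer raise the
    latency bar above zero (an assumption, not a value from the table)."""
    fired: Dict[str, str] = {}
    if cpu_ready_percent(s) > CPU_READY_LIMIT_PCT:
        fired["cpu.ready"] = ("CPU Ready bottleneck: VM is waiting for CPU time; "
                              "review CPU contention on the host")
    if s.disk_bus_resets_summation or s.disk_commands_aborted_summation:
        fired["disk.resets"] = ("possible disk overload: spread busy files across "
                                "physical drives or move VMs to datastores with capacity")
    if (s.disk_total_latency_average_ms > latency_limit_ms
            or s.disk_queue_latency_average_ms > latency_limit_ms):
        fired["disk.latency"] = ("disk bottleneck: rightsize the top-consuming VMs "
                                 "or move them to other datastores")
    if s.mem_swapin_average_kb or s.mem_swapout_average_kb or s.mem_swapped_average_kb:
        fired["mem.swap"] = "memory swapping: additional memory resources are needed"
    if s.mem_vmmemctl_average_kb:
        fired["mem.balloon"] = ("ballooning: change memory allocation parameters "
                                "or move the VM to a host with more available memory")
    return fired


def rank_by_cpu_ready(samples: Sequence[VmSample]) -> List[str]:
    """VM names ordered from most to least CPU-starved."""
    return [s.vm for s in sorted(samples, key=cpu_ready_percent, reverse=True)]


# Constructed samples, not measurements from any real environment.
SAMPLES = (
    VmSample("db-prod-01", vcpus=4, cpu_ready_summation_ms=6400,
             disk_total_latency_average_ms=25.0, mem_vmmemctl_average_kb=524288),
    VmSample("web-prod-02", vcpus=2, cpu_ready_summation_ms=400,
             disk_read_average_kbps=1200, disk_write_average_kbps=800),
)

if __name__ == "__main__":
    for s in SAMPLES:
        print(s.vm, "cpu ready %.1f%%" % cpu_ready_percent(s),
              "throughput %.0f KBps" % disk_throughput_kbps(s))
        for rule, action in evaluate(s).items():
            print("   ", rule, "->", action)
```

With these samples the database VM shows 8 percent CPU Ready per vCPU (6400 ms over a 20 s interval across 4 vCPUs), a nonzero latency and ballooning, so three rules fire; the web VM sits at 1 percent and triggers nothing. Raising latency_limit_ms to 30 silences the latency rule for the database VM, which is the kind of tuning a reviewer should document rather than apply silently.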