Infrastructure and Virtualization Security

A key component of the Information Security Program is the set of infrastructure and virtualization security policies.

IVS Control Domains

IVS-01: Audit Logging / Intrusion Detection -

  • IVS-01.1: Are file integrity (host) and network intrusion detection (IDS) tools implemented to help facilitate timely detection, investigation by root cause analysis, and response to incidents?


Policy to be referenced here is INSERT
*Action item: INSERT

  • IVS-01.2: Is physical and logical user access to audit logs restricted to authorized personnel?


Policy to be referenced here is INSERT
*Action item: INSERT

  • IVS-01.3: Can you provide evidence that due diligence mapping of regulations and standards to your controls/architecture/processes has been performed?


Policy to be referenced here is INSERT
*Action item: INSERT

  • IVS-01.4: Are audit logs centrally stored and retained?


Policy to be referenced here is INSERT
*Action item: INSERT

  • IVS-01.5: Are audit logs reviewed on a regular basis for security events (e.g., with automated tools)?


Policy to be referenced here is INSERT
*Action item: INSERT

IVS-02: Change Detection -

  • IVS-02.1: Do you log and alert any changes made to virtual machine images regardless of their running state (e.g., dormant, off or running)?


Policy to be referenced here is INSERT
*Action item: INSERT

  • IVS-02.2: Does the virtual machine management infrastructure include a tamper audit or software integrity function to detect changes to the build/configuration of the virtual machine?


Policy to be referenced here is INSERT
*Action item: INSERT

  • IVS-02.3: Are changes made to virtual machines, or moving of an image and subsequent validation of the image's integrity, made immediately available to customers through electronic methods (e.g., portals or alerts)?


Policy to be referenced here is INSERT
*Action item: INSERT

IVS-03: Clock Synchronization -

  • IVS-03.1: Do you use a synchronized time-service protocol (e.g., NTP) to ensure all systems have a common time reference?


Policy to be referenced here is INSERT
*Action item: INSERT

IVS-04: Capacity / Resource Planning -

  • IVS-04.1: Do you provide documentation regarding what levels of system (e.g., network, storage, memory, I/O, etc.) oversubscription you maintain and under what circumstances/scenarios?


Policy to be referenced here is INSERT
*Action item: INSERT

  • IVS-04.2: Do you restrict use of the memory oversubscription capabilities present in the hypervisor?


Policy to be referenced here is INSERT
*Action item: INSERT

  • IVS-04.3: Do your system's capacity requirements take into account current, projected, and anticipated capacity needs for all systems used to provide services to the tenants?


Policy to be referenced here is INSERT
*Action item: INSERT

  • IVS-04.4: Is system performance monitored and tuned in order to continuously meet regulatory, contractual, and business requirements for all the systems used to provide services to the tenants?


Policy to be referenced here is INSERT
*Action item: INSERT

IVS-05: Management / Vulnerability Management -

  • IVS-05.1: Do security vulnerability assessment tools or services accommodate the virtualization technologies being used (e.g., virtualization aware)?


Policy to be referenced here is INSERT
*Action item: INSERT

IVS-06: Network Security -

  • IVS-06.1: For your IaaS offering, do you provide customers with guidance on how to create a layered security architecture equivalence using your virtualized solution?


Policy to be referenced here is INSERT
*Action item: INSERT

  • IVS-06.2: Do you regularly update network architecture diagrams that include data flows between security domains/zones?


Policy to be referenced here is INSERT
*Action item: INSERT

  • IVS-06.3: Do you regularly review for appropriateness the allowed access/connectivity (e.g., firewall rules) between security domains/zones within the network?


Policy to be referenced here is INSERT
*Action item: INSERT

  • IVS-06.4: Are all firewall access control lists documented with business justification?


Policy to be referenced here is INSERT
*Action item: INSERT

IVS-07: OS Hardening and Base Controls -

  • IVS-07.1: Are operating systems hardened to provide only the necessary ports, protocols, and services to meet business needs using technical controls (e.g., antivirus, file integrity monitoring, and logging) as part of their baseline build standard or template?


Policy to be referenced here is INSERT
*Action item: INSERT

IVS-08: Production / Non-Production Environments -

  • IVS-08.1: For your SaaS or PaaS offering, do you provide tenants with separate environments for production and test processes?


Policy to be referenced here is INSERT
*Action item: INSERT

  • IVS-08.2: For your IaaS offering, do you provide tenants with guidance on how to create suitable production and test environments?


Policy to be referenced here is INSERT
*Action item: INSERT

  • IVS-08.3: Do you logically and physically segregate production and non-production environments?


Policy to be referenced here is INSERT
*Action item: INSERT

IVS-09: Segmentation -

  • IVS-09.1: Are system and network environments protected by a firewall or virtual firewall to ensure business and customer security requirements?


Policy to be referenced here is INSERT
*Action item: INSERT

  • IVS-09.2: Are system and network environments protected by a firewall or virtual firewall to ensure compliance with legal, regulatory and contractual requirements?


Policy to be referenced here is INSERT
*Action item: INSERT

  • IVS-09.3: Have you implemented the necessary measures for the appropriate isolation and segmentation of tenants' access to infrastructure system and network components, in adherence to established policies, legal, statutory, and regulatory compliance obligations?


Policy to be referenced here is INSERT
*Action item: INSERT

  • IVS-09.4: Do you have the ability to logically segment or encrypt customer data such that data may be produced for a single tenant only, without inadvertently accessing another tenant's data?


Policy to be referenced here is INSERT
*Action item: INSERT

  • IVS-09.5: Are system and network environments protected by a firewall or virtual firewall to ensure protection and isolation of sensitive data?


Policy to be referenced here is INSERT
*Action item: INSERT

IVS-10: VM Security / Data Protection -

  • IVS-10.1: Are secured and encrypted communication channels used when migrating physical servers, applications, or data to virtual servers?


Policy to be referenced here is INSERT
*Action item: INSERT

  • IVS-10.2: Do you use a network segregated from production-level networks when migrating physical servers, applications, or data to virtual servers?


Policy to be referenced here is INSERT
*Action item: INSERT

IVS-11: VMM Security / Hypervisor Hardening -

  • IVS-11.1: Do you restrict personnel access to all hypervisor management functions or administrative consoles for systems hosting virtualized systems based on the principle of least privilege and supported through technical controls (e.g., two-factor authentication, audit trails, IP address filtering, firewalls and TLS-encapsulated communications to the administrative consoles)?


Policy to be referenced here is INSERT
*Action item: INSERT

IVS-12: Wireless Security -

  • IVS-12.1: Are policies and procedures established and mechanisms configured and implemented to protect the wireless network environment perimeter and to restrict unauthorized wireless traffic?


Policy to be referenced here is INSERT
*Action item: INSERT

  • IVS-12.2: Are policies and procedures established and mechanisms implemented to ensure wireless security settings are enabled with strong encryption for authentication and transmission, replacing vendor default settings (e.g., encryption keys, passwords, SNMP community strings)?


Policy to be referenced here is INSERT
*Action item: INSERT

  • IVS-12.3: Are policies and procedures established and mechanisms implemented to protect wireless network environments and detect the presence of unauthorized (rogue) network devices for a timely disconnect from the network?


Policy to be referenced here is INSERT
*Action item: INSERT

IVS-13: Network Architecture -

  • IVS-13.1: Do your network architecture diagrams clearly identify high-risk environments and data flows that may have legal compliance impacts?


Policy to be referenced here is INSERT
*Action item: INSERT

  • IVS-13.2: Do you implement technical measures and apply defense-in-depth techniques (e.g., deep packet analysis, traffic throttling and black-holing) for detection and timely response to network-based attacks associated with anomalous ingress or egress traffic patterns (e.g., MAC spoofing and ARP poisoning attacks) and/or distributed denial-of-service (DDoS) attacks?


Policy to be referenced here is INSERT
*Action item: INSERT

Related Documents

  • None