IT Audit for the Virtual Environment

by J. Michael Butler, Rob Vandenbrink Sept. 1, 2017 via SANS Institute

Industry requirements, government agency directives, and federal and state disclosure laws (starting with California's SB1386) have one goal in common: protect personal and private information. It really doesn't matter whether we are talking about credit card information, bank account numbers, social security numbers, health data or insurance information. In fact, instead of personal information, some organizations are focused on protecting utility infrastructures, such as power plants, telecommunications, or gas lines. Although the information requiring protection in such a case is not "personal," the same security and audit principles still apply. So, to achieve compliance, IT groups check policies and procedures against rules, regulations, and directives. They follow best practices and build defense-in-depth. IT auditors, SAS70 auditors, and PCI QSAs (Qualified Security Assessors) meet with the operations teams, whose responses show that they are, indeed, compliant…that is, until we start talking about virtualization. In this realm, auditors are usually at a loss.

https://www.sans.org/reading-room/whitepapers/analyst/audit-virtual-environment-34810