3.3.11 Virtualization
| No: 43028139 | Date(g): 4/11/2021 | Date(h): 29/3/1443 |
Effective from 2021-11-04 - Nov 03 2021
To view other versions open the versions tab on the right
Principle
Formal process for creation, distribution, storage, use and retirement of virtualized images, snapshots or containerization should be defined and managed in a controlled and secured manner.
Control Requirements
| 1. | A process should be defined, approved, implemented and communicated by the Member Organizations to setup, deploy and configure a virtual environment. | |||
| 2. | The process should be governed with well-defined policies, procedures and standards. | |||
| 3. | The effectiveness of the virtualization or containerization process should be measured and periodically evaluated. | |||
| 4. | All virtual components deployed in the Member Organizations should be provided with the same level of security as of non-virtualized environment. | |||
| 5. | All virtual components should be adequately configured using defined and approved minimum baseline security standards (MBSS) specific to virtualization or containerization. | |||
| 6. | Strong authentication mechanism should be implemented and access should be granted on need to know or least privileged basis for all virtual environments including host operating system, hypervisor, guest operating systems and any other related components. | |||
| 7. | The creation, distribution, storage, use, retirement and destruction of the virtual images and snapshots should be handle in a controlled and secured manner. | |||
| 8. | The following should be considered as part of virtualization/containerization but not limited to: | |||
| a. | administrative access should be tightly controlled where access via local admin should be restricted; | |||
| b. | management of hypervisors should be restricted to administrators only; | |||
| c. | virtual test environment should be physically and/or logically segregated from the production environment and even should not operate on the same host; | |||
| d. | unnecessary program and services should be disabled on virtual machines unless authorized by the business; | |||
| e. | audit logging should be enabled and monitored for all virtual machines that should include but not limited to: | |||
| 1. | creation, deployment and removal; | |||
| 2. | root and administrative activities; and | |||
| 3. | creation, modification and deletion of system level objects. | |||
| f. | appropriate controls should be in place to protect sensitive and critical data being used and managed through virtual images or snapshots; and | |||
| g. | all virtual drives used by the guest operating systems should be backed-up and tested on regular basis, using the same policy for backup management as is used for non-virtualized systems. | |||