This guidance describes the security configurations that can support Governance, Risk, and Compliance (GRC) considerations. Due to the variety of compliance standards and different organizational business needs, due care should be taken to identify and map VMware Cloud Foundation configurations against a targeted regulation.
Where possible, examples of audit artifacts are included as evidence in the VMware Cloud Foundation Audit Guide Appendix, focused on compliance and producing evidence to meet controls. To map configurations across regulatory standards, we use a third-party tool produced by the Unified Compliance Framework (UCF). This removes a subjective, manual control cross-walk approach and replaces it with a repeatable and data-driven methodology. The crosswalk or reference across regulatory standards is not a mapping matrix; instead it uses the UCF as a shared library of controls tied to the underlying citation text within each standard. This removes the subjective mapping and replaces it with a programmatic, software-driven mapping engine.
In some cases, the regulation may be too generic or too vague, which can reduce the mapping efficacy. In these cases, an additional review is performed to isolate new citation text, which is then included in the engine through the corresponding, newly identified UCF control. No mapping is provided without an accompanying UCF control and accompanying citation text for each regulation. If no mapping is identified, the mapping uses VMware Best Practice text to clarify that no mapping was found but that the configuration is still recommended to uphold the security principles.
The compliance mapping is subject to expansion as more security controls are evaluated, including additional compliance domains and regulations.
The top ten compliance and regulatory standards mappings are included:
NIST 800-53 R4 (Moderate)
PCI DSS 3.2.1
NIST 800-171 / CMMC
ISO27001:2013 / GDPR
SOC 2 (across all five Trust Service Principles)
For guidance on each standard, refer to the VMware Cloud Foundation Audit Guide Appendix.
Controls are designed to mitigate risk. They are derived by using a Risk Framework, such as the Guide for Applying the Risk Management Framework to Federal Information Systems published by NIST, publication number 800-37. The NIST 800-53 R4 control catalog is used to develop a baseline of controls that is compared against the software-defined data center technical and security configurations. These security configurations must be evaluated and considered against the risk management framework used by your organization. Other frameworks such as ISO27001 can be coupled with its Annex A, ISO27002, or ISO27005 to evaluate controls that mitigate risk.
It is the responsibility of the security, compliance, and audit teams in your organization to verify that configurations meet their compliance requirements. Attack vectors and compliance guidelines are constantly evolving, which requires continuous monitoring and risk management processes.
Business Impact Assessment
Measuring risk and evaluating scope may require performing a business impact assessment. This analysis can inform IT security and audit professionals of the areas of the Software-Defined Data Center that require more controls, tightened access restrictions, micro-segmentation, enhanced disaster recovery, and additional monitoring.