A quarterly access review audit is performed to ensure certification of entitlements for all VMware Cloud services, critical system users, and administrators.

All entitlement actions including remediations and certifications for inappropriate entitlements are recorded in the systems used to grant or revoke access.

The annual independent third-party assessments help in the audit and review of user access and user entitlement remediations and certifications. Reports are shared when these assessments are made available to our customers. Third-party auditors perform reviews against industry-standards including ISO 27001. VMware furnishes audit reports under the non-disclosure agreement (NDA).

If there is a user access revocation or modification, a timely de-provisioning of the user access is made to the following aspects:
  • Organization systems
  • Information assets
  • Data implemented upon any change in status of employees
  • Contractors
  • Customers
  • Business partners
  • Third parties involved

VMware has HR systems, policies, and procedures to guide management during termination or change of the employment status. Access privileges to systems are removed with a status change. Employees or contractors who change roles within the organization are provided access according to their new position.

Any change in the user access status is intended to include termination of employment, contract, or agreement, change of employment, or transfer within the organization. A quarterly access review audit is performed to ensure that access is appropriate. Regular internal audits are conducted to confirm that access control changes are implemented on critical systems.