VMware Tanzu Application Service Compliance

Impact analysis to determine potential security implications of system changes are the responsibility of the deployer. The operational consistency provided by Tanzu Application Service (TAS for VMs) helps to reduce the impact analysis of any planned changes. The use of TAS for VMs as a hosting environment enables organizations to achieve consistency in application deployment processes, reducing the need for extensive, application-specific impact analysis prior to application changes or upgrades. Changes to the TAS for VMs foundation itself are performed by an operator using BOSH or Tanzu Operations Manager, and these actions can be performed while applications remain available. Changes to application configuration are not expected to have any impact on the security posture of the TAS for VMs platform infrastructure. The application isolation guarantees provided by the TAS for VMs platform help to reduce the impact of any planned application changes, and reduce the scope of any required impact analysis.

Control Description

The organization analyzes changes to the information system to determine potential security impacts prior to change implementation.

Supplemental Guidance

Organizational personnel with information security responsibilities (e.g., Information System Administrators, Information System Security Officers, Information System Security Managers, and Information System Security Engineers) conduct security impact analyses. Individuals conducting security impact analyses possess the necessary skills/technical expertise to analyze the changes to information systems and the associated security ramifications. Security impact analysis may include, for example, reviewing security plans to understand security control requirements and reviewing system design documentation to understand control implementation and how specific changes might affect the controls. Security impact analyses may also include assessments of risk to better understand the impact of the changes and to determine if additional security controls are required. Security impact analyses are scaled in accordance with the security categories of the information systems.