To address compliance requirements, an organization must evaluate VMware solutions against existing business processes and overlapping technology in support of audit and risk management.
Often called Governance, Risk, and Compliance, these audit and risk management processes look across the organization to consider, evaluate, and mitigate risk. Systems that are used in support of the business model of an organization are evaluated as part of an organization-wide process.
Controls are designed to mitigate risk. They are derived using a risk framework, such as the Guide for Applying the Risk Management Framework to Federal Information Systems published by NIST (publication number 800-37). The VMware Validated Design Compliance Kit for NIST 800-53 used the catalog of controls outlined in NIST 800-53 R4 and compared them to the security capabilities available within the Software-Defined Data Center, using the blueprint architecture of the VMware Validated Design. These security configurations must be evaluated and considered against an organization's own risk management framework.
Configuration or Security Configuration
Configurations are the building blocks used to identify product capabilities and their mapping to controls. In some cases, a single configuration may mirror a control directly, as with encryption. In other cases, multiple configurations come together to form a control, as with logical access. Although configuration and system configuration can be used interchangeably, a configuration may cover an area beyond security alone, as with backups.
Type of Controls
Control classifications and frameworks vary. The VMware Validated Design Compliance Kit uses the Classification of Controls, with an emphasis on Core and Technology controls. Each control is mapped to one or more configurations to provide visibility into how it is implemented.
It is the responsibility of each organization's security, compliance, and audit teams to verify that these configurations meet their compliance requirements. Attack vectors and compliance guidelines are constantly evolving, which requires continuous monitoring and ongoing risk management processes.