Pub. 7 2016 Issue 3

FALL 2016 21 West Virginia Banker

Trista Cline is a Supervisor of Arnett Carbis Toothman LLP, Certified Public Accountants, in the Charleston, West Virginia office. Ms. Cline has over eight years of experience in information technology audit and security services in the financial institutions industry. In addition, Ms. Cline has extensive experience in database analysis and the use of database analysis tools.

security risks in the hypervisor could put the entire virtual environment at risk. The hypervisor or virtual machine manager (VMM) is computer software, firmware or hardware that creates or runs a virtual machine.

• Configuration risks – Cloning and copying of images are extremely easy in the virtual environment. Monitoring the configuration is extremely important to ensure there is no configuration drift. Configuration drift is inconsistent configuration across computers or devices.

Controls. As in physical environments, controls are critical to address the potential risks of implementing a virtual environment. The controls for a virtual environment are different from the controls for a physical server. Bank Management needs to be knowledgeable about every aspect of the virtual environment and understand all of the associated risks. Bank Management should also become familiar with the processes for creating, deploying, and managing changes to the virtual environment. The hypervisor, again, is the most important aspect of the virtual environment, and all security measures for the hypervisor should be evaluated. The following controls should be in place.

1. Obtain a detailed understanding of the virtual environment, including the hardware and supporting network infrastructure. A network diagram that includes the virtual environment could be beneficial to obtaining and documenting this understanding.
2. Ensure that the software version of the hypervisor complies with the policy requirements. Confirm that the software vendor supports the software version.
3. Ensure that patching of the virtual environments is in accordance with the Bank's policy and procedures. The policy and procedures should document the identification, evaluation, and application procedures for the patch management process.
4. Understand the services and features that are enabled on the system and validate their necessity with the system administrator. A list should be maintained and updated as the services and features change.
5. Evaluate the procedures for creating administrative accounts and for ensuring that the accounts created have a legitimate business need. Ensure that the accounts are removed or disabled in a timely manner.
6. Evaluate the appropriate management of provisioning and de-provisioning of new virtual machines, including appropriate operating systems and application licenses. Document the policies and procedures related to the "cleaning up" or removing of virtual machines, rights, and/or licenses that are no longer needed when a project is completed.
7. Evaluate whether the hardware capacity is managed for the virtualized environment to support existing and future requirements. Gain an understanding of the hypervisor of the virtual machine to identify the specific amount of storage, processor, and memory allocated to each host.
8. Evaluate how performance is managed and monitored for the virtual environment to support existing and anticipated business requirements. Perform periodic performance reviews of the processor, memory, and bandwidth loads on the virtual architecture to identify growing stresses.
9. Evaluate the policies, processes, and controls for data backup frequency, handling, and offsite management. Review policy requirements for meeting Recovery Point Objectives (RPOs), which affect how much data might be lost from a disaster, and Recovery Time Objectives (RTOs), which affect how long it will take to restore data after a disaster occurs.
10. Gain an understanding of the security of your remote hypervisor management.
11. Evaluate the security around the storage of virtual machines.
12. Ensure that the network encryption of data-in-motion is implemented where appropriate.
13. Gain an understanding of the low-level and technical controls in place to segregate or firewall highly sensitive data on critical virtual machines from the rest of the virtualization.
14. Understand the system administrator procedures for security monitoring.
15. Evaluate the use of baseline templates and security of hosted virtual machines as appropriate.
16. Ensure that the appropriate environmental controls are in place to provide for system protections and availability.

Conclusion. A virtual environment can provide many benefits to a Bank. The first step is to evaluate if a virtual environment is best for your network infrastructure. Then weigh all of the potential risks and benefits to ensure that a virtual environment will fit your IT strategic plan. If you decide to implement a virtual environment, be sure to have adequate policies and procedures in place to support the virtual environment created. Evaluate and document the virtual environment's network infrastructure so that the Bank has a working knowledge of how it functions. The virtual environment is ever growing and will need constant monitoring to ensure that all security measures are in place to reduce the risk of realizing potential vulnerabilities.
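The configuration-drift monitoring described under configuration risks, together with the baseline templates in control 15, can be checked mechanically. The following is an added example, not part of the original article: it compares each virtual machine's settings against a baseline template and reports every deviation. The setting names, VM names and values are constructed for illustration and assume an inventory export already exists in this form.

```python
"""Added example: configuration-drift check for cloned virtual machines."""

# Constructed baseline template: settings every VM cloned from it should keep.
BASELINE = {
    "os_patch_level": "2016-09",
    "remote_console": "disabled",
    "disk_encryption": "enabled",
    "vcpus": 2,
}

# Constructed inventory export; VM names and values are hypothetical.
INVENTORY = {
    "teller-app-01": {"os_patch_level": "2016-09", "remote_console": "disabled",
                      "disk_encryption": "enabled", "vcpus": 2},
    "teller-app-02": {"os_patch_level": "2016-06", "remote_console": "enabled",
                      "disk_encryption": "enabled", "vcpus": 2},
    "loan-db-01": {"os_patch_level": "2016-09", "remote_console": "disabled",
                   "vcpus": 4, "usb_passthrough": "enabled"},
}

# Settings allowed to differ per VM (capacity is sized per workload).
ALLOWED_TO_VARY = {"vcpus"}


def find_drift(baseline, inventory, allowed=frozenset()):
    """Return {vm: [(setting, expected, actual), ...]} for every drifted VM."""
    report = {}
    for vm, config in sorted(inventory.items()):
        findings = []
        # Check the union of keys so that both a setting missing from the VM
        # and a setting the baseline never approved are reported.
        for key in sorted(set(baseline) | set(config)):
            if key in allowed:
                continue
            expected = baseline.get(key, "<not in baseline>")
            actual = config.get(key, "<missing>")
            if expected != actual:
                findings.append((key, expected, actual))
        if findings:
            report[vm] = findings
    return report


if __name__ == "__main__":
    drift = find_drift(BASELINE, INVENTORY, ALLOWED_TO_VARY)
    for vm, findings in drift.items():
        for key, expected, actual in findings:
            print(f"{vm}: {key} expected={expected!r} actual={actual!r}")
```

Run on a schedule against a fresh inventory export, a report like this gives the system administrator and the auditor the same list of deviations to review.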
