IVS-01: Infrastructure and Virtualization Security Policy and Procedures

CSF v1.1 References:

PF v1.0 References:

Control is new to this version of the control set and incorporates the following controls from the previous version: GRM-06: Policy, GRM-09: Policy Reviews.

Control Statement

Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures for infrastructure and virtualization security. Review and update the policies and procedures at least annually.

Implementation Guidance

Infrastructure Virtualization Security Policy and Procedures should include, but are not limited to:

  1. Governance and control of VM lifecycle management.
  2. Storage restriction of VM images and snapshots.
  3. Backup and failover systems.
  4. Tagging for the VM based on sensitivity / risk level.
  5. A formal change management process for creation, storage, and use of VM images. Approve changes only when necessary.
  6. Consistent security policy and configuration across the physical/virtual network.
  7. Implementation of security technologies that span physical and virtual environments with a consistent policy management and enforcement framework.

To implement security technologies that span physical and virtual environments with a consistent policy management and enforcement framework, the policy should cover:

  1. Firewalls, whether physical or virtual, to isolate groups of VMs from other hosted groups.
  2. Design and implementation of access controls from each trust level to physical and virtual management and security systems.
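A practical way to evaluate items 4 (sensitivity tagging), 5 (change-managed exceptions) and the two firewall points above is to check the VM inventory and firewall rule set against the written policy. The script below is an added example, not part of the CCM text or any CSA tooling: it runs over a constructed inventory, flags VMs that lack a `sensitivity` tag, and flags allow rules that let a lower-trust VM group reach a higher-trust group (including the management network) unless the rule carries an approved change reference. The group names, trust ordering and change identifiers are all assumptions made for illustration.

```python
"""Policy-conformance check for an IVS-01 style infrastructure policy.

Added example; the inventory, group-to-trust mapping, rule set and change
identifiers below are constructed for illustration, not taken from any
real environment or from the Cloud Controls Matrix.
"""
from dataclasses import dataclass, field
from typing import Optional

# Assumed trust ordering: a higher number is a more trusted zone.
TRUST_LEVEL = {"public": 0, "internal": 1, "restricted": 2, "management": 3}


@dataclass
class VM:
    name: str
    group: str                      # firewall / segmentation group
    tags: dict = field(default_factory=dict)


@dataclass
class Rule:
    src_group: str
    dst_group: str
    action: str                     # "allow" or "deny"
    approved_change: Optional[str] = None   # change ticket for an exception


def missing_sensitivity_tags(vms):
    """Item 4: every VM must carry a sensitivity / risk-level tag."""
    return [vm.name for vm in vms if "sensitivity" not in vm.tags]


def escalating_allows(rules, group_trust):
    """Firewall items: allow rules from a lower-trust group into a higher-trust
    group are findings unless they reference an approved change (item 5)."""
    findings = []
    for r in rules:
        if r.action != "allow":
            continue
        src = TRUST_LEVEL[group_trust[r.src_group]]
        dst = TRUST_LEVEL[group_trust[r.dst_group]]
        if dst > src and r.approved_change is None:
            findings.append((r.src_group, r.dst_group))
    return findings


def audit(vms, group_trust, rules):
    """Return all findings as a dict so an auditor can attach it to evidence."""
    return {
        "untagged_vms": missing_sensitivity_tags(vms),
        "escalating_allows": escalating_allows(rules, group_trust),
    }


def run_example():
    # Constructed inventory: three VMs in three segmentation groups.
    vms = [
        VM("web-01", "dmz", {"sensitivity": "low"}),
        VM("db-01", "restricted-data", {"sensitivity": "high"}),
        VM("batch-07", "internal-apps"),            # no sensitivity tag
    ]
    # Constructed mapping from segmentation group to trust zone.
    group_trust = {
        "dmz": "public",
        "internal-apps": "internal",
        "restricted-data": "restricted",
        "mgmt": "management",
    }
    # Constructed rule set; CHG-0001 is a placeholder change reference.
    rules = [
        Rule("dmz", "internal-apps", "allow"),                 # finding
        Rule("internal-apps", "restricted-data", "allow",
             approved_change="CHG-0001"),                      # approved exception
        Rule("dmz", "mgmt", "allow"),                          # finding: public -> management
        Rule("restricted-data", "dmz", "allow"),               # higher -> lower, not flagged
        Rule("dmz", "restricted-data", "deny"),
    ]
    return audit(vms, group_trust, rules)


if __name__ == "__main__":
    for key, value in run_example().items():
        print(f"{key}: {value}")
```

Run it directly to print the two finding lists; in a real review you would load the inventory and rule set from the virtualization platform's export instead of the constructed data, and treat every finding as either a policy violation or a missing change record.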

Auditing Guidance

  1. Interview the team to determine if policy and procedures have been documented.
  2. Evaluate the documented policy to determine if it has been approved and communicated to the relevant internal and external teams.
  3. Determine if the policy has been applied to the infrastructure and virtualization security operations and if relevant procedures have been drafted.
  4. Determine if the procedures are periodically evaluated and if they are maintained, up to date, and relevant.
  5. Determine if policy and procedures are reviewed and updated on an annual basis. Policy may contain segregation of environments and roles, change management requirements and continuous exercising.

[csf.tools Note: For more information on the Cloud Controls Matrix, visit the CSA Cloud Controls Matrix Homepage.]

Cloud Control Matrix is Copyright 2023 Cloud Security Alliance.