IT Compliance and Controls

Converging Business, Information, and Controls


How to meet the intent of Regulations in a Virtualized world…

December 3rd, 2008

Today I had an interesting question posed to me: are we doing the right thing with regard to our virtualization environment and our business mandates?  This sparked several hours of discussion, but a few points arose that I thought worthy of passing along.

The first is recognition that a virtualized environment IS in fact different from a physical environment.  Once this is accepted, the next premise to consider is the set of business mandates that apply to the organization and the team.  This is where the rubber meets the road: combining professional knowledge with the “intent” of contracts, laws, and mandates.  Together these pave a path to truly operate a virtualized environment under any set of business conditions.

Many people today treat a virtualized system as if it were a physical system.  This is a mistake.  A virtualized space carries risks, threats, and attack vectors that either do not exist in a physical environment or are not addressed by the same safeguards: guests share a hypervisor and physical host, traffic between guests on a virtual switch never crosses the physical network where traditional monitoring sits, and a whole server can be copied or moved as a file.

Business Mandates (my catch-all for contracts, regulations, and directives) are written with the intent of preventing, minimizing, or safeguarding something.  Professionals must recognize that intent and satisfy it within the virtualized space.  It is criminal and fraudulent to pass off a virtualized system as a physical system for the sake of an auditor’s check box or any other safety precaution; the simple defense that ‘they didn’t know’ is insufficient and reckless.

When the Internet was born, regulators and enforcement bodies tried to apply existing laws to prosecute offenders and to demand appropriate safeguards.  For the most part those old laws did provide for financial damages, but they did not help government and industry meet the new standards the new technology required.  Today our laws and the auditors’ checklists do not sufficiently address virtualization, but that does not eliminate the risk, or the need to operate securely and in line with our customers’ expectations.

This is a very complex area and I look forward to additional thoughts.  Look for a future ‘Insider Perspective’ breaking out greater facts from the field.

Kind regards,

James DeLuccia IV

Tags: iso27001 · Risk Awareness · Technology Intelligence
