Governance, Risk, and Compliance and Mapping
This guidance describes the security configurations that can support Governance, Risk, and Compliance (GRC) considerations. Because compliance standards and organizational business needs vary, due care should be taken to identify and map VMware Cloud Foundation configurations against the targeted regulation.

Where possible, examples of audit artifacts are included as evidence in the VMware Cloud Foundation Audit Guide Appendix, which focuses on compliance and on producing evidence to meet controls. To map configurations across regulatory standards, we use a third-party tool produced by the Unified Compliance Framework (UCF). This replaces a subjective, manual control cross-walk with a repeatable, data-driven methodology. The cross-walk or reference across regulatory standards is not a mapping matrix; instead, it uses the UCF as a shared library of controls tied to the underlying citation text within each standard, so the subjective mapping is replaced by a programmatic, software-driven mapping engine.

In some cases, a regulation may be too generic or too vague, which reduces the mapping efficacy. In those cases, an additional review is performed to isolate the new citation text, which is then included in the engine through the corresponding, newly identified UCF control. No mapping is provided without an accompanying UCF control and the accompanying citation text for each regulation. If no mapping is identified, the entry uses the VMware Best Practice text to make clear that no regulatory mapping was found but that the configuration is still recommended on security principles.

The compliance mapping is subject to expansion as more security controls are evaluated, including additional compliance domains and regulations.
Control Definition
Controls are designed to mitigate risk. They are derived by using a risk framework, such as the Guide for Applying the Risk Management Framework to Federal Information Systems, published by NIST as Special Publication 800-37. The NIST SP 800-53 Revision 4 control catalog is used to develop a baseline of controls that is compared against the software-defined data center technical and security configurations. These security configurations must be evaluated and considered against the risk management framework used by your organization. Other frameworks, such as ISO 27001 coupled with its Annex A, ISO 27002, or ISO 27005, can also be used to evaluate the controls that mitigate risk.
Cybersecurity Considerations
It is the responsibility of the security, compliance, and audit teams in your organization to verify that configurations meet their compliance requirements. Attack vectors and compliance guidelines are constantly evolving, which requires continuous monitoring and ongoing risk management processes.
Business Impact Assessment
Measuring risk and evaluating scope may require performing a business impact assessment. This analysis can show IT security and audit professionals which areas of the Software-Defined Data Center require additional controls, tightened access restrictions, micro-segmentation, enhanced disaster recovery, and additional monitoring.