IS AUDIT/ASSURANCE PROGRAM: APPLICATION CONTAINERS
CONTENTS
Audit Subject: Application Containers
Audit Objectives
Audit Scope
Business Impact and Risk
Minimum Audit Skills
Testing Steps
Acknowledgments
ABSTRACT
The IS Audit/Assurance Program for Application Containers will assist IT auditors in their
assessments of application container deployments.
Audit Objectives
The primary purpose of this audit program is to assist IT
deployments. Accordingly, this audit program supports
• Safeguarding the host operating system by deactivating unnecessary
• Mitigating risks associated with use of a shared kernel, which is inherent
Audit Scope
The audit program addresses the host operating system, network, container runtime and images of application containers, including, but not limited to, Docker® and Rocket®.
Testing Steps
Refer to the accompanying spreadsheet file.
1 US National Institute of Standards and Technology, Special Publication 800-190, Application Container Security Guide, September 2017, https://nvlpubs.nist.gov/nistpubs/specialpublications/nist.sp.800-190.pdf
Acknowledgments
ISACA would like to recognize:
R.V. Raghu
CISA, CRISC
Versatilist Consulting India Pvt. Ltd., India
Gabriela Reynaga
CISA, CRISC, COBIT 5 Foundation, GRCP
Holistics GRC, Mexico
Gregory Touhill
CISM, CISSP
Cyxtera Federal Group, USA
Ted Wolff
CISA
Vanguard, Inc., USA
Tichaona Zororo
CISA, CRISC, CISM, CGEIT, COBIT 5 Assessor, CIA, CRMA
EGIT | Enterprise Governance of IT, South Africa
Theresa Grafenstine
ISACA Board Chair, 2017-2018
CISA, CRISC, CGEIT, CGAP, CGMA, CIA, CISSP, CPA
Deloitte & Touche LLP, USA
About ISACA
Nearing its 50th year, ISACA® (isaca.org) is a global association helping individuals and enterprises achieve the positive potential of technology. Technology powers today’s world and ISACA equips professionals with the knowledge, credentials, education and community to advance their careers and transform their organizations. ISACA leverages the expertise of its half-million engaged professionals in information and cyber security, governance, assurance, risk and innovation, as well as its enterprise performance

1700 E. Golf Road, Suite 400
Schaumburg, IL 60173, USA
Phone: +1.847.660.5505
Fax: +1.847.253.1755
Support: support.isaca.org
Provide Feedback: www.isaca.org/application-containers
Participate in the ISACA Knowledge Center: www.isaca.org/knowledge-center
Follow ISACA on Twitter: www.twitter.com/ISACANews
www.linkd.in/ISACAOfficial
Like ISACA on Facebook: www.facebook.com/ISACAHQ

DISCLAIMER
ISACA has designed and created the IS Audit/Assurance Program for Application Containers (the “Work”) primarily as an educational resource for IT audit professionals. ISACA makes no claim that use of any of the Work will assure a successful outcome. The Work should not be considered inclusive of all proper information, procedures and tests or exclusive of other information, procedures and tests that are reasonably directed to obtaining the same results. In determining the propriety of any specific information, procedure or test, IT audit professionals should apply their own professional judgments to the specific circumstances presented by the systems or information technology environment.

© 2018 ISACA. All rights reserved. No part of this publication may be used, copied, reproduced, modified, distributed, displayed, stored in a retrieval system or transmitted in any form by any means (electronic, mechanical, photocopying, recording or otherwise) without the prior written authorization of ISACA.