Scope
We have examined VMware Inc.’s accompanying description of its system titled “VMware Inc.’s
Description of its vRealize System” throughout the period October 1, 2020 to September 30, 2021,
(“description”) based on the criteria for a description of a service organization’s system in DC section 200,
2018 Description Criteria for a Description of a Service Organization’s System in a SOC 2® Report
(AICPA, Description Criteria), (“description criteria”) and the suitability of the design and operating
effectiveness of controls stated in the description throughout the period October 1, 2020 to September 30,
2021 to provide reasonable assurance that VMware Inc.’s service commitments and system requirements
were achieved based on the trust services criteria relevant to security and availability (“applicable trust
services criteria”) set forth in TSP section 100, 2017 Trust Services Criteria for Security, Availability,
Processing Integrity, Confidentiality, and Privacy (AICPA, Trust Services Criteria).
VMware Inc. uses the subservice organization identified in Section III to provide cloud hosting services.
The description indicates that complementary subservice organization controls that are suitably designed
and operating effectively are necessary, along with controls at VMware Inc., to achieve VMware Inc.’s
service commitments and system requirements based on the applicable trust services criteria. The
description presents VMware Inc.’s controls, the applicable trust services criteria, and the types of
complementary subservice organization controls assumed in the design of VMware Inc.’s controls. The
description does not disclose the actual controls at the subservice organization. Our examination did not
include the services provided by the subservice organization, and we have not evaluated the suitability of
the design or operating effectiveness of such complementary subservice organization controls.
Our examination was conducted in accordance with attestation standards established by the American
Institute of CPAs (AICPA). Those standards require that we plan and perform our examination to obtain
reasonable assurance about whether, in all material respects, the description is presented in accordance
with the description criteria and the controls stated therein were suitably designed and operated
effectively to provide reasonable assurance that the service organization’s service commitments and
An examination of the description of a service organization’s system and the suitability of the design and
operating effectiveness of controls involves the following:
• Obtaining an understanding of the system and the service organization’s service commitments and
system requirements
• Assessing the risks that the description is not presented in accordance with the description criteria
and that controls were not suitably designed or did not operate effectively
• Performing procedures to obtain evidence about whether the description is presented in accordance
with the description criteria
• Performing procedures to obtain evidence about whether controls stated in the description were
suitably designed to provide reasonable assurance that the service organization would achieve its
service commitments and system requirements based on the applicable trust services criteria if those
controls operated effectively
• Testing the operating effectiveness of controls stated in the description to provide reasonable
assurance that the service organization achieved its service commitments and system requirements
based on the applicable trust services criteria
• Evaluating the overall presentation of the description.
Our examination also included performing such other procedures as we considered necessary in the
circumstances.
Inherent Limitations
The description is prepared to meet the common needs of a broad range of report users and may not,
therefore, include every aspect of the system that each individual report user may consider important to
meet their informational needs.
There are inherent limitations in the effectiveness of any system of internal control, including the
possibility of human error and the circumvention of controls.
Because of their nature, controls may not always operate effectively to provide reasonable assurance that
the service organization’s service commitments and system requirements are achieved based on the
applicable trust services criteria. Also, the projection to the future of any conclusions about the suitability
of the design and operating effectiveness of controls is subject to the risk that controls may become
inadequate because of changes in conditions or that the degree of compliance with the policies or
procedures may deteriorate.
Opinion
In our opinion, in all material respects,
a. the description presents VMware Inc.’s vRealize system that was designed and implemented
throughout the period October 1, 2020 to September 30, 2021 in accordance with the description
criteria.
b. the controls stated in the description were suitably designed throughout the period October 1, 2020 to
September 30, 2021 to provide reasonable assurance that VMware Inc.’s service commitments and
system requirements would be achieved based on the applicable trust services criteria, if its controls
operated effectively throughout that period and if the subservice organization applied the
complementary controls assumed in the design of VMware Inc.’s controls throughout that period.
c. the controls stated in the description operated effectively throughout the period October 1, 2020 to
September 30, 2021 to provide reasonable assurance that VMware Inc.’s service commitments and
system requirements were achieved based on the applicable trust services criteria, if complementary
subservice organization controls assumed in the design of VMware Inc.’s controls operated effectively
throughout that period.
Restricted Use
This report, including the description of tests of controls and results thereof in section IV, is intended
solely for the information and use of VMware Inc., user entities of VMware Inc.’s vRealize system during
some or all of the period October 1, 2020 to September 30, 2021, business partners of VMware Inc. that
were subject to risks arising from interactions with VMware Inc.’s vRealize system, and practitioners
providing services to such user entities and business partners, who have sufficient knowledge and
understanding of the following:
• The risks that may threaten the achievement of the service organization’s service commitments and
system requirements and how controls address those risks
This report is not intended to be and should not be used by anyone other than these specified parties.
Section I.
VMware, Inc.’s Assertion
We have prepared the accompanying description of VMware, Inc.’s system titled “VMware, Inc.’s
Description of its vRealize System” throughout the period October 1, 2020 to September 30, 2021
(“description”), based on the criteria for a description of a service organization’s system in DC section 200,
2018 Description Criteria for a Description of a Service Organization’s System in a SOC 2® Report (AICPA,
Description Criteria) (“description criteria”). The description is intended to provide report users with
information about the vRealize system that may be useful when assessing the risks arising from interactions
with VMware, Inc.’s system, particularly information about system controls that VMware, Inc. has designed,
implemented, and operated to provide reasonable assurance that its service commitments and system
requirements were achieved based on the trust services criteria relevant to security and availability
(“applicable trust services criteria”) set forth in TSP section 100, 2017 Trust Services Criteria for Security,
Availability, Processing Integrity, Confidentiality, and Privacy (AICPA, Trust Services Criteria).
VMware, Inc. uses a subservice organization identified in section III to provide cloud hosting services. The
description indicates that complementary subservice organization controls that are suitably designed and
operating effectively are necessary, along with controls at VMware, Inc., to achieve VMware, Inc.’s service
commitments and system requirements based on the applicable trust services criteria. The description
presents VMware, Inc.’s controls, the applicable trust services criteria, and the types of complementary
subservice organization controls assumed in the design of VMware, Inc.’s controls. The description does
not disclose the actual controls at the subservice organizations.
a. the description presents VMware, Inc.’s vRealize system that was designed and implemented
throughout the period October 1, 2020 to September 30, 2021, in accordance with the description
criteria.
b. the controls stated in the description were suitably designed throughout the period October 1, 2020 to
September 30, 2021 to provide reasonable assurance that VMware, Inc.’s service commitments and
system requirements would be achieved based on the applicable trust services criteria, if its controls
operated effectively throughout that period, and if the subservice organizations applied the
complementary controls assumed in the design of VMware, Inc.’s controls throughout that period.
c. the controls stated in the description operated effectively throughout the period October 1, 2020 to
September 30, 2021, to provide reasonable assurance that VMware, Inc.’s service commitments and
system requirements were achieved based on the applicable trust services criteria, if complementary
subservice organization controls assumed in the design of VMware, Inc.’s controls, operated effectively
throughout that period.
VMware, Inc.
December 22, 2021
EXAMINATION SCOPE
The scope of this description is limited to vRealize, including the infrastructure, software, people,
procedures, and data that are managed by vRealize and excludes collector and proxy agents installed on
customer infrastructure.
In addition, there are certain controls that are operated and managed at the entity level by VMware
Corporate Operations (“Corporate Operations”). These Corporate Operations include relevant processes
and controls within the following domains:
◼ Access Control
◼ Asset Management
◼ Business Continuity Management
◼ Communications Security
◼ Compliance
◼ Human Resources
◼ Information Security Incident Management
◼ Organization of Information Security
◼ Physical and Environmental Security
◼ Risk Management
◼ Supplier Relationships
◼ System Acquisition, Development, and Maintenance
◼ System Monitoring
◼ Vulnerability Management
◼ VMware will protect the information systems used to deliver the service offering over which VMware
has sole administrative level control.
◼ VMware will monitor for security events involving the underlying infrastructure servers, storage,
networks, and information systems used in the delivery of the service over which VMware has sole
administrative control. This responsibility stops at any point where the customer has some control,
permission, or access to modify an aspect of the service.
◼ VMware will maintain the systems used to deliver the service, including the application of patches
for the target systems.
◼ VMware will perform routine vulnerability scans to surface risk areas for the systems used to deliver
the service offering and address vulnerabilities in a timely manner.
◼ VMware will configure production systems to support continuous availability for the VMware
vRealize services system and will follow the pre-defined response commitments for the cloud
offerings.
In accordance with VMware’s assertion and the description criteria, the aforementioned service
commitments and requirements are those principal service commitments and requirements common to the
broad base of users of the system and may therefore not fully address the specific service commitments
and requirements made to individual system users.
In addition, VMware has its corporate headquarters and corporate data center in the following locations that
support, and are managed by, VMware Corporate Operations:
COMPONENT | DESCRIPTION
Corporate Data Center | VMware owned and managed data center supporting Corporate Operations is in the following location: Wenatchee, Washington
SOFTWARE
The following table details the key software and network components, which support vRealize:
COMPONENT | DESCRIPTION
Jira | A highly customizable tool for agile software development used to log and track progress for bugs, tasks, features, and other projects.
Wavefront | Application performance monitoring used for tracking and monitoring the health of backend services by real-time monitoring of metrics, triggering alerts at specific thresholds.
Gerrit | Highly extensible and configurable tool for web-based code review and repository management for vRealize repositories. Serves as the gated check-in tool for vRealize services.
VMware Code Stream™ | VMware Code Stream is a continuous integration and continuous delivery (CI/CD) tool, used to manage and deploy code.
Active Directory | Active Directory (AD) is a directory service used for VMware’s corporate network domain.
AccessNow (Saviynt) | AccessNow is a central ticketing system for tracking and documenting access requests and approvals.
Hive Learning | Hive is the learning management system (LMS) utilized to manage and deliver educational courses as well as track training completion for employees, contractors, and applicable third parties.
Palo Alto Networks | Palo Alto Networks firewall systems are in place to filter and restrict unauthorized inbound traffic to the corporate network.
RSA Archer Platform | RSA Archer is a risk and compliance platform used to centrally store and manage the regular review of VMware’s business continuity plans, risk assessment results, and risk mitigation activities.
Splunk | Splunk is a software platform used for monitoring, identifying, and tracking security events.
VMware Carbon Black | VMware Carbon Black provides enterprise endpoint detection and response.
VMware Workspace ONE Unified Endpoint Management (UEM) | Workspace ONE UEM is the Mobile Device Management solution installed on corporate and personal mobile devices that access company information. Workspace ONE provides controls to manage mobile device security and configuration management.
TEAM | DESCRIPTION
vRealize Technical Operations | Responsible for managing the Platform infrastructure and leading the development and maintenance of system and network security. Provides support for the Platform, first response for system and network issues, and performance monitoring.
vRealize System Engineering | Responsible for automation, development, system test plans and testing, and risk analysis.
vRealize Support and Services | Responsible for assisting vRealize’s customer experience and implementation engagements; provides global 24x7 support and professional services to vRealize customers.
Human Resources | Responsible for human resources (HR) policies, practices, and processes with a focus on key HR department delivery areas (e.g. talent acquisition, pre-employment screening, employee retention, compensation, employee benefits, performance management, employee relations and training, and development).
Security and Resiliency | Responsible for managing the enforcement, development, and maintenance of information security policies and standards to help ensure VMware Information Assets are preserved in a secure environment, in accordance with generally accepted best practices, focusing on VMware business and risk objectives.
Risk Management | Responsible for managing the annual performance of risk assessments, maintenance of a centralized risk register, and tracking and reporting of risk mitigation activities throughout the organization.
Enterprise Resiliency Business Continuity | Responsible for managing the organization’s overall approach to business continuity, including the annual performance of Business Impact
Security Operations Center | Responsible for intake of reported security events, including gathering, triaging, and providing first response. Security incidents are escalated to the VMware Security Incident Response Team.
Security Incident Response Team | Responsible for centrally managing all information security incidents for VMware, including ensuring proper collection of evidence, coordinating cross-functional incident teams, and developing effective response strategies for incident remediation.
Red Team | Responsible for performing penetration testing for VMware products and services, including tracking and escalation of remediation of test findings.
Data Center Operations | Responsible for managing the operations of VMware data center facilities, including reviewing and approving physical access and maintaining an inventory of physical assets.
Facilities Team | Responsible for performing regular equipment maintenance and managing the building management system for VMware data center facilities.
Global Support Services | Responsible for handling customer support issues and inquiries.
Colleague Support Team | Responsible for the distribution, replacement, and collection of VMware-issued end user devices.
PROCEDURES
VMware has established policies and procedures to support the achievement of its service commitments
and the applicable AICPA Trust Services Categories and Criteria for Security and Availability.1 These
policies and procedures include guidance for how the service is designed and developed, how the
system is operated, how the internal business systems are managed, and how employees are hired and
trained. In addition to these policies, standard operating procedures have been documented on how to
carry out specific processes required in the operation and development of the service.
The Corporate Information Security Policies & Procedures are defined, approved, published, and
communicated to users and relevant third parties. These documents are stored in a central repository
accessible to employees and other appropriate staff and define the roles and responsibilities for the
information security program. The information security policies are reviewed, updated, and approved at
least annually to help ensure their continuing suitability and effectiveness.
1 The AICPA Trust Services Categories consist of Security, Availability, Confidentiality, Processing Integrity, and
Privacy. The Security Category provides criteria to assess whether information systems are protected against
unauthorized access, unauthorized disclosure of information, and damage to systems that could compromise its
information or systems and affect the entity’s ability to meet its objectives. The Availability Category provides criteria to
assess whether information and systems are available for operation and use to meet the entity’s objectives.
The VMware vRealize Service processing of data is highly dependent on specific Controller configuration,
including but not limited to console configuration, integration of Controller maintained infrastructure,
connection to external VMware and other vendor’s systems, deployment of Controller procured/owned and
VMware mobile applications, etc. vRealize services collect various data attributes regarding a user entity’s
environment including but not limited to object host names, types, metrics, properties, tags, IP addresses,
etc. vRealize services do not retain customer data as it relates to personally identifiable information.
◼ Control Environment: This sets the tone of an organization, influencing the control consciousness
of its people. It is the foundation for all other components of internal control, providing discipline,
and structure.
◼ Risk Management: This is the entity’s identification and analysis of risks relevant to the
achievement of its objectives, forming a basis for determining how the risks should be managed.
◼ Monitoring: The entire internal control process must be monitored, and modifications are made as
necessary. To support modifications, the systems react dynamically and change as conditions
warrant.
◼ Information and Communication: Surrounding these activities are information and
communication systems. These enable the entity’s people to capture and exchange information
needed to conduct and control the entity’s operations.
◼ Control Activities: Control policies and procedures must be established and executed to help
ensure that the actions identified by management are completed as necessary to address risks for
achievement of the entity’s control objectives.
Set out below is a description of the components of internal control related to vRealize and VMware
Corporate Operations that may be relevant to customers.
CONTROL ENVIRONMENT
The control environment at VMware is the foundation for the other areas of internal control. It sets the tone
of the organization and influences the control consciousness of its personnel. It includes standards for
integrity and ethical values, management’s commitment to competence and accountability, the
organizational structure, assignment of authority and responsibility, and the oversight and direction
provided by the Board of Directors and operations management.
Performance Reviews
Management has developed a formal process to evaluate and discuss employee performance. In addition,
low performance is identified in performance reviews and plans to improve employee performance are
documented and tracked.
RISK MANAGEMENT
Organizational Risk Assessment
A framework is defined for VMware’s overall approach to IT risk and control, which includes a
comprehensive strategy to manage risk, implementation of the risk management strategy consistently
across the organization, regular review of the strategy to address organizational changes, and criteria for
determining whether risks can be accepted.
VMware considers significant interactions between itself and relevant external parties and risks that could
affect the company’s ability to provide reliable service to its user entities. Annually, key members of
management and operational teams perform a risk assessment, including consideration of fraud risk.
Overall risks to the organization are identified, ranked, and documented within a centralized risk register.
Risk mitigation strategies for the risks identified are assigned to mitigation owners and tracked to completion
by the Security and Resiliency Risk Management team.
MONITORING
VMware has defined an internal control framework to achieve its service commitments and the applicable
criteria related to security and availability. On an annual basis, management reviews and updates, as
necessary, the control framework to meet the applicable standards and requirements relevant to VMware.
To monitor the quality of internal control performance, management selects, develops, and performs
ongoing and/or separate internal evaluations to ascertain whether the components of internal control are
present and functioning. The organization’s approach to managing information security and its
implementation are further reviewed by an external, independent party at planned intervals or when
significant changes occur. The findings of these efforts are utilized to identify follow-up actions,
improvements, and modifications to subsequent evaluations as necessary.
CONTROL ACTIVITIES
Access Control
A formal process has been established for managing user accounts and controlling access to the vRealize
production system. In the event that a new employee is hired, the hiring manager or an HR team member
completes a new user checklist to request user access for the new employee. Access is provisioned once
the checklist is reviewed and approved by IT personnel. Existing employees who require access changes
are required to ask their manager to submit an access authorization request for approval. Employees are
required to complete security awareness training upon hire in order to guide personnel to meet their
obligations and responsibilities in accordance with corporate and business unit security policies. Security
awareness training is repeated for active employees on an annual basis. vRealize uses AccessNow to
grant access to production systems.
Newly hired employees must also acknowledge their adherence to the VMware’s code of conduct on an
annual basis. Background checks are performed for employees during the onboarding process. Upon
notification of employee termination, an automated process revokes corporate system access for
employees as a component of the employee termination process. Production system access is revoked for
employees as a component of the employee termination process and is managed by the system owners.
Users access production systems through AccessNow, which is integrated with VMware Active Directory.
Users request access for the appropriate role, and an approval process is in place to grant the access.
The production environment is segmented from other non-critical environments to help ensure that
confidential data is isolated from unrelated networks. An encrypted VPN is required for remote access to
help ensure the security and integrity of the data passing over the public network. Security groups and
firewall rulesets are in place to filter unauthorized inbound network traffic from the Internet and configured
to deny any type of network connection that is not explicitly authorized by a rule. Web servers utilize
transport layer security (TLS) encryption for web communication sessions. An intrusion detection system
(IDS) is used to analyze and report network events and to block suspected or actual network security
breaches.
Access control policies and procedures are maintained to define responsibilities and actions for granting,
monitoring, and revoking account access and privileges to system resources. Requests for new or modified
access must be approved by authorized personnel before access is provisioned, and upon termination,
employee access to production systems is revoked via a formalized and documented process.
VMware Corporate Operations has deployed AccessNow (Saviynt) to manage user access and
authentication across various cloud services and products they offer. For onboarded systems, access
requests, approvals, and access revocation upon termination are tracked in this centralized access
management system which is integrated with Active Directory to provide role-based access to cloud
VMware utilizes an internal application called CloudGate for users to authenticate to their cloud hosting
provider accounts, such as AWS. CloudGate is a single interface, providing access control and visibility
into VMware service teams’ cloud accounts. CloudGate provisions and centrally manages the cloud
account configurations through approved baseline scripts / templates and automated jobs that help ensure
that consistent configurations and security considerations (e.g. logging enabled, password
configurations) are orchestrated across the cloud accounts. CloudGate is also integrated with AccessNow
to map role-based access provisioned through AccessNow to roles that can be assumed in cloud accounts
by VMware service teams. The primary goal of CloudGate is to provide a better solution for access control
and inventory management across multiple cloud accounts.
◼ Passwords shall not repeat the last four previous passwords used.
◼ Passwords shall meet the criteria for “strong password” and be difficult for attackers to uncover.
Cryptographic techniques such as entropy shall be used as a basis for password strength (i.e.
contain a combination of letters, numbers, and symbols based on system functionality).
◼ User account passwords must have a minimum of 12 characters and are changed every 180 days.
◼ Service account or resource account passwords must have a minimum of 19 characters and are
changed every 365 days (90 days for FTP service accounts).
◼ Administrator or privileged account passwords must have a minimum of 19 characters and are
changed every 90 days.
◼ Customer account passwords must have a minimum of 8 characters.
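The password rules listed above can be expressed as a small policy checker. The following is an added example, not VMware code: the length and rotation thresholds are the ones the report states, while the composition rule (letters, numbers and symbols all required), the entropy estimate and its 50-bit threshold are assumptions made for this example, as is the use of salted SHA-256 digests for the password history.

```python
"""Checker for the vRealize password policy bullets above (added example, not VMware code).

Length and rotation thresholds are the ones the report states; the composition
rule, the entropy estimate and its 50-bit threshold are assumptions made here.
"""
import hashlib
import math
import string

# (minimum length, maximum age in days) per account type, as stated in the report.
POLICY = {
    "user": (12, 180),
    "service": (19, 365),
    "ftp_service": (19, 90),   # FTP service accounts rotate every 90 days
    "admin": (19, 90),
    "customer": (8, None),     # the report states no rotation interval for customer accounts
}
HISTORY_DEPTH = 4             # "shall not repeat the last four previous passwords used"
MIN_ENTROPY_BITS = 50         # assumed threshold; the report gives no number


def password_digest(password: str, salt: str) -> str:
    """Digest used to keep a password history without storing plaintext.

    Illustrative only: a production system would use a slow, memory-hard KDF.
    """
    return hashlib.sha256((salt + password).encode("utf-8")).hexdigest()


def estimate_entropy_bits(password: str) -> float:
    """Crude strength estimate: log2(alphabet_size ** length), where the alphabet
    is the union of the character classes actually present in the password."""
    alphabet = 0
    if any(c.islower() for c in password):
        alphabet += 26
    if any(c.isupper() for c in password):
        alphabet += 26
    if any(c.isdigit() for c in password):
        alphabet += 10
    if any(c in string.punctuation for c in password):
        alphabet += len(string.punctuation)
    return len(password) * math.log2(alphabet) if alphabet else 0.0


def check_new_password(password, account_type, previous_digests=(), salt=""):
    """Return the list of policy violations for a proposed password (empty = compliant)."""
    min_len, _ = POLICY[account_type]
    violations = []
    if len(password) < min_len:
        violations.append(f"length {len(password)} is below the {min_len}-character minimum for {account_type} accounts")
    has_letter = any(c.isalpha() for c in password)
    has_digit = any(c.isdigit() for c in password)
    has_symbol = any(c in string.punctuation for c in password)
    if not (has_letter and has_digit and has_symbol):
        violations.append("must combine letters, numbers, and symbols")
    bits = estimate_entropy_bits(password)
    if bits < MIN_ENTROPY_BITS:
        violations.append(f"estimated entropy {bits:.0f} bits is below {MIN_ENTROPY_BITS} bits")
    # Only the most recent HISTORY_DEPTH digests count; anything older may be reused.
    if password_digest(password, salt) in list(previous_digests)[-HISTORY_DEPTH:]:
        violations.append(f"repeats one of the last {HISTORY_DEPTH} passwords")
    return violations


def rotation_overdue(account_type, age_days):
    """True when the current password has exceeded the rotation interval for its account type."""
    _, max_age = POLICY[account_type]
    return max_age is not None and age_days > max_age


if __name__ == "__main__":
    # Constructed sample inputs
    samples = [("correct-horse-battery-staple-42", "user"), ("Tr0ub4dor&3", "user"), ("Sh0rt!", "customer")]
    for pw, kind in samples:
        print(kind, repr(pw), check_new_password(pw, kind) or "compliant")
    print("admin password at 91 days overdue:", rotation_overdue("admin", 91))
```

The history check deliberately slices the last four digests so that a password older than that is accepted, which is exactly what the "last four previous passwords" wording permits; a stricter deployment would simply raise HISTORY_DEPTH.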
Additionally, in order to remotely access the corporate VMware network and network services, personnel
must connect through the use of an encrypted VPN (virtual private network) and multi-factor authentication.
Asset Management
vRealize utilizes AWS services like EKS and EC2 for their service assets. The EKS and EC2 control planes
act as the most up to date inventory of these assets. Nirvana is also used for asset management. Assets
are assigned an owner.
In July 2021, VMware approved a policy exception related to the testing of BCPs as a result of the continued
response to the COVID-19 pandemic. The policy exception reflected the fact that the company is operating
in a remote manner and exercising aspects of its BCP as part of the COVID-19 pandemic response.
Further, vRealize maintains disaster recovery plans for various scopes of potential disaster or failure
scenarios. VMware has implemented policies and procedures to guide personnel in recovering from a
disaster. Procedures document each step of the scheduling, monitoring, quality assurance (QA), and
Communications Security
vRealize utilizes AWS Key Management Services (“KMS”) to securely store and control access to
cryptographic keys. KMS is an AWS managed encryption service that securely generates and protects
cryptographic keys and allows other AWS services and applications to utilize those keys to encrypt data.
Customer data is stored in AWS RDS and is encrypted by AWS. Data backups are stored in encrypted
AWS S3 buckets.
For encryption in transit, web servers utilize transport layer security (“TLS”) encryption for web
communication sessions. Data is transmitted using TLS v1.2 or higher over public networks with valid
certificates that are signed by Certificate Authorities such as those provided by AWS. vRealize uses a
combination of AWS Security Groups, AWS VPCs and AWS Network Access Control Lists to restrict traffic
inbound and outbound.
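Both the corporate firewall description under Access Control (rulesets that deny any connection not explicitly authorized) and the AWS Security Group statement above describe the same control: inbound traffic from the Internet is allowed only where a rule says so. The following added example, which is not VMware code, audits security group ingress rules in the shape returned by `aws ec2 describe-security-groups` and reports every rule that admits any Internet source to a port other than public HTTPS. The group IDs, rules and the allowed-port set are constructed for this example.

```python
"""Audit of AWS security group ingress rules for world-open entries (added example, not VMware code).

SAMPLE_GROUPS mimics the shape of `aws ec2 describe-security-groups` output; the
group IDs, rules and the allowed-port set are constructed for this example.
"""
import ipaddress

# Ports that may legitimately accept traffic from anywhere (assumption: public HTTPS only).
PUBLIC_PORTS_ALLOWED = frozenset({443})

SAMPLE_GROUPS = [
    {
        "GroupId": "sg-web-example",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []},
        ],
    },
    {
        "GroupId": "sg-db-example",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
            {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        ],
    },
    {
        "GroupId": "sg-mgmt-example",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        ],
    },
]


def is_world_open(cidr: str) -> bool:
    """A prefix length of 0 (0.0.0.0/0 or ::/0) means any source address."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def rule_is_acceptable(rule: dict) -> bool:
    """A world-open rule is tolerated only for TCP on a single allowed port."""
    if rule["IpProtocol"] != "tcp":
        return False  # "-1" (all traffic), udp, icmp: never acceptable from anywhere
    return rule.get("FromPort") == rule.get("ToPort") and rule.get("FromPort") in PUBLIC_PORTS_ALLOWED


def audit_security_groups(groups):
    """Return (group_id, protocol, port_range, cidr) for each ingress rule that lets
    any Internet source reach a port outside PUBLIC_PORTS_ALLOWED."""
    findings = []
    for group in groups:
        for rule in group.get("IpPermissions", []):
            sources = [r["CidrIp"] for r in rule.get("IpRanges", [])]
            sources += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
            for cidr in sources:
                if is_world_open(cidr) and not rule_is_acceptable(rule):
                    ports = "all" if rule["IpProtocol"] == "-1" else f'{rule.get("FromPort")}-{rule.get("ToPort")}'
                    findings.append((group["GroupId"], rule["IpProtocol"], ports, cidr))
    return findings


if __name__ == "__main__":
    for finding in audit_security_groups(SAMPLE_GROUPS):
        print("world-open ingress:", finding)
```

Security groups are deny-by-default, so the audit only has to look for over-broad allow rules; the IPv6 `::/0` case is included because a group that is tight on IPv4 can still be wide open on IPv6.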
Corporate Firewall
Firewalls are configured to restrict inbound traffic to and outbound traffic from the corporate environment
using a central administration console.
Endpoint Security
The VMware Acceptable Use Policy defines employee responsibilities and boundaries regarding the use
of technology and information systems. To protect employee workstations with access to VMware
information and information systems, mobile device management and anti-malware software are installed
on corporate endpoints.
Anti-Malware
Enterprise anti-malware (Carbon Black) is installed and maintained on all user endpoint devices to provide
protection against the installation of malicious software.
The Agile methodology is utilized to govern change management procedures. Development and testing
efforts occur in a logically separate environment and are performed in scheduled sprints. Software and
infrastructure changes made to in-scope systems are authorized, tested, and approved prior to
implementation. An automated ticketing system and internal wiki pages are used to document and track
change efforts, milestones, and formal approvals.
A source code repository is utilized to track change approvals and provide version control to help ensure
the ability to roll back to previous iterations. When ready, changes are compiled to await promotion to
production in a separate staging environment. Automated scripts are executed to promote changes to a
production repository which becomes the basis for new client environments or updates to existing
environments. Automated scripts are also used to pull from this production repository when making changes
to a client production environment. The ability to execute these scripts is restricted to authorized personnel.
Known issues and uptime status of the VMware vRealize system are communicated to internal and external
users through the company website and a public facing status page.
Server hardening is accomplished via the use of AWS Linux AMIs, which are hardened per industry
standards. The Kubernetes environment utilizes hardened Photon OS images, which are also continually
updated through releases as new vulnerabilities are identified.
Configuration management is accomplished through the use of infrastructure as code, which helps ensure
that servers and containers are configured per hardening standards.
Infrastructure changes to corporate resources follow VMware’s Change Management Policy. These changes
are documented and approved prior to implementation into production.
System Monitoring
IT operations personnel utilize enterprise monitoring systems to monitor the performance and availability of
production systems and associated devices. The monitoring applications are configured to automatically
create incidents into the Jira ticketing system based on predefined security levels and configured to alert IT
operations personnel via e-mail and PagerDuty when predefined thresholds are exceeded. Management
holds a capacity management meeting on a weekly basis to review availability trends.
VMware has developed and implemented a formal incident management and resolution process used to
manage various types of incidents from customer complaints to security events. These processes are
To further help ensure the security of the system, antivirus software is installed on workstations and
configured to scan and monitor for updates to virus definitions and update registered clients on a daily
basis. The antivirus software is also configured to perform on-demand scans (whenever users access files)
for any new files installed on workstations.
vRealize performs ongoing monitoring to help ensure that risks are evaluated on a continuous basis.
Specifically, administrative access is logged and monitored on production systems. These logs are
forwarded to a centralized monitoring tool for evaluation of malicious activity.
vRealize forwards all CloudTrail logs to both the VMware Security Operations Center (“SOC”) and to the
LogInsight tool for monitoring of malicious activity. Security events are triaged and tracked to remediation.
Any security event deemed to be a security incident is escalated to the SOC Team for formal investigation
and remediation.
Incident Reporting
Information security events are monitored 24/7 and reported to the central VMware SOC for triage.
Employees and contractors are made aware of their responsibility to report information security events in a
timely manner as documented in the Security Incident Management Policy. For both internal and external
personnel, reporting mechanisms exist to report vulnerabilities, weaknesses, or issues.
Incident Response
Cloud application logs (e.g., CloudTrail, GuardDuty) and corporate network logs (e.g., firewalls, IDS)
are ingested into the centralized security monitoring solution. Alerts are configured to identify security
events which are assessed and assigned priority levels by the Security Operations Center and escalated
to the VMware Security Incident Response team (“vSIRT”) as needed. vSIRT will then manage information
security incidents in accordance with the defined Security Incident Management Procedures, ensuring that
they are responded to and investigated, tracked in an internal ticketing system until closure, and
communicated to appropriate personnel. Lessons learned summaries are documented and used to reduce
the likelihood or impact of future incidents.
System Availability
vRealize has implemented policies and procedures to guide personnel in performing data backups and
data restoration. Procedures document each step of the scheduling, monitoring, quality assurance (“QA”),
and restoration processes, as well as the roles and responsibilities. Production systems are configured to
support continuous availability through the use of multiple regions and availability zones.
Additionally, the backup system simultaneously generates e-mail notifications and generates a ticket in the
Jira service management ticketing system to help ensure that issues are resolved and backups are
completed. Administrative access privileges to backup systems and data are restricted to user accounts
accessible by authorized personnel. The automated backup systems are configured to encrypt backup
media. IT operations personnel perform backup media restores on a quarterly basis to verify that system
components can be recovered from system backups.
Application and infrastructure metrics are captured. Scale-performance testing is performed for every
feature and infrastructure is provisioned to meet the requirements of scale.
Supplier Relationships
Third-Party Risk Management Policy
A Third-Party Risk Management Policy is documented and available to guide personnel to monitor and
review third-party service providers. The document is reviewed on an annual basis.
Vulnerability Management
Penetration Testing - vRealize
Penetration tests are performed at least annually for the vRealize service. Upon completion of the
penetration test, a summary report is generated, and any findings identified are documented and tracked
to remediation.
Additionally, vRealize utilizes code scan software as part of its continuous integration pipelines that scans
code for vulnerabilities on every code commit. Any vulnerability found is addressed as a must-fix issue in
the monthly releases. EC2 nodes use the base Linux AMI from AWS and are subjected to hardening. EKS
containers use Photon OS as the base image, for which vulnerabilities are routinely fixed.
Control activities performed by AWS noted above have been excluded from the scope of this report.
vRealize, through its operational activities, monitors the services performed by AWS to determine whether
operations and controls expected to be implemented are functioning effectively. Management also has
communication with AWS to monitor compliance with the service agreement, stay informed of changes
planned at the hosting facility, and relay issues or concerns to AWS management.
The following table identifies the applicable trust services criteria that are intended to be met by controls at
AWS and the type of controls expected to be implemented to meet the criteria:
Applicable trust services criteria: CC6.1, CC6.2, CC6.3
Type of controls expected to be implemented at AWS: Policies and mechanisms are in place to restrict
unauthorized system access. Access that is no longer required is removed in a timely manner.
SYSTEM INCIDENTS
There were no system incidents as of the date of the description that resulted in the failure to achieve one
or more service commitments and system requirements.
PURPOSE
The following section describes the Security and Availability categories, related criteria, and controls related
to vRealize.
CONTENT DESCRIPTION
Criteria
The criteria represent the individual requirements for the in-scope categories of Security
and Availability within the Trust Services Categories and Criteria issued by the AICPA.
Security Category
Information systems are protected against unauthorized access, unauthorized disclosure
of information, and damage to systems that could compromise its information or systems
and affect the entity’s ability to meet its objectives.
Availability Category
Information and systems are available for operation and use to meet the entity’s
objectives.
Controls
The controls listed on the following pages depict the vRealize controls which are related
to the applicable criterion for Security and Availability.
Control domains are identified as follows:
Access Control (“AC”)
Asset Management (“AM”)
Business Continuity Management (“BCM”)
Communications Security (“CS”)
Compliance (“CM”)
Human Resource Security (“HRS”)
Information Security Incident Management (“IM”)
Organization of Information Security (“OIS”)
Risk Management (“RM”)
Supplier Relationships (“SR”)
System Acquisition, Development, and Maintenance (“SDM”)
System Availability (“SA”)
System Monitoring (“SM”)
Vulnerability Management (“VM”)
Control | Control Activity | KPMG's Test Procedures | KPMG's Test Results

Control: CM-6
Control Activity: The Chief Security Officer provides reports to the Audit Committee on information security matters and concerns at least annually.
KPMG's Test Procedures: Inspected communication from the Chief Security Officer to the Audit Committee to determine whether the Chief Security Officer reported to the Audit Committee on information security matters and concerns at least annually.
KPMG's Test Results: No exceptions noted.
CC1.3: Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives.

Control: HRS-9
Control Activity: Position descriptions are documented to define the role, skills, responsibilities, and knowledge levels required for particular jobs upon hire.
KPMG's Test Procedures: Observed the system used to document position descriptions and an example job description to determine whether a process for documenting job descriptions, including the role, skills, responsibilities, and knowledge levels required for particular jobs upon hire, was defined.
KPMG's Test Results: No exceptions noted.
CC1.4: The entity demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives.

Control: HRS-5
Control Activity: Training programs are provided, including continuing education and training, to help ensure skill sets and technical competency of employees and contractors are developed and maintained.
KPMG's Test Procedures: Inspected the training portal available to internal personnel to determine whether training programs were provided to develop and maintain the skill sets and technical competency of employees and contractors.
KPMG's Test Results: No exceptions noted.

Control: HRS-9
Control Activity: Position descriptions are documented to define the role, skills, responsibilities, and knowledge levels required for particular jobs upon hire.
KPMG's Test Procedures: Observed the system used to document position descriptions and an example job description to determine whether a process for documenting job descriptions, including the role, skills, responsibilities, and knowledge levels required for particular jobs upon hire, was defined.
KPMG's Test Results: No exceptions noted.
CC1.5: The entity holds individuals accountable for their internal control responsibilities in the pursuit of objectives.

Control: HRS-9
Control Activity: Position descriptions are documented to define the role, skills, responsibilities, and knowledge levels required for particular jobs upon hire.
KPMG's Test Procedures: Observed the system used to document position descriptions and an example job description to determine whether a process for documenting job descriptions, including the role, skills, responsibilities, and knowledge levels required for particular jobs upon hire, was defined.
KPMG's Test Results: No exceptions noted.
CC2.1: The entity obtains or generates and uses relevant, quality information to support the functioning of internal control.

Control: RM-1
Control Activity: A framework is defined for the organization's overall approach to IT risk and control. The organization: a. Develops a comprehensive strategy to manage risk,
KPMG's Test Procedures: Inspected the risk management manual to determine whether a framework was defined for the organization's overall approach to IT risk and control.
KPMG's Test Results: No exceptions noted.
CC2.2: The entity internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control.

Control: CM-6
Control Activity: The Chief Security Officer provides reports to the Audit Committee on information security matters and concerns at least annually.
KPMG's Test Procedures: Inspected communication from the Chief Security Officer to the Audit Committee to determine whether the Chief Security Officer reported to the Audit Committee on information security matters and concerns at least annually.
KPMG's Test Results: No exceptions noted.

Control: HRS-9
Control Activity: Position descriptions are documented to define the role, skills, responsibilities, and knowledge levels required for particular jobs upon hire.
KPMG's Test Procedures: Observed the system used to document position descriptions and an example job description to determine whether a process for documenting job descriptions, including the role, skills, responsibilities, and knowledge levels required for particular jobs upon hire, was defined.
KPMG's Test Results: No exceptions noted.
CC2.3: The entity communicates with external parties regarding matters affecting the functioning of internal control.

Control: OIS-4
Control Activity: The status of services, scheduled maintenance, and incidents are communicated to customers via the public website.
KPMG's Test Procedures: Inspected the VMware public website to determine whether the status of services, scheduled maintenance, and incidents were communicated to customers.
KPMG's Test Results: No exceptions noted.
CC3.1: The entity specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives.

Control: RM-1
Control Activity: A framework is defined for the organization's overall approach to IT risk and control. The organization: a. Develops a comprehensive strategy to manage risk,
KPMG's Test Procedures: Inspected the risk management manual to determine whether a framework was defined for the organization's overall approach to IT risk and control.
KPMG's Test Results: No exceptions noted.
CC3.2: The entity identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed.

Control: RM-1
Control Activity: A framework is defined for the organization's overall approach to IT risk and control. The organization: a. Develops a comprehensive strategy to manage risk,
KPMG's Test Procedures: Inspected the risk management manual to determine whether a framework was defined for the organization's overall approach to IT risk and control.
KPMG's Test Results: No exceptions noted.

Control: RM-2
Control Activity: Product risk assessments are performed on an annual basis. Risk mitigation strategies are defined and tracked to completion.
KPMG's Test Procedures: Inspected the product risk assessment schedule to determine whether product risk assessments were tracked. Inspected the risks identified in the product risk assessments for a selection of services to determine whether risk mitigation strategies were defined and tracked to completion.
KPMG's Test Results: No exceptions noted.

Control: RM-3
Control Activity: A risk assessment process, including the consideration of fraud risk, is in place to regularly assess the risk and mitigation plans. Periodic reporting to risk owners and executives takes place to review the risks and mitigation strategies.
KPMG's Test Procedures: Inspected the risk management manual to determine whether the risk assessment process was defined to assess risk and mitigation plans. Inspected the most recent risk assessment to determine whether a risk assessment was performed and reported to relevant risk owners and executives. Inspected the centralized risk register to determine whether a centralized risk register was maintained to track overall risks to the organization.
KPMG's Test Results: No exceptions noted.

Control: RM-4
Control Activity: A program is established to assess and monitor security and risks during the service design and onboarding process.
KPMG's Test Procedures: Inspected the Build and Operate SAAS guide to determine whether a program is documented for assessing and monitoring security risks for onboarded cloud services.
KPMG's Test Results: No exceptions noted.

Control: SR-5
Control Activity: Management reviews third-party examination reports for subservice organizations to assess subservice organization's achievement of controls relevant to the entity's commitments.
KPMG's Test Procedures: Inspected the Third Party Risk Management Policy to determine whether guidelines for reviewing subservice organization examination reports were defined. Inspected third-party examination report reviews for in-scope subservice organizations to determine whether subservice organization achievement of controls relevant to the entity's commitments was assessed.
KPMG's Test Results: No exceptions noted.
CC3.3: The entity considers the potential for fraud in assessing risks to the achievement of objectives.

Control: RM-1
Control Activity: A framework is defined for the organization's overall approach to IT risk and control. The organization: a. Develops a comprehensive strategy to manage risk,
KPMG's Test Procedures: Inspected the risk management manual to determine whether a framework was defined for the organization's overall approach to IT risk and control.
KPMG's Test Results: No exceptions noted.

Control: RM-3
Control Activity: A risk assessment process, including the consideration of fraud risk, is in place to regularly assess the risk and mitigation plans. Periodic reporting to risk owners and executives takes place to review the risks and mitigation strategies.
KPMG's Test Procedures: Inspected the risk management manual to determine whether the risk assessment process was defined to assess risk and mitigation plans. Inspected the most recent risk assessment to determine whether a risk assessment was performed and reported to relevant risk owners and executives. Inspected the centralized risk register to determine whether a centralized risk register was maintained to track overall risks to the organization.
KPMG's Test Results: No exceptions noted.
CC3.4: The entity identifies and assesses changes that could significantly impact the system of internal control.

Control: RM-1
Control Activity: A framework is defined for the organization's overall approach to IT risk and control. The organization: a. Develops a comprehensive strategy to manage risk,
KPMG's Test Procedures: Inspected the risk management manual to determine whether a framework was defined for the organization's overall approach to IT risk and control.
KPMG's Test Results: No exceptions noted.

Control: RM-2
Control Activity: Product risk assessments are performed on an annual basis. Risk mitigation strategies are defined and tracked to completion.
KPMG's Test Procedures: Inspected the product risk assessment schedule to determine whether product risk assessments were tracked. Inspected the risks identified in the product risk assessments for a selection of services to determine whether risk mitigation strategies were defined and tracked to completion.
KPMG's Test Results: No exceptions noted.

Control: RM-3
Control Activity: A risk assessment process, including the consideration of fraud risk, is in place to regularly assess the risk and mitigation plans. Periodic reporting to risk owners and executives takes place to review the risks and mitigation strategies.
KPMG's Test Procedures: Inspected the risk management manual to determine whether the risk assessment process was defined to assess risk and mitigation plans. Inspected the most recent risk assessment to determine whether a risk assessment was performed and reported to relevant risk owners and executives. Inspected the centralized risk register to determine whether a centralized risk register was maintained to track overall risks to the organization.
KPMG's Test Results: No exceptions noted.

Control: SR-5
Control Activity: Management reviews third-party examination reports for subservice organizations to assess subservice organization's achievement of controls relevant to the entity's commitments.
KPMG's Test Procedures: Inspected the Third Party Risk Management Policy to determine whether guidelines for reviewing subservice organization examination reports were defined. Inspected third-party examination report reviews for in-scope subservice organizations to determine whether subservice organization achievement of controls relevant to the entity's commitments was assessed.
KPMG's Test Results: No exceptions noted.
CC4.1: The entity selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning.

Control: RM-4
Control Activity: A program is established to assess and monitor security and risks during the service design and onboarding process.
KPMG's Test Procedures: Inspected the Build and Operate SAAS guide to determine whether a program is documented for assessing and monitoring security risks for onboarded cloud services.
KPMG's Test Results: No exceptions noted.

Control: SR-5
Control Activity: Management reviews third-party examination reports for subservice organizations to assess subservice organization's achievement of controls relevant to the entity's commitments.
KPMG's Test Procedures: Inspected the Third Party Risk Management Policy to determine whether guidelines for reviewing subservice organization examination reports were defined. Inspected third-party examination report reviews for in-scope subservice organizations to determine whether subservice organization achievement of controls relevant to the entity's commitments was assessed.
KPMG's Test Results: No exceptions noted.
CC4.2: The entity evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate.

Control: CM-6
Control Activity: The Chief Security Officer provides reports to the Audit Committee on information security matters and concerns at least annually.
KPMG's Test Procedures: Inspected communication from the Chief Security Officer to the Audit Committee to determine whether the Chief Security Officer reported to the Audit Committee on information security matters and concerns at least annually.
KPMG's Test Results: No exceptions noted.
CC5.1: The entity selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels.

Control: RM-1
Control Activity: A framework is defined for the organization's overall approach to IT risk and control. The organization: a. Develops a comprehensive strategy to manage risk,
KPMG's Test Procedures: Inspected the risk management manual to determine whether a framework was defined for the organization's overall approach to IT risk and control.
KPMG's Test Results: No exceptions noted.

Control: RM-2
Control Activity: Product risk assessments are performed on an annual basis. Risk mitigation strategies are defined and tracked to completion.
KPMG's Test Procedures: Inspected the product risk assessment schedule to determine whether product risk assessments were tracked. Inspected the risks identified in the product risk assessments for a selection of services to determine whether risk mitigation strategies were defined and tracked to completion.
KPMG's Test Results: No exceptions noted.

Control: RM-3
Control Activity: A risk assessment process, including the consideration of fraud risk, is in place to regularly assess the risk and mitigation plans. Periodic reporting to risk owners and executives takes place to review the risks and mitigation strategies.
KPMG's Test Procedures: Inspected the risk management manual to determine whether the risk assessment process was defined to assess risk and mitigation plans. Inspected the most recent risk assessment to determine whether a risk assessment was performed and reported to relevant risk owners and executives. Inspected the centralized risk register to determine whether a centralized risk register was maintained to track overall risks to the organization.
KPMG's Test Results: No exceptions noted.
CC5.2: The entity also selects and develops general control activities over technology to support the achievement of objectives.

Control | Control Activity | KPMG's Test Procedures | KPMG's Test Results
CC5.3: The entity deploys control activities through policies that establish what is expected and in procedures that put policies into action.

Control: AC-1
Control Activity: The Access Control Policy is maintained to define responsibilities and actions for granting, monitoring, and revoking account access and privileges to system resources.
KPMG's Test Procedures: Inspected the Access Control Policy to determine whether responsibilities and actions for granting, monitoring, and revoking account access and privileges to system resources were defined and approved annually.
KPMG's Test Results: No exceptions noted.

Control: AM-1
Control Activity: Data classification criteria are documented, reviewed and approved by management, and communicated to internal personnel.
KPMG's Test Procedures: Inspected the Data Classification Policy to determine whether data classification criteria were documented, reviewed, and approved by management. Inspected the Data Classification Policy published on the internal network to determine whether data classification criteria were communicated to internal personnel.
KPMG's Test Results: No exceptions noted.

Control: AM-2
Control Activity: The Data Handling and Protection Standards define procedures for handling information assets based on their classification, including requirements for media disposal.
KPMG's Test Procedures: Inspected the Data Handling and Protection Standards to determine whether procedures for handling information assets based on their classification, including requirements for media disposal, were defined.
KPMG's Test Results: No exceptions noted.

Control: AM-3
Control Activity: The Acceptable Use Policy defines employee responsibilities and boundaries regarding the use of technology and information systems.
KPMG's Test Procedures: Inspected the Acceptable Use Policy to determine whether employee responsibilities and boundaries regarding the use of technology and information systems were defined.
KPMG's Test Results: No exceptions noted.

Control: BCM-2
Control Activity: Business Continuity Plans for operational lines of business are defined, reviewed, and tested on at least an annual basis.
KPMG's Test Procedures: Inspected the Business Continuity Policy to determine whether guidelines for defining, reviewing, and testing Business Continuity Plans were defined. Inspected the Business Continuity Plans for business units to determine whether the plans were defined and reviewed on at least an annual basis.
KPMG's Test Results: No exceptions noted.

Control: BCM-3
Control Activity: Disaster Recovery Plans are defined, reviewed, and tested on at least an annual basis.
KPMG's Test Procedures: Inspected the Disaster Recovery Plans to determine whether the plans were defined and reviewed on at least an annual basis.
KPMG's Test Results: No exceptions noted.

Control: PES-1
Control Activity: The Physical Security Policy defines physical and environmental security measures to protect information systems, personnel, and physical assets, including a clear desk and clear screen policy.
KPMG's Test Procedures: Inspected the Physical Security Policy to determine whether physical and environmental security measures, including a clear desk and clear screen policy, were defined.
KPMG's Test Results: No exceptions noted.
CC6.1: The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity's objectives.

Control: AC-13
Control Activity: Access to program source code is limited to appropriate personnel.
KPMG's Test Procedures: Inspected the Source Code Management Standards to determine whether guidelines for limiting access to program source code were defined.
KPMG's Test Results: No exceptions noted.

Control: AM-1
Control Activity: Data classification criteria are documented, reviewed and approved by management, and communicated to internal personnel.
KPMG's Test Procedures: Inspected the Data Classification Policy to determine whether data classification criteria were documented, reviewed, and approved by management. Inspected the Data Classification Policy published on the internal network to determine whether data classification criteria were communicated to internal personnel.
KPMG's Test Results: No exceptions noted.

Control: AM-2
Control Activity: The Data Handling and Protection Standards define procedures for handling information assets based on their classification, including requirements for media disposal.
KPMG's Test Procedures: Inspected the Data Handling and Protection Standards to determine whether procedures for handling information assets based on their classification, including requirements for media disposal, were defined.
KPMG's Test Results: No exceptions noted.

Control: CS-3
Control Activity: Customer data is encrypted at rest.
KPMG's Test Procedures: Inspected the Encryption Policy and the Data Classification Policy to determine whether requirements for encrypting data at rest were defined.
KPMG's Test Results: No exceptions noted.

Control: CS-4
Control Activity: Transmission of customer data over public networks is encrypted.
KPMG's Test Procedures: Inspected the Encryption Policy, the Data Classification Policy, and the SSL Certificate Standards to determine whether requirements for encrypting data in transit were defined.
KPMG's Test Results: No exceptions noted.

Control: SM-3
Control Activity: Access to logging systems and log information is limited to appropriate personnel.
KPMG's Test Procedures: Inspected the Security Logging Standards to determine whether guidelines for restricting access to logging systems and log information were defined.
KPMG's Test Results: No exceptions noted.

Control: SM-6
Control Activity: A mobile device management solution is installed on corporate endpoint devices with access to VMware information and information systems.
KPMG's Test Procedures: Inspected the End User Device Security Policy and Workspace ONE Standards to determine whether the use of a mobile device management solution on endpoints was defined. Inspected the Mobile Device Management solution to determine whether it maintained a list of authorized applications that allowed access to corporate data through managed mobile devices.
KPMG's Test Results: No exceptions noted.
CC6.2: Prior to issuing system credentials and granting system access, the entity registers and authorizes new internal and external users whose access is administered by the entity. For those users whose access is administered by the entity, user system credentials are removed when user access is no longer authorized.

Control: AC-1
Control Activity: The Access Control Policy is maintained to define responsibilities and actions for granting, monitoring, and revoking account access and privileges to system resources.
KPMG's Test Procedures: Inspected the Access Control Policy to determine whether responsibilities and actions for granting, monitoring, and revoking account access and privileges to system resources were defined and approved annually.
KPMG's Test Results: No exceptions noted.

Control: AC-3
Control Activity: New and modified user access to production systems is provisioned based on an approved access request that delineates the access levels that the user should be granted.
KPMG's Test Procedures: Inspected the Access Control Policy to determine whether a process for provisioning access to production systems was defined. Inspected tickets for a selection of new or modified access requests in CloudGate to determine whether access was approved prior to provisioning and whether requests delineated the access levels to be granted.
KPMG's Test Results: No exceptions noted.

Control: AC-6
Control Activity: A formal user access de-provisioning process is implemented in the corporate access management system to revoke access rights to production systems for terminated employees.
KPMG's Test Procedures: Inspected the Access Control Policy to determine whether a process for removing access through the corporate access management system was defined. Inspected access removal logs for a selection of terminated employees to determine whether access was removed through the corporate access management system in a timely manner.
KPMG's Test Results: No exceptions noted.

Control: AC-7
Control Activity: User access is reviewed for appropriateness on a periodic basis. Access flagged for removal is revoked in a timely manner.
KPMG's Test Procedures: Inspected the Access Control Policy to determine whether user access review requirements were defined. Inspected access review completion records for a selection of user access reviews to determine whether user access reviews were performed on a periodic basis.
KPMG's Test Results: No exceptions noted.
CC6.3: The entity authorizes, modifies, or removes access to data, software, functions, and other protected information assets based on roles, responsibilities, or the system design and changes, giving consideration to the concepts of least privilege and segregation of duties, to meet the entity’s objectives.

Control: AC-13
Control Activity: Access to program source code is limited to appropriate personnel.
KPMG's Test Procedures: Inspected the Source Code Management Standards to determine whether guidelines for limiting access to program source code were defined.
KPMG's Test Results: No exceptions noted.

Control: AC-3
Control Activity: New and modified user access to production systems is provisioned based on an approved access request that delineates the access levels that the user should be granted.
KPMG's Test Procedures: Inspected the Access Control Policy to determine whether a process for provisioning access to production systems was defined. Inspected tickets for a selection of new or modified access requests in CloudGate to determine whether access was approved prior to provisioning and whether requests delineated the access levels to be granted.
KPMG's Test Results: No exceptions noted.

Control: AC-6
Control Activity: A formal user access de-provisioning process is implemented in the corporate access management system to revoke access rights to production systems for terminated employees.
KPMG's Test Procedures: Inspected the Access Control Policy to determine whether a process for removing access through the corporate access management system was defined. Inspected access removal logs for a selection of terminated employees to determine whether access was removed through the corporate access management system in a timely manner.
KPMG's Test Results: No exceptions noted.

Control: AC-7
Control Activity: User access is reviewed for appropriateness on a periodic basis. Access flagged for removal is revoked in a timely manner.
KPMG's Test Procedures: Inspected the Access Control Policy to determine whether user access review requirements were defined. Inspected access review completion records for a selection of user access reviews to determine whether user access reviews were performed on a periodic basis.
KPMG's Test Results: No exceptions noted.

Control: SM-3
Control Activity: Access to logging systems and log information is limited to appropriate personnel.
KPMG's Test Procedures: Inspected the Security Logging Standards to determine whether guidelines for restricting access to logging systems and log information were defined.
KPMG's Test Results: No exceptions noted.
CC6.4 The entity restricts physical access to facilities and protected information assets (for example, data center facilities, back-up media storage, and other sensitive locations) to authorized personnel to meet the entity’s objectives.

| Control | Control Activity | KPMG's Test Procedures | KPMG's Test Results |
|---|---|---|---|
| PES-1 | The Physical Security Policy defines physical and environmental security measures to protect information systems, personnel, and physical assets, including a clear desk and clear screen policy. | Inspected the Physical Security Policy to determine whether physical and environmental security measures, including a clear desk and clear screen policy, were defined. | No exceptions noted. |
| PES-2 | Requests for new or modified physical access to data center facilities are approved prior to provisioning. | Inspected the Physical Security Policy to determine whether guidelines for provisioning physical access were defined. Inspected the audit logs for a selection of personnel granted new or modified physical access to determine whether physical access was approved prior to provisioning. | No exceptions noted. |
| PES-3 | Physical access to data center facilities is deprovisioned in a timely manner upon termination. | Inspected the Physical Security Policy to determine whether guidelines for deprovisioning physical access were defined. | No exceptions noted. |
| PES-4 | Physical access to data center facilities is reviewed for appropriateness on a quarterly basis. Access flagged for removal is revoked in a timely manner. | Inspected the Physical Security Policy to determine whether physical access review requirements were defined. Inspected the configuration between the physical badge access system and the human resource management system to determine whether physical badge access was configured to automatically disable after an employee is terminated within the human resource management system. | No exceptions noted. |
| PES-5 | Physical security controls for data center facilities such as controlled badge access and video surveillance have been implemented to restrict physical access to authorized individuals. | Inspected the Physical Security Policy to determine whether physical security control procedures for data center facilities were defined. Observed controlled badge access and video surveillance in data center facilities to determine whether physical security controls were implemented to restrict physical access to authorized individuals. | No exceptions noted. |
| SR-5 | Management reviews third-party examination reports for subservice organizations to assess subservice organization's achievement of controls relevant to the entity's commitments. | Inspected the Third Party Risk Management Policy to determine whether guidelines for reviewing subservice organization examination reports were defined. Inspected third-party examination report reviews for in-scope subservice organizations to determine whether subservice organization achievement of controls relevant to the entity's commitments was assessed. | No exceptions noted. |
CC6.5 The entity discontinues logical and physical protections over physical assets only after the ability to read or recover data and software from those assets has been diminished and is no longer required to meet the entity’s objectives.

| Control | Control Activity | KPMG's Test Procedures | KPMG's Test Results |
|---|---|---|---|
| AM-2 | The Data Handling and Protection Standards define procedures for handling information assets based on their classification, including requirements for media disposal. | Inspected the Data Handling and Protection Standards to determine whether procedures for handling information assets based on their classification, including requirements for media disposal, were defined. | No exceptions noted. |
| AM-5 | Physical assets are wiped prior to disposal or re-use in accordance with media disposal requirements. | Inspected the Asset Management Policy to determine whether requirements for media disposal were defined. Inspected certificates of destruction for a selection of assets marked for disposal or re-use to determine whether assets were wiped prior to disposal or re-use in accordance with media disposal requirements. | No exceptions noted. |
| SR-5 | Management reviews third-party examination reports for subservice organizations to assess subservice organization's achievement of controls relevant to the entity's commitments. | Inspected the Third Party Risk Management Policy to determine whether guidelines for reviewing subservice organization examination reports were defined. Inspected third-party examination report reviews for in-scope subservice organizations to determine whether subservice organization achievement of controls relevant to the entity's commitments was assessed. | No exceptions noted. |
CC6.6 The entity implements logical access security measures to protect against threats from sources outside its system boundaries.

| Control | Control Activity | KPMG's Test Procedures | KPMG's Test Results |
|---|---|---|---|
CC6.7 The entity restricts the transmission, movement, and removal of information to authorized internal and external users and processes, and protects it during transmission, movement, or removal to meet the entity’s objectives.

| Control | Control Activity | KPMG's Test Procedures | KPMG's Test Results |
|---|---|---|---|
| CS-4 | Transmission of customer data over public networks is encrypted. | Inspected the Encryption Policy, the Data Classification Policy, and the SSL Certificate Standards to determine whether requirements for encrypting data in transit were defined. | No exceptions noted. |
| SM-6 | A mobile device management solution is installed on corporate endpoint devices with access to VMware information and information systems. | Inspected the End User Device Security Policy and Workspace ONE Standards to determine whether the use of a mobile device management solution on endpoints was defined. Inspected the Mobile Device Management solution to determine whether it maintained a list of authorized applications that allowed access to corporate data through managed mobile devices. | No exceptions noted. |
CC6.8 The entity implements controls to prevent or detect and act upon the introduction of unauthorized or malicious software to meet the entity’s objectives.

| Control | Control Activity | KPMG's Test Procedures | KPMG's Test Results |
|---|---|---|---|
| AM-3 | The Acceptable Use Policy defines employee responsibilities and boundaries regarding the use of technology and information systems. | Inspected the Acceptable Use Policy to determine whether employee responsibilities and boundaries regarding the use of technology and information systems were defined. | No exceptions noted. |
| SM-6 | A mobile device management solution is installed on corporate endpoint devices with access to VMware information and information systems. | Inspected the End User Device Security Policy and Workspace ONE Standards to determine whether the use of a mobile device management solution on endpoints was defined. Inspected the Mobile Device Management solution to determine whether it maintained a list of authorized applications that allowed access to corporate data through managed mobile devices. | No exceptions noted. |
CC7.1 To meet its objectives, the entity uses detection and monitoring procedures to identify (1) changes to configurations that result in the introduction of new vulnerabilities, and (2) susceptibilities to newly discovered vulnerabilities.

| Control | Control Activity | KPMG's Test Procedures | KPMG's Test Results |
|---|---|---|---|
CC7.2 The entity monitors system components and the operation of those components for anomalies that are indicative of malicious acts, natural disasters, and errors affecting the entity's ability to meet its objectives; anomalies are analyzed to determine whether they represent security events.

| Control | Control Activity | KPMG's Test Procedures | KPMG's Test Results |
|---|---|---|---|
| SM-1 | Logging, including logging of administrator activities, is configured on production systems. Logs are forwarded to a centralized monitoring tool. | Inspected the Security Logging Standards to determine whether requirements for logging and log forwarding were defined. Inspected logging configurations for a selection of production systems to determine whether logs, including logs of administrator activities, were configured to be forwarded to a centralized monitoring tool. | No exceptions noted. |
| SM-2 | Alerts are configured to notify appropriate personnel of anomalous activity for further investigation. Alerts are triaged to resolution. | Inspected the Security Logging Standards to determine whether a process for reviewing centralized logs and configuring security alerts was defined. Observed the central security monitoring solution to determine whether alerts generated were triaged and tracked to resolution. | No exceptions noted. |
CC7.3 The entity evaluates security events to determine whether they could or have resulted in a failure of the entity to meet its objectives (security incidents) and, if so, takes actions to prevent or address such failures.

| Control | Control Activity | KPMG's Test Procedures | KPMG's Test Results |
|---|---|---|---|
| SM-2 | Alerts are configured to notify appropriate personnel of anomalous activity for further investigation. Alerts are triaged to resolution. | Inspected the Security Logging Standards to determine whether a process for reviewing centralized logs and configuring security alerts was defined. Observed the central security monitoring solution to determine whether alerts generated were triaged and tracked to resolution. | No exceptions noted. |
CC7.4 The entity responds to identified security incidents by executing a defined incident response program to understand, contain, remediate, and communicate security incidents, as appropriate.

| Control | Control Activity | KPMG's Test Procedures | KPMG's Test Results |
|---|---|---|---|
| OIS-4 | The status of services, scheduled maintenance, and incidents are communicated to customers via the public website. | Inspected the VMware public website to determine whether the status of services, scheduled maintenance, and incidents were communicated to customers. | No exceptions noted. |
CC7.5 The entity identifies, develops, and implements activities to recover from identified security incidents.

| Control | Control Activity | KPMG's Test Procedures | KPMG's Test Results |
|---|---|---|---|
| OIS-4 | The status of services, scheduled maintenance, and incidents are communicated to customers via the public website. | Inspected the VMware public website to determine whether the status of services, scheduled maintenance, and incidents were communicated to customers. | No exceptions noted. |
| Control | Control Activity | KPMG's Test Procedures | KPMG's Test Results |
|---|---|---|---|
| SDM-9 | Development, testing, and production environments are segregated. | Inspected the Production Control Policy to determine whether guidelines for separating development, testing, and operational environments were defined. | No exceptions noted. |
CC9.1 The entity identifies, selects, and develops risk mitigation activities for risks arising from potential business disruptions.

| Control | Control Activity | KPMG's Test Procedures | KPMG's Test Results |
|---|---|---|---|
| BCM-2 | Business Continuity Plans for operational lines of business are defined, reviewed, and tested on at least an annual basis. | Inspected the Business Continuity Policy to determine whether guidelines for defining, reviewing, and testing Business Continuity Plans were defined. Inspected the Business Continuity Plans for business units to determine whether the plans were defined and reviewed on at least an annual basis. | No exceptions noted. |
| RM-2 | Product risk assessments are performed on an annual basis. Risk mitigation strategies are defined and tracked to completion. | Inspected the product risk assessment schedule to determine whether product risk assessments were tracked. Inspected the risks identified in the product risk assessments for a selection of services to determine whether risk mitigation strategies were defined and tracked to completion. | No exceptions noted. |
| RM-3 | A risk assessment process, including the consideration of fraud risk, is in place to regularly assess the risk and mitigation plans. Periodic reporting to risk owners and executives takes place to review the risks and mitigation strategies. | Inspected the risk management manual to determine whether the risk assessment process was defined to assess risk and mitigation plans. Inspected the most recent risk assessment to determine whether a risk assessment was performed and reported to relevant risk owners and executives. Inspected the centralized risk register to determine whether a centralized risk register was maintained to track overall risks to the organization. | No exceptions noted. |
CC9.2 The entity assesses and manages risks associated with vendors and business partners.

| Control | Control Activity | KPMG's Test Procedures | KPMG's Test Results |
|---|---|---|---|
| SR-5 | Management reviews third-party examination reports for subservice organizations to assess subservice organization's achievement of controls relevant to the entity's commitments. | Inspected the Third Party Risk Management Policy to determine whether guidelines for reviewing subservice organization examination reports were defined. Inspected third-party examination report reviews for in-scope subservice organizations to determine whether subservice organization achievement of controls relevant to the entity's commitments was assessed. | No exceptions noted. |
A1.1 The entity maintains, monitors, and evaluates current processing capacity and use of system components (infrastructure, data, and software) to manage capacity demand and to enable the implementation of additional capacity to help meet its objectives.

| Control | Control Activity | KPMG's Test Procedures | KPMG's Test Results |
|---|---|---|---|
| SA-4 | Production systems are configured to support continuous availability. | Inspected the Business Continuity Policy to determine whether requirements for configuring information processing facilities to support continuous availability were defined. | No exceptions noted. |
| Control | Control Activity | KPMG's Test Procedures | KPMG's Test Results |
|---|---|---|---|
| BCM-2 | Business Continuity Plans for operational lines of business are defined, reviewed, and tested on at least an annual basis. | Inspected the Business Continuity Policy to determine whether guidelines for defining, reviewing, and testing Business Continuity Plans were defined. Inspected the Business Continuity Plans for business units to determine whether the plans were defined and reviewed on at least an annual basis. | No exceptions noted. |
| BCM-3 | Disaster Recovery Plans are defined, reviewed, and tested on at least an annual basis. | Inspected the Disaster Recovery Plans to determine whether the plans were defined and reviewed on at least an annual basis. | No exceptions noted. |
| SA-1 | Backups of information, software, and system images are performed regularly and retained in accordance with a defined backup policy. | Inspected the Backup Policy and Data Backup Schedule to determine whether backup procedures were defined. Inspected backup configurations for a selection of databases to determine whether backups were performed and retained in accordance with backup procedures. | No exceptions noted. |
| SA-2 | Scheduled backups are monitored, and failures are addressed to help ensure completeness of backups according to the backup policy. | Inspected the Backup Policy to determine whether a process for addressing backup failures was defined. Inspected alerting configurations in place for databases to determine whether appropriate personnel were alerted of backup failures. | No exceptions noted. |
| SA-3 | Backup restoration tests are performed on at least an annual basis to verify the completeness and integrity of backups. | Inspected the Backup Policy to determine whether requirements for backup restoration tests were defined. Inspected the results of the most recent backup restoration test to determine whether restoration procedures were tested on at least an annual basis. | No exceptions noted. |
| SA-4 | Production systems are configured to support continuous availability. | Inspected the Business Continuity Policy to determine whether requirements for configuring information processing facilities to support continuous availability were defined. | No exceptions noted. |
A1.3 The entity tests recovery plan procedures supporting system recovery to meet its objectives.

| Control | Control Activity | KPMG's Test Procedures | KPMG's Test Results |
|---|---|---|---|
| BCM-2 | Business Continuity Plans for operational lines of business are defined, reviewed, and tested on at least an annual basis. | Inspected the Business Continuity Policy to determine whether guidelines for defining, reviewing, and testing Business Continuity Plans were defined. Inspected the Business Continuity Plans for business units to determine whether the plans were defined and reviewed on at least an annual basis. | No exceptions noted. |
| BCM-3 | Disaster Recovery Plans are defined, reviewed, and tested on at least an annual basis. | Inspected the Disaster Recovery Plans to determine whether the plans were defined and reviewed on at least an annual basis. | No exceptions noted. |
| SA-3 | Backup restoration tests are performed on at least an annual basis to verify the completeness and integrity of backups. | Inspected the Backup Policy to determine whether requirements for backup restoration tests were defined. Inspected the results of the most recent backup restoration test to determine whether restoration procedures were tested on at least an annual basis. | No exceptions noted. |