
vRealize

System and Organization Controls (SOC 2®) Type 2 Report on Management’s Description of VMware, Inc.’s vRealize System and on the Suitability of the Design of Controls and Operating Effectiveness of Its Controls Relevant to Security and Availability

For the period October 1, 2020 to September 30, 2021
TABLE OF CONTENTS
Section I. Independent Service Auditor’s Report Provided by KPMG LLP ........................ 1
Section II. VMware, Inc.’s Assertion ........................................................................................ 5
Section III. VMware, Inc.’s Description of its vRealize System .............................................. 7
System Overview ..................................................................................................... 8
Company Background .......................................................................................... 8
The vRealize Service............................................................................................ 8
Examination Scope ............................................................................................... 9
Service Commitments and System Requirements ............................................ 10
Components of the System .................................................................................. 11
Infrastructure....................................................................................................... 11
Software.............................................................................................................. 12
People................................................................................................................. 14
Procedures ......................................................................................................... 15
Data .................................................................................................................... 16
Relevant Aspects of the Control Environment, Risk Management,
Monitoring, and Information and Communication ............................................. 17
Control Environment ........................................................................................... 17
Integrity and Ethical Values ........................................................................... 17
Board of Directors and Audit Committee Oversight ...................................... 17
Organizational Structure and Assignment of Authority and Responsibility ... 18
Commitments to Competence and Accountability......................................... 18
Policies and Procedures ................................................................................ 18
Risk Management ............................................................................................... 19
Organizational Risk Assessment ................................................................... 19
Cloud Services Risk Assessments ................................................................ 19
Monitoring ........................................................................................................... 19
Information and Communication ........................................................................ 19
Internal Communication ................................................................................. 19
External Communication ............................................................................... 20
Control Activities ................................................................................................. 20
Access Control............................................................................................... 20
Asset Management ........................................................................................ 21
Business Continuity Management ................................................................. 21
Communications Security .............................................................................. 22
Endpoint Security........................................................................................... 22
Physical and Environmental Security ............................................................ 22
System Acquisition, Development and Maintenance .................................... 23

VMware, Inc. Confidential - vRealize


System Monitoring ......................................................................................... 23
Security Incident Management ...................................................................... 24
System Availability ......................................................................................... 24
Supplier Relationships ................................................................................... 25
Vulnerability Management ............................................................................. 25
Complementary Subservice Organization Controls (CSOCS) .......................... 27
System Incidents ................................................................................................... 28
Trust Services Criteria That Are Not Relevant to the System........................... 28
Significant Changes to the System and Controls During the Period .............. 28
Trust Services Criteria and Related Controls ..................................................... 28
Section IV. Trust Services Categories, Criteria, VMware’s Related Controls and KPMG
LLP’s Tests of Controls and Results of Tests .................................................... 29
Security And Availability Categories, Related Trust Services Criteria, and
Controls Overview ................................................................................................. 30
Purpose .............................................................................................................. 30
Criteria and Controls........................................................................................... 30
CC 1.0 Common Criteria Related to the Control Environment ...................... 31
CC 2.0 Common Criteria Related to Communication and Information ......... 41
CC 3.0 Common Criteria Related to Risk Assessment ................................. 50
CC 4.0 Common Criteria Related to Monitoring Activities ............................ 60
CC 5.0 Common Criteria Related to Control Activities .................................. 64
CC 6.0 Common Criteria Related to Logical and Physical Access Controls 72
CC 7.0 Common Criteria Related to System Operations .............................. 93
CC 8.0 Common Criteria Related to Change Management ........................ 103
CC 9.0 Common Criteria Related to Risk Mitigation ................................... 106
A 1.0 Additional Criteria for Availability ....................................................... 110



Section I.
Independent Service Auditor’s Report Provided by KPMG LLP


KPMG LLP
Suite 900
10 South Broadway
St. Louis, MO 63102-1761

Independent Service Auditor’s Report

Board of Directors of VMware, Inc.:

Scope
We have examined VMware Inc.’s accompanying description of its system titled “VMware Inc.’s
Description of its vRealize System” throughout the period October 1, 2020 to September 30, 2021,
(“description”) based on the criteria for a description of a service organization’s system in DC section 200,
2018 Description Criteria for a Description of a Service Organization’s System in a SOC 2® Report
(AICPA, Description Criteria), (“description criteria”) and the suitability of the design and operating
effectiveness of controls stated in the description throughout the period October 1, 2020 to September 30,
2021 to provide reasonable assurance that VMware Inc.’s service commitments and system requirements
were achieved based on the trust services criteria relevant to security and availability (“applicable trust
services criteria”) set forth in TSP section 100, 2017 Trust Services Criteria for Security, Availability,
Processing Integrity, Confidentiality, and Privacy (AICPA, Trust Services Criteria).

VMware Inc. uses the subservice organization identified in Section III to provide cloud hosting services.
The description indicates that complementary subservice organization controls that are suitably designed
and operating effectively are necessary, along with controls at VMware Inc., to achieve VMware Inc.’s
service commitments and system requirements based on the applicable trust services criteria. The
description presents VMware Inc.’s controls, the applicable trust services criteria, and the types of
complementary subservice organization controls assumed in the design of VMware Inc.’s controls. The
description does not disclose the actual controls at the subservice organization. Our examination did not
include the services provided by the subservice organization, and we have not evaluated the suitability of
the design or operating effectiveness of such complementary subservice organization controls.

Service organization’s responsibilities
VMware Inc. is responsible for its service commitments and system requirements and for designing,
implementing, and operating effective controls within the system to provide reasonable assurance that
VMware Inc.’s service commitments and system requirements were achieved. VMware Inc. has provided
the accompanying assertion titled “VMware Inc.’s Assertion” (“assertion”) about the description and the
suitability of design and operating effectiveness of controls stated therein. VMware Inc. is also
responsible for preparing the description and assertion, including the completeness, accuracy, and
method of presentation of the description and assertion; providing the services covered by the
description; selecting the applicable trust services criteria and stating the related controls in the
description; and identifying the risks that threaten the achievement of the service organization’s service
commitments and system requirements.

Service auditor’s responsibilities
Our responsibility is to express an opinion on the description and on the suitability of design and
operating effectiveness of controls stated in the description based on our examination.

Our examination was conducted in accordance with attestation standards established by the American
Institute of CPAs (AICPA). Those standards require that we plan and perform our examination to obtain
reasonable assurance about whether, in all material respects, the description is presented in accordance
with the description criteria and the controls stated therein were suitably designed and operated
effectively to provide reasonable assurance that the service organization’s service commitments and
system requirements were achieved based on the applicable trust services criteria. We believe that the
evidence we obtained is sufficient and appropriate to provide a reasonable basis for our opinion.

KPMG LLP, a Delaware limited liability partnership and a member firm of the KPMG global organization of independent member firms affiliated with KPMG International Limited, a private English company limited by guarantee.

An examination of the description of a service organization’s system and the suitability of the design and
operating effectiveness of controls involves the following:

• Obtaining an understanding of the system and the service organization’s service commitments and
system requirements
• Assessing the risks that the description is not presented in accordance with the description criteria
and that controls were not suitably designed or did not operate effectively
• Performing procedures to obtain evidence about whether the description is presented in accordance
with the description criteria
• Performing procedures to obtain evidence about whether controls stated in the description were
suitably designed to provide reasonable assurance that the service organization would achieve its
service commitments and system requirements based on the applicable trust services criteria if those
controls operated effectively
• Testing the operating effectiveness of controls stated in the description to provide reasonable
assurance that the service organization achieved its service commitments and system requirements
based on the applicable trust services criteria
• Evaluating the overall presentation of the description.

Our examination also included performing such other procedures as we considered necessary in the
circumstances.

Inherent Limitations
The description is prepared to meet the common needs of a broad range of report users and may not,
therefore, include every aspect of the system that each individual report user may consider important to
meet their informational needs.

There are inherent limitations in the effectiveness of any system of internal control, including the
possibility of human error and the circumvention of controls.

Because of their nature, controls may not always operate effectively to provide reasonable assurance that
the service organization’s service commitments and system requirements are achieved based on the
applicable trust services criteria. Also, the projection to the future of any conclusions about the suitability
of the design and operating effectiveness of controls is subject to the risk that controls may become
inadequate because of changes in conditions or that the degree of compliance with the policies or
procedures may deteriorate.

Description of Tests of Controls
The specific controls tested and the nature, timing, and results of those tests are listed in section IV.

Opinion
In our opinion, in all material respects,

a. the description presents VMware Inc.’s vRealize system that was designed and implemented
throughout the period October 1, 2020 to September 30, 2021 in accordance with the description
criteria.

b. the controls stated in the description were suitably designed throughout the period October 1, 2020 to
September 30, 2021 to provide reasonable assurance that VMware Inc.’s service commitments and
system requirements would be achieved based on the applicable trust services criteria, if its controls
operated effectively throughout that period and if the subservice organization applied the
complementary controls assumed in the design of VMware Inc.’s controls throughout that period.

c. the controls stated in the description operated effectively throughout the period October 1, 2020 to
September 30, 2021 to provide reasonable assurance that VMware Inc.’s service commitments and
system requirements were achieved based on the applicable trust services criteria, if complementary
subservice organization controls assumed in the design of VMware Inc.’s controls operated effectively
throughout that period.

Restricted Use
This report, including the description of tests of controls and results thereof in section IV, is intended
solely for the information and use of VMware Inc., user entities of VMware Inc.’s vRealize system during
some or all of the period October 1, 2020 to September 30, 2021, business partners of VMware Inc. that
were subject to risks arising from interactions with VMware Inc.’s vRealize system, and practitioners
providing services to such user entities and business partners, who have sufficient knowledge and
understanding of the following:

• The nature of the service provided by the service organization
• How the service organization’s system interacts with user entities, business partners, subservice
organizations, and other parties
• Internal control and its limitations
• Complementary user entity controls and complementary subservice organization controls and how
those controls interact with the controls at the service organization to achieve the service
organization’s service commitments and system requirements
• User entity responsibilities and how they may affect the user entity’s ability to effectively use the
service organization’s services
• The applicable trust services criteria
• The risks that may threaten the achievement of the service organization’s service commitments and
system requirements and how controls address those risks

This report is not intended to be and should not be used by anyone other than these specified parties.

December 22, 2021
St. Louis, Missouri

Section II.
VMware, Inc.’s Assertion


VMware, Inc.
3401 Hillview Ave.
Palo Alto, CA 94304
(877) 486-9273 toll free
(650) 427-5000 main
(650) 427-5001 fax
www.vmware.com

VMware, Inc.’s Assertion

We have prepared the accompanying description of VMware, Inc.’s system titled “VMware, Inc.’s
Description of its vRealize System” throughout the period October 1, 2020 to September 30, 2021
(“description”), based on the criteria for a description of a service organization’s system in DC section 200,
2018 Description Criteria for a Description of a Service Organization’s System in a SOC 2® Report (AICPA,
Description Criteria) (“description criteria”). The description is intended to provide report users with
information about the vRealize system that may be useful when assessing the risks arising from interactions
with VMware, Inc.’s system, particularly information about system controls that VMware, Inc. has designed,
implemented, and operated to provide reasonable assurance that its service commitments and system
requirements were achieved based on the trust services criteria relevant to security and availability
(“applicable trust services criteria”) set forth in TSP section 100, 2017 Trust Services Criteria for Security,
Availability, Processing Integrity, Confidentiality, and Privacy (AICPA, Trust Services Criteria).

VMware, Inc. uses a subservice organization identified in section III to provide cloud hosting services. The
description indicates that complementary subservice organization controls that are suitably designed and
operating effectively are necessary, along with controls at VMware, Inc., to achieve VMware, Inc.’s service
commitments and system requirements based on the applicable trust services criteria. The description
presents VMware, Inc.’s controls, the applicable trust services criteria, and the types of complementary
subservice organization controls assumed in the design of VMware, Inc.’s controls. The description does
not disclose the actual controls at the subservice organizations.

We confirm, to the best of our knowledge and belief, that:

a. the description presents VMware, Inc.’s vRealize system that was designed and implemented
throughout the period October 1, 2020 to September 30, 2021, in accordance with the description
criteria.

b. the controls stated in the description were suitably designed throughout the period October 1, 2020 to
September 30, 2021 to provide reasonable assurance that VMware, Inc.’s service commitments and
system requirements would be achieved based on the applicable trust services criteria, if its controls
operated effectively throughout that period, and if the subservice organizations applied the
complementary controls assumed in the design of VMware, Inc.’s controls throughout that period.

c. the controls stated in the description operated effectively throughout the period October 1, 2020 to
September 30, 2021, to provide reasonable assurance that VMware, Inc.’s service commitments and
system requirements were achieved based on the applicable trust services criteria, if complementary
subservice organization controls assumed in the design of VMware, Inc.’s controls, operated effectively
throughout that period.

VMware, Inc.
December 22, 2021


Section III.
VMware, Inc.’s Description of its vRealize System


SYSTEM OVERVIEW
COMPANY BACKGROUND
VMware, Inc. (“VMware”) was founded on January 1, 1998 and currently has more than 31,000 employees
worldwide. VMware software powers the world’s complex digital infrastructure. The company’s cloud, app
modernization, networking, security, and digital workspace offerings help customers deliver applications on
cloud environments. With more than 500,000 customers and 55,000 partners, VMware provides
infrastructure, services, and cloud solutions to organizations of all sizes. Headquartered in Palo Alto,
California, with strategic business offices around the globe, VMware is committed to being a force
for good, from its breakthrough technology innovations to its global impact.

THE vREALIZE SERVICE

VMware vRealize services are a set of Software-as-a-Service (SaaS) based services that give
information technology (IT) administrators, DevOps engineers, and developers the ability to provision,
automate, manage and optimize the availability, cost, security and performance of their applications and
infrastructure across any cloud, both private and public. The following services together form the set
of vRealize services.

◼ VMware vRealize Operations Cloud™ – Unified management platform powered by artificial
intelligence (AI) to optimize, plan and scale hybrid and multi-cloud deployments, from apps to
infrastructure. The service delivers continuous performance, capacity and cost optimization,
intelligent remediation and integrated compliance through AI/Machine Learning and predictive
analytics.
◼ VMware vRealize AI Cloud™ – A component service, VMware vRealize AI Cloud resides inside
vRealize Operations Cloud to continuously tune the necessary parameters in VMware
infrastructure to improve performance dynamically.
◼ VMware vRealize Automation Cloud™ consists of the following component services:
o VMware Cloud Assembly™ – Cloud automation service purpose-built for provisioning and
managing workloads in software-defined data centers (SDDCs), VMware Cloud on AWS–
based clouds, and public clouds. Cloud Assembly offers infrastructure-as-code capabilities
to build, deploy, and iterate on applications with agile governance.
o VMware Code Stream™ – SaaS-based application release automation offering that helps
customers automate their continuous integration and continuous delivery processes. Code
Stream focuses on ease of release pipeline modeling, deep integration with other VMware
and non- VMware products such as VMware Cloud Assembly™, source code control
systems, and reporting through dashboards to help DevOps teams with deep visibility and
automation of the software release process.
o VMware Service Broker™ – Storefront for self-service consumption of ready-to-use
templates and services with guardrails. This collection of ready-to-consume cloud services
and templates is aggregated from multiple cloud platforms and providers. Service Broker
offers IT organizations a maintainable and controlled platform for brokering cloud services
and templates. With Service Broker, developers can acquire the tools or managed services
they need (e.g., cloud database) on demand, freeing them from day-to-day management
of these services, and allowing them to focus on their applications.
◼ VMware vRealize Log Insight Cloud™ – Log-based monitoring and troubleshooting service
purpose-built for SDDCs, VMware Cloud on AWS based clouds, and public clouds. vRealize Log
Insight Cloud offers administrators rapid IT troubleshooting and operational visibility across multiple
cloud environments, enabling IT teams to solve issues.



◼ VMware vRealize Network Insight Cloud™ – Network and security analysis service purpose-built
for SDDCs and public clouds. Network Insight provides network visibility and understanding of
traffic flows between applications to enable cloud security planning and network troubleshooting.
Best practices check, intuitive user interface (UI), and search simplify VMware NSX and public
cloud monitoring and administration, allowing for cloud administrators to manage and troubleshoot
NSX and public cloud deployments at scale.
◼ VMware vRealize Subscription Manager™ – VRCSM service manages your license consumption
across on-premise and cloud services. For on-premise products, vRealize Cloud Subscription
Manager integrates with vRealize Suite Lifecycle Manager to monitor the license consumption for
the corresponding license keys, and provides billing services for your vRealize Suite of products.

EXAMINATION SCOPE
The scope of this description is limited to vRealize, including the infrastructure, software, people,
procedures, and data that are managed by vRealize and excludes collector and proxy agents installed on
customer infrastructure.

In addition, there are certain controls that are operated and managed at the entity level by VMware
Corporate Operations (“Corporate Operations”). These Corporate Operations include relevant processes
and controls within the following domains:

◼ Access Control
◼ Asset Management
◼ Business Continuity Management
◼ Communications Security
◼ Compliance
◼ Human Resources
◼ Information Security Incident Management
◼ Organization of Information Security
◼ Physical and Environmental Security
◼ Risk Management
◼ Supplier Relationships
◼ System Acquisition, Development, and Maintenance
◼ System Monitoring
◼ Vulnerability Management



SERVICE COMMITMENTS AND SYSTEM REQUIREMENTS
The processes and procedures managed by vRealize are implemented to help ensure the security and
availability of its service offering. VMware communicates its commitments through its master hosted
services terms with customers during the contractual agreement process. The master hosted services
terms are specific to the services purchased by the customer. Additionally, system requirements and
associated details are published on VMware’s website. VMware makes the following commitments
regarding the security and availability of information within service level agreements (“SLAs”) and the
system description posted on the VMware website:

◼ VMware will protect the information systems used to deliver the service offering over which VMware
has sole administrative level control.
◼ VMware will monitor for security events involving the underlying infrastructure servers, storage,
networks, and information systems used in the delivery of the service over which VMware has sole
administrative control. This responsibility stops at any point where the customer has some control,
permission, or access to modify an aspect of the service.
◼ VMware will maintain the systems used to deliver the service, including the application of patches
for the target systems.
◼ VMware will perform routine vulnerability scans to surface risk areas for the systems used to deliver
the service offering and address vulnerabilities in a timely manner.
◼ VMware will configure production systems to support continuous availability for the VMware
vRealize services system and will follow the pre-defined response commitments for the cloud
offerings.
In accordance with VMware’s assertion and the description criteria, the aforementioned service
commitments and requirements are those principal service commitments and requirements common to the
broad base of users of the system and may therefore not fully address the specific service commitments
and requirements made to individual system users.



COMPONENTS OF THE SYSTEM
INFRASTRUCTURE
The vRealize production system is operated by VMware but hosted in Amazon Web Services (“AWS”) in
the below locations. The production system includes the related AWS services as indicated below.

KEY AWS SERVICES | DESCRIPTION | OPERATING SYSTEM PLATFORM | PHYSICAL LOCATION
Elastic Kubernetes Service (EKS) | SaaS based services that enable IT administrators, DevOps engineers, and developers, the ability to provision, automate, manage and optimize their applications and infrastructure. | Linux | AWS
Elastic Compute Cloud (EC2) | Application, web, and bastion host servers supporting the vRealize services. | Linux | AWS
Relational Database Service (RDS) | Allows a user to set up, operate, and scale a relational database in the cloud while managing database administration tasks. | N/A | AWS
Virtual Private Cloud (VPC) | Allows VMware to provision a logically isolated section of the AWS cloud where it can launch AWS resources in a virtual network. | N/A | AWS

AWS regions - us-west-2, ca-central-1, ap-southeast-1, ap-southeast-2, eu-central-1, eu-west-2, sa-east-

In addition, VMware has its corporate headquarters and corporate data center in the following locations that
support, and are managed by, VMware Corporate Operations:

COMPONENT | DESCRIPTION
Corporate Data Center | VMware owned and managed data center supporting Corporate Operations is in the following location: Wenatchee, Washington
Operations Support | The VMware global headquarters is located in Palo Alto, California. Additional offices are located throughout North America, Europe, Asia Pacific, Latin America, the Middle East, and Africa.

The VMware owned data center hosts certain corporate infrastructure used to support VMware’s suite of
cloud services and products. This includes authentication and networking infrastructure such as Active
Directory as well as internal tooling supporting the central security monitoring function. In addition, VMware
makes use of colocation data centers located globally to support its corporate infrastructure and provide
edge location and networking services. These global colocation data centers are not included in the scope
of this report.

SOFTWARE
The following table details the key software and network components, which support vRealize:

COMPONENT | DESCRIPTION
Jira | A highly customizable tool for agile software development used to log and track progress for bugs, tasks, features, and other projects.
GitLab | Administers a complete continuous integration and deployment service that is delivered as a single application enabling DevOps to manage and maintain the software development lifecycle.
Confluence | Management tool for product and technical documentation.
ServiceDesk | Ticket tracking system for any production requests/complaints from customers.
Wavefront | Application performance monitoring used for tracking and monitoring the health of backend services by real-time monitoring of metrics and triggering alerts for specific thresholds.
DynaTrace | AI-based application performance monitoring to track the health and performance of services and software components and provide tracing to debug issues.
Incapsula | Security monitoring application used to provide web application security, distributed denial-of-service (DDoS) mitigation, content caching, application delivery, load balancing and failover services.
Gerrit | Highly extensible and configurable tool for web-based code review and repository management for vRealize repositories. Serves as gated check-in tool for vRealize services.
VMware Code Stream™ | VMware Code Stream is a continuous integration and continuous delivery (CICD) tool, used to manage and deploy code.
Nirvana | Resource management solution for monitoring vRealize Network Insight and automated access management.
LogInsight | Log-based monitoring and troubleshooting service.


The following table details the key Corporate software and network components, which support vRealize
service:

COMPONENT DESCRIPTION

Active Directory Active Directory (AD) is a directory service used for VMware’s corporate
network domain.

AccessNow (Saviynt) AccessNow is a central ticketing system for tracking and documenting
access requests and approvals.

VMware CloudGate VMware proprietary cloud delivered service orchestration and


authentication tool.

Confluence Confluence is a corporate wiki where internal personnel can collaboratively


store and share documents.

GlobalProtect The GlobalProtect VPN enables authorized personnel to remotely connect


to the internal corporate network.

HelpNow HelpNow is a homegrown internal ticketing system.

Hive Learning Hive is the learning management system (LMS) utilized to manage and
deliver educational courses as well as track training completion for
employees, contractors, and applicable third parties.

Nessus (Tenable, Inc.) Vulnerability scanning solution.

Nlyte Nlyte software is used to manage the inventory of physical assets in
VMware’s on-premise data centers.

Palo Alto Networks Palo Alto Networks firewall systems are in place to filter and restrict
unauthorized inbound traffic to the corporate network.

RSA Archer Platform RSA Archer is a risk and compliance platform used to centrally store and
manage the regular review of VMware’s business continuity plans, risk
assessment results, and risk mitigation activities.

Splunk Splunk is a software platform used for monitoring, identifying, and tracking
security events.

VMware Carbon Black VMware Carbon Black provides enterprise endpoint detection and
response.

VMware Workspace ONE Unified Endpoint Management (UEM) Workspace ONE UEM is the Mobile Device
Management Solution installed on corporate and personal mobile devices that access company
information. Workspace ONE provides controls to manage mobile device security and
configuration management.

Workday Workday is a human resource management (HRM) system utilized to
support recruiting, employee onboarding, talent management, and other
human resource functions.

PEOPLE
vRealize is managed by the following teams:

TEAM DESCRIPTION

vRealize Executive Management Responsible for overseeing company-wide activities, establishing and
accomplishing goals, and overseeing objectives.

vRealize Technical Operations Responsible for managing the Platform infrastructure and leading the
development and maintenance of system and network security. Provides
support for the Platform, first response for system and network issues, and
performance monitoring.

vRealize System Engineering Responsible for automation, development, system test plans and testing,
and risk analysis.

vRealize Security Engineering Responsible for implementing, testing, and overseeing vRealize’s
information security program to protect information, prevent unauthorized
access, and respond to security incidents, vulnerabilities, and risks. Works
with VMware central security teams to perform an annual risk assessment.

vRealize Support and Services Responsible for assisting vRealize’s customer experience and
implementation engagements, and provides global 24x7 support and
professional services to vRealize customers.

The vRealize service is supported by the following Corporate teams:

TEAM DESCRIPTION

Executive Management Responsible for overseeing company-wide activities, establishing and
accomplishing goals, and overseeing objectives.

Human Resources Responsible for human resources (HR) policies, practices, and processes
with a focus on key HR department delivery areas (e.g. talent acquisitions,
pre-employment screening, employee retention, compensation, employee
benefits, performance management, employee relations and training, and
development).

Security and Resiliency Responsible for managing the enforcement, development, and
maintenance of information security policies and standards to help ensure
VMware Information Assets are preserved in a secure environment, in
accordance with generally accepted best practices, focusing on VMware
business and risk objectives.

Risk Management Responsible for managing the annual performance of risk assessments,
maintenance of a centralized risk register, and tracking and reporting of risk
mitigation activities throughout the organization.

Enterprise Resiliency Business Continuity Responsible for managing the organization’s overall approach
to business continuity, including the annual performance of Business Impact
Assessments and testing and maintenance of Business Continuity Plans for
VMware lines of business.

Security Operations Center Responsible for intake of reported security events, including gathering,
triaging, and providing first response. Security incidents are escalated to
the VMware Security Incident Response Team.

Security Incident Response Team Responsible for centrally managing all information security incidents for
VMware, including ensuring proper collection of evidence, coordinating
cross-functional incident teams, and developing effective response
strategies for incident remediation.

Red Team Responsible for performing penetration testing for VMware products and
services, including tracking and escalation of remediation of test findings.

Data Center Operations Responsible for managing the operations of VMware data center facilities,
including reviewing and approving physical access and maintaining an
inventory of physical assets.

Facilities Team Responsible for performing regular equipment maintenance and managing
the building management system for VMware data center facilities.

Global Support Services Responsible for handling customer support issues and inquiries.

Colleague Support Team Responsible for the distribution, replacement, and collection of VMware-
issued end user devices.

PROCEDURES
VMware has established policies and procedures to support the achievement of its service commitments
and the applicable AICPA Trust Services Categories and Criteria for Security and Availability.1 These
policies and procedures include guidance for how the service is designed and developed, how the
system is operated, how the internal business systems are managed, and how employees are hired and
trained. In addition to these policies, standard operating procedures have been documented on how to
carry out specific processes required in the operation and development of the service.

The Corporate Information Security Policies & Procedures are defined, approved, published, and
communicated to users and relevant third parties. These documents are stored in a central repository
accessible to employees and other appropriate staff and define the roles and responsibilities for the
information security program. The information security policies are reviewed, updated, and approved at
least annually to help ensure their continuing suitability and effectiveness.

1 The AICPA Trust Services Categories consist of Security, Availability, Confidentiality, Processing Integrity, and
Privacy. The Security Category provides criteria to assess whether information systems are protected against
unauthorized access, unauthorized disclosure of information, and damage to systems that could compromise its
information or systems and affect the entity’s ability to meet its objectives. The Availability Category provides criteria to
assess whether information and systems are available for operation and use to meet the entity’s objectives.

DATA
VMware has established a Data Classification Policy which documents the various data classification
criteria. This policy is reviewed and approved by management annually and communicated to internal
personnel. In addition, the Data Handling and Protection Standards define procedures for handling
information assets based on their classification, including requirements for media disposal.

The VMware vRealize Service’s processing of data is highly dependent on the specific Controller configuration,
including but not limited to console configuration, integration of Controller-maintained infrastructure,
connection to external VMware and other vendors’ systems, deployment of Controller procured/owned and
VMware mobile applications, etc. vRealize services collect various data attributes regarding a user entity’s
environment, including but not limited to object host names, types, metrics, properties, tags, IP addresses,
etc. vRealize services do not retain customer data as it relates to personally identifiable information.

RELEVANT ASPECTS OF THE CONTROL ENVIRONMENT, RISK
MANAGEMENT, MONITORING, AND INFORMATION AND COMMUNICATION
As defined by the American Institute of Certified Public Accountants (“AICPA”), internal control is a process
affected by an entity’s Board of Directors, management, and other personnel. Internal control consists of
five interrelated components:

◼ Control Environment: This sets the tone of an organization, influencing the control consciousness
of its people. It is the foundation for all other components of internal control, providing discipline
and structure.
◼ Risk Management: This is the entity’s identification and analysis of risks relevant to the
achievement of its objectives, forming a basis for determining how the risks should be managed.
◼ Monitoring: The entire internal control process must be monitored, and modifications are made as
necessary. To support modifications, the systems react dynamically and change as conditions
warrant.
◼ Information and Communication: Surrounding these activities are information and
communication systems. These enable the entity’s people to capture and exchange information
needed to conduct and control the entity’s operations.
◼ Control Activities: Control policies and procedures must be established and executed to help
ensure that the actions identified by management are completed as necessary to address risks for
achievement of the entity’s control objectives.
Set out below is a description of the components of internal control related to vRealize and VMware
Corporate Operations that may be relevant to customers.

CONTROL ENVIRONMENT
The control environment at VMware is the foundation for the other areas of internal control. It sets the tone
of the organization and influences the control consciousness of its personnel. It includes standards for
integrity and ethical values, management’s commitment to competence and accountability, the
organizational structure, assignment of authority and responsibility, and the oversight and direction
provided by the Board of Directors and operations management.

Integrity and Ethical Values
The effectiveness of controls cannot rise above the integrity and ethical values of the people who create,
administer, and monitor them. Integrity and ethical behavior are the product of the company’s ethical and
behavioral standards as well as the communication and enforcement of the standards in practice.
Management has documented a code of business conduct and ethical standards, which includes a
sanctions policy for violations. Employment agreements and contractual agreements, which include
compliance with the code of business conduct, responsibilities for information security, and confidentiality
commitments, are communicated to and acknowledged by staff upon hire. Additionally, an ethics reporting
service is available to employees and the public for reporting suspected misconduct that is inconsistent
with the law or VMware’s policies and values.

Board of Directors and Audit Committee Oversight
The control consciousness of VMware is influenced significantly by the entity’s Board of Directors and the
Audit Committee. The Board of Directors consists of a majority of independent members with defined
qualifications and responsibilities as per the Board of Directors Corporate Governance Guidelines.

On a quarterly basis, senior management meets with the Board of Directors to review business objectives,
company initiatives, resource needs, and risk management activities, including results from internal and
external assessments. Additionally, on an annual basis, the Chief Security Officer (“CSO”) reports to the
Audit Committee on information security matters and concerns.

Organizational Structure and Assignment of Authority and Responsibility
The VMware organizational structure provides the framework within which its activities for achieving entity-
wide objectives are planned, executed, controlled, and monitored. Organizational charts are in place to
communicate the defined key areas of authority, responsibility, and lines of reporting to personnel related
to the design, development, implementation, operation, maintenance, and monitoring of the system. These
charts are communicated to employees via the company intranet and updated as needed.

Commitments to Competence and Accountability
Hiring Process and Background Checks
During the hiring process, job descriptions are defined to note the skills, responsibilities, and knowledge
levels required for the position. Defined hiring procedures include verification that candidates possess the
required qualifications to perform the duties defined in the relevant job description. Additionally, Global HR
Services helps ensure that background checks are performed for new hires in accordance with local and
regional laws and regulations, and the results of the screenings are evaluated to determine employment
eligibility.

Training & Awareness
Upon hire, VMware employees and contractors receive code of business conduct and security awareness
trainings. Refresher trainings are completed annually thereafter, and an escalation process is in place to
help ensure compliance with the training schedule. The security awareness program has been implemented
to equip personnel with the guidance necessary to support VMware security policies during the course of
their work. On an ongoing basis, continuing education and training are also provided to help ensure that
the skills and technical competency of employees and contractors are developed and maintained.

Performance Reviews
Management has developed a formal process to evaluate and discuss employee performance. In addition,
low performance is identified in performance reviews and plans to improve employee performance are
documented and tracked.

Policies and Procedures
Corporate policies and procedures are documented, reviewed, and communicated via internal sites
accessible to VMware personnel. Defined policies and procedures include but are not limited to:

◼ Information Security Governance Policy
◼ Human Resources Information Security Policy
◼ Board of Directors Corporate Governance Guidelines
◼ Code of Business Conduct
◼ Acceptable Use Policy
◼ Access Control Policy
◼ Authentication and Password Policy
◼ Security Incident Management Policy
◼ Third-Party Risk Management Policy
◼ Change Management Policy
◼ System Acquisition, Development & Maintenance Policy
◼ Physical Security Policy
◼ Asset Management Policy
◼ Data Classification Policy
◼ Data Handling and Protection Standards
◼ Encryption Policy

RISK MANAGEMENT
Organizational Risk Assessment
A framework is defined for VMware’s overall approach to IT risk and control, which includes a
comprehensive strategy to manage risk, implementation of the risk management strategy consistently
across the organization, regular review of the strategy to address organizational changes, and criteria for
determining whether risks can be accepted.

VMware considers significant interactions between itself and relevant external parties and risks that could
affect the company’s ability to provide reliable service to its user entities. Annually, key members of
management and operational teams perform a risk assessment, including consideration of fraud risk.
Overall risks to the organization are identified, ranked, and documented within a centralized risk register.
Risk mitigation strategies for the risks identified are assigned to mitigation owners and tracked to completion
by the Security and Resiliency Risk Management team.

Cloud Services Risk Assessments
Additionally, annual risk assessments are performed for each of VMware’s cloud services to identify risks
specific to the continued delivery of services to customers. Risk mitigation strategies are defined, assigned
to appropriate personnel, and tracked to completion.

MONITORING
VMware has defined an internal control framework to achieve its service commitments and the applicable
criteria related to security and availability. On an annual basis, management reviews and updates, as
necessary, the control framework to meet the applicable standards and requirements relevant to VMware.
To monitor the quality of internal control performance, management selects, develops, and performs
ongoing and/or separate internal evaluations to ascertain whether the components of internal control are
present and functioning. The organization’s approach to managing information security and its
implementation are further reviewed by an external, independent party at planned intervals or when
significant changes occur. The findings of these efforts are utilized to identify follow-up actions,
improvements, and modifications to subsequent evaluations as necessary.

INFORMATION AND COMMUNICATION
Internal Communication
VMware has implemented various methods of communication to help ensure that employees understand
their individual roles and responsibilities for the achievement of security and availability. Information security
policies and procedures, with defined roles and responsibilities, are reviewed by management on an annual
basis and stored in a central repository accessible to VMware internal personnel. Information is further
communicated via the annual security awareness training, email for time-sensitive information, the internal
wiki, posted organizational charts, and the public, external channels noted below.

External Communication
VMware has implemented various methods of communication to help ensure that customers understand
their roles and responsibilities for the achievement of security and availability. These methods include
service descriptions posted to the VMware website (https://www.vmware.com/download/eula.html) and the
use of email to communicate time-sensitive information. The status of services, scheduled maintenance,
and incidents are also communicated to customers via a VMware status page on the public website.
Similarly, release notes for new features, improvements, and bug fixes within major product releases are
published on the VMware website. If customers have inquiries or require additional support, customer
support lines are available 24/7 for severity 1 issues as well as online access to documentation, resources,
and discussion forums.

CONTROL ACTIVITIES
Access Control
A formal process has been established for managing user accounts and controlling access to the vRealize
production system. In the event that a new employee is hired, the hiring manager or an HR team member
completes a new user checklist to request user access for the new employee. Access is provisioned once
the checklist is reviewed and approved by IT personnel. Existing employees who require access changes
are required to ask their manager to submit an access authorization request for approval. Employees are
required to complete security awareness training upon hire in order to guide personnel to meet their
obligations and responsibilities in accordance with corporate and business unit security policies. Security
awareness training is repeated for active employees on an annual basis. vRealize uses AccessNow to
grant access to production systems.

Newly hired employees must also acknowledge their adherence to VMware’s code of conduct on an
annual basis. Background checks are performed for employees during the onboarding process. Upon
notification of employee termination, an automated process revokes corporate system access for
employees as a component of the employee termination process. Production system access is revoked for
employees as a component of the employee termination process and is managed by the system owners.

Users access production systems through AccessNow, which is integrated with VMware Active
Directory. Users request access for the appropriate role, and there is an approval process in place to grant
the access.

The production environment is segmented from other non-critical environments to help ensure that
confidential data is isolated from unrelated networks. An encrypted VPN is required for remote access to
help ensure the security and integrity of the data passing over the public network. Security groups and
firewall rulesets are in place to filter unauthorized inbound network traffic from the Internet and configured
to deny any type of network connection that is not explicitly authorized by a rule. Web servers utilize
transport layer security (TLS) encryption for web communication sessions. An intrusion detection system
(IDS) is used to analyze and report network events and to block suspected or actual network security
breaches.

Access control policies and procedures are maintained to define responsibilities and actions for granting,
monitoring, and revoking account access and privileges to system resources. Requests for new or modified
access must be approved by authorized personnel before access is provisioned, and upon termination,
employee access to production systems is revoked via a formalized and documented process.

VMware Corporate Operations has deployed AccessNow (Saviynt) to manage user access and
authentication across various cloud services and products they offer. For onboarded systems, access
requests, approvals, and access revocation upon termination are tracked in this centralized access
management system which is integrated with Active Directory to provide role-based access to cloud
services’ infrastructure and resources based on group membership. All access provisioning requests are
approved by the associated application or environment owner. A daily job is configured to run between
AccessNow and WorkDay to revoke access to any users terminated from VMware.

VMware utilizes an internal application called CloudGate for users to authenticate to their cloud hosting
provider accounts, such as AWS. CloudGate is a single interface, providing access control and visibility
into VMware service teams’ cloud accounts. CloudGate provisions and centrally manages the cloud
account configurations through approved baseline scripts / templates and automated jobs that help ensure
consistent configurations and security considerations (e.g. logging enabled, password
configurations, etc.) orchestrated across the cloud accounts. CloudGate is also integrated with AccessNow
to map role-based access provisioned through AccessNow to roles that can be assumed in cloud accounts
by VMware service teams. The primary goal of CloudGate is to provide a better solution for access control
and inventory management across multiple cloud accounts.

Authentication and Passwords
The Authentication & Password Policy defines the essential authentication practices necessary to access
VMware Information Assets. Passwords must meet or exceed the following parameters:

◼ Passwords shall not repeat the last four previous passwords used.
◼ Passwords shall meet the criteria for “strong password” and be difficult for attackers to uncover.
Cryptographic techniques such as entropy shall be used as a basis for password strength (i.e.
contain a combination of letters, numbers, and symbols based on system functionality).
◼ User account passwords must have a minimum of 12 characters and are changed every 180 days.
◼ Service account or resource account passwords must have a minimum of 19 characters and are
changed every 365 days (90 days for FTP service accounts).
◼ Administrator or privileged account passwords must have a minimum of 19 characters and are
changed every 90 days.
◼ Customer account passwords must have a minimum of 8 characters.

Additionally, in order to remotely access the corporate VMware network and network services, personnel
must connect through the use of an encrypted VPN (virtual private network) and multi-factor authentication.
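The following is an added example, not VMware's code, of how the password parameters above can be enforced programmatically: per-account-kind minimum lengths and rotation intervals, a history check against the last four passwords (compared as salted hashes rather than plaintext), and an entropy estimate as the strength basis. The 40-bit entropy floor, the PBKDF2 parameters and the account data model are assumptions made for this illustration; the policy states no number for entropy.

```python
"""Password-policy checker built from the parameters listed above.

Added example, not VMware's code. Account kinds, minimum lengths,
rotation intervals and the four-password history depth come from the
bullet list; the 40-bit entropy floor, the PBKDF2 parameters and the
data model are assumptions made for this illustration.
"""
import hashlib
import hmac
import math
import os
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional, Tuple

# (minimum length, maximum age in days) per account kind, from the policy text.
POLICY = {
    "user": (12, 180),
    "service": (19, 365),
    "ftp_service": (19, 90),
    "admin": (19, 90),
    "customer": (8, None),  # the policy states no rotation interval for customers
}
HISTORY_DEPTH = 4        # "shall not repeat the last four previous passwords"
MIN_ENTROPY_BITS = 40.0  # assumed floor; the policy names entropy but gives no number
PBKDF2_ROUNDS = 100_000  # assumed; history entries are stored hashed, never in clear


def estimate_entropy_bits(password: str) -> float:
    """Crude brute-force entropy estimate: len * log2(size of the character
    pool actually used). Enough to reject single-class passwords; it does
    not detect dictionary words or repeated characters."""
    pool = 0
    if any(c.islower() for c in password):
        pool += 26
    if any(c.isupper() for c in password):
        pool += 26
    if any(c.isdigit() for c in password):
        pool += 10
    if any(not c.isalnum() for c in password):
        pool += 33  # printable ASCII punctuation
    return len(password) * math.log2(pool) if pool else 0.0


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-SHA256 so the history check never needs plaintext."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


@dataclass
class Account:
    kind: str
    last_changed: date
    # (salt, digest) pairs, oldest first; only the last HISTORY_DEPTH are kept.
    history: List[Tuple[bytes, bytes]] = field(default_factory=list)


def check_new_password(account: Account, candidate: str) -> List[str]:
    """Return the policy violations for a proposed password (empty == compliant)."""
    min_len, _ = POLICY[account.kind]
    problems = []
    if len(candidate) < min_len:
        problems.append(f"length {len(candidate)} below minimum {min_len} for {account.kind} accounts")
    bits = estimate_entropy_bits(candidate)
    if bits < MIN_ENTROPY_BITS:
        problems.append(f"estimated entropy {bits:.1f} bits below {MIN_ENTROPY_BITS:.0f}")
    # Re-derive the candidate with each stored salt and compare in constant time.
    for salt, digest in account.history[-HISTORY_DEPTH:]:
        if hmac.compare_digest(hash_password(candidate, salt)[1], digest):
            problems.append(f"reuses one of the last {HISTORY_DEPTH} passwords")
            break
    return problems


def rotation_due(account: Account, today: date) -> bool:
    """True when the account's password is older than its kind allows."""
    _, max_age = POLICY[account.kind]
    if max_age is None:
        return False
    return today - account.last_changed >= timedelta(days=max_age)


def set_password(account: Account, candidate: str, today: date) -> List[str]:
    """Apply the policy; on success record the new hash and the change date."""
    problems = check_new_password(account, candidate)
    if problems:
        return problems
    account.history.append(hash_password(candidate))
    account.history = account.history[-HISTORY_DEPTH:]
    account.last_changed = today
    return []
```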

Asset Management
vRealize utilizes AWS services like EKS and EC2 for their service assets. The EKS and EC2 control planes
act as the most up to date inventory of these assets. Nirvana is also used for asset management. Assets
are assigned an owner.

Business Continuity Management
Business Impact Assessments (“BIA”) are performed on at least an annual basis for operational lines of
business to identify critical functions and requirements for business continuity. The results of the BIAs are
documented and used to inform the development of defined Business Continuity Plans (“BCP”) for each
operational line of business.

In July 2021, VMware approved a policy exception related to the testing of BCPs as a result of the continued
response to the COVID-19 pandemic. The policy exception reflected the fact that the company is operating
in a remote manner and exercising aspects of its BCP as part of the COVID-19 pandemic response.

Further, vRealize maintains disaster recovery plans for various scopes of potential disaster or failure
scenarios. VMware has implemented policies and procedures to guide personnel in recovering from a
disaster. Procedures document each step of the scheduling, monitoring, quality assurance (QA), and
restoration processes, as well as the roles and responsibilities. Plans are tested at various times throughout
the year, either through gameday exercises or geo expansions. Game-day activities consist of backup-
restores and planned fire drills. Geo-expansion activities consist of creating new environments in new AWS
regions.

Communications Security
vRealize utilizes AWS Key Management Services (“KMS”) to securely store and control access to
cryptographic keys. KMS is an AWS managed encryption service that securely generates and protects
cryptographic keys and allows other AWS services and applications to utilize those keys to encrypt data.
Customer data is stored in AWS RDS and is encrypted by AWS. Data backups are stored in encrypted
AWS S3 buckets.

For encryption in transit, web servers utilize transport layer security (“TLS”) encryption for web
communication sessions. Data is transmitted using TLS v1.2 or higher over public networks with valid
certificates that are signed by Certificate Authorities such as those provided by AWS. vRealize uses a
combination of AWS Security Groups, AWS VPCs and AWS Network Access Control Lists to restrict traffic
inbound and outbound.

Corporate Firewall
Firewalls are configured to restrict inbound traffic to and outbound traffic from the corporate environment
using a central administration console.

Endpoint Security
The VMware Acceptable Use Policy defines employee responsibilities and boundaries regarding the use
of technology and information systems. To protect employee workstations with access to VMware
information and information systems, mobile device management and anti-malware software are installed
on corporate endpoints.

Mobile Device Management
Workspace ONE UEM is a mobile device management solution that is pre-installed on all corporate
endpoint devices with access to VMware information and information systems. Each system enrolled in
UEM is fully encrypted and can be wiped remotely by VMware IT if needed. The UEM software also enables
VMware IT to implement policies to secure, monitor, and manage end-user mobile devices.

Anti-Malware
Enterprise anti-malware (Carbon Black) is installed and maintained on all user endpoint devices to provide
protection against the installation of malicious software.

Physical and Environmental Security
Physical Access Control
Access to the VMware owned data center is managed through a centralized application and can only be
provisioned by authorized administrators. Upon termination, physical access to data center facilities is
deprovisioned in a timely manner. Additionally, the Data Center Operations team reviews physical access
to data center facilities for appropriateness on a quarterly basis. Access flagged for removal is revoked in
a timely manner. In addition, an automated job disables physical badge access to the data center for
employees terminated on Workday on at least a daily basis.

Security and Maintenance
The Physical Security Policy defines physical and environmental security measures to protect information
systems, personnel, and physical assets, including a clear desk and clear screen policy. At VMware data
center facilities, physical security measures have been implemented such as controlled badge access,
biometric readers, and video surveillance to restrict physical access to authorized individuals. To protect
the physical assets within data centers, environmental controls are in place, including HVAC controls, fire
detection and suppression systems, and uninterruptible power supply (UPS) units to provide protection
from power failures. Maintenance is performed by the Facilities team as needed and is documented to help
ensure the continued availability and integrity of equipment.

System Acquisition, Development and Maintenance
VMware has developed formal policies and procedures to guide personnel over the change management
process. Policies require that, as necessary, changes are documented, authorized, tested, and approved
prior to their implementation. Changes can consist of updates or modifications to the VMware vRealize
system or changes to the cloud hosting infrastructure. Changes to databases are made, as needed, as part
of the application change management process.

The Agile methodology is utilized to govern change management procedures. Development and testing
efforts occur in a logically separate environment and are performed in scheduled sprints. Software and
infrastructure changes made to in-scope systems are authorized, tested, and approved prior to
implementation. An automated ticketing system and internal wiki pages are used to document and track
change efforts, milestones, and formal approvals.

A source code repository is utilized to track change approvals and provide version control to help ensure
the ability to roll back to previous iterations. When ready, changes are compiled to await promotion to
production in a separate staging environment. Automated scripts are executed to promote changes to a
production repository which becomes the basis for new client environments or updates to existing
environments. Automated scripts are also used to pull from this production repository when making changes
to a client production environment. The ability to execute these scripts is restricted to authorized personnel.
Known issues and uptime status of the VMware vRealize system are communicated to internal and external
users through the company website and a public facing status page.

Server hardening is accomplished via the use of AWS Linux AMIs, which are hardened per industry
standards. The Kubernetes environment utilizes hardened Photon O/S images, which are also continually
updated through releases as new vulnerabilities are identified.

Configuration management is accomplished through the use of infrastructure as code, which helps ensure
that servers and containers are configured per hardening standards.

Corporate Change Management
Baseline server configuration is managed as code and through GPO policy, and all changes follow
VMware’s change management procedures. This centralized management of server configurations helps
ensure consistent builds and reconfigures servers that experience drift in their configurations.

Infrastructure changes to corporate resources follow VMware’s Change Management Policy. These changes
are documented and approved prior to implementation into production.

System Monitoring
IT operations personnel utilize enterprise monitoring systems to monitor the performance and availability of production systems and associated devices. The monitoring applications are configured to automatically create incidents in the Jira ticketing system based on predefined security levels and are configured to alert IT operations personnel via e-mail and PagerDuty when predefined thresholds are exceeded. Management holds a capacity management meeting on a weekly basis to review availability trends.

VMware has developed and implemented a formal incident management and resolution process used to manage various types of incidents from customer complaints to security events. These processes are documented in formal incident response and escalation policies and procedures which are posted on the VMware intranet via the Atlassian Confluence tool for reference by personnel. Information security personnel perform vulnerability assessments on at least a quarterly basis. Documented escalation procedures are located on the intranet for reference by employees as needed. Operations personnel utilize an automated ticketing system to manage system incidents, response, and resolution. Incidents requiring a change to the system follow the standard change management process.

VMware, Inc. Confidential - vRealize / 23

To further help ensure the security of the system, antivirus software is installed on workstations and
configured to scan and monitor for updates to virus definitions and update registered clients on a daily
basis. The antivirus software is also configured to perform on-demand scans (whenever users access files)
for any new files installed on workstations.

vRealize performs ongoing monitoring to help ensure that risks are evaluated on a continuous basis.
Specifically, administrative access is logged and monitored on production systems. These logs are
forwarded to a centralized monitoring tool for evaluation of malicious activity.

vRealize forwards all CloudTrail logs to both the VMware Security Operations Center (“SOC”) and to the
LogInsight tool for monitoring of malicious activity. Security events are triaged and tracked to remediation.
Any security event deemed to be a security incident is escalated to the SOC Team for formal investigation
and remediation.

Security Incident Management

Incident Management Policies and Procedures
An effective security incident management process is essential in order to manage security incidents,
determine their scope and risk, respond appropriately, communicate the results and risks to appropriate
stakeholders, and reduce the likelihood of the incident reoccurring. Incident response policies and
procedures are defined, reviewed, and approved by management at least annually, and communicated to
all employees. The policies and procedures include management responsibilities as well as procedures for
monitoring, detecting, analyzing, reporting, and responding to information security events.

Incident Reporting
Information security events are monitored 24/7 and reported to the central VMware SOC for triage.
Employees and contractors are made aware of their responsibility to report information security events in a
timely manner as documented in the Security Incident Management Policy. For both internal and external
personnel, reporting mechanisms exist to report vulnerabilities, weaknesses, or issues.

Incident Response
Cloud application logs (e.g. CloudTrail, GuardDuty, etc.) and corporate network logs (e.g. firewalls, IDS
etc.) are ingested into the centralized security monitoring solution. Alerts are configured to identify security
events which are assessed and assigned priority levels by the Security Operations Center and escalated
to the VMware Security Incident Response team (“vSIRT”) as needed. vSIRT will then manage information
security incidents in accordance with the defined Security Incident Management Procedures, ensuring that
they are responded to and investigated, tracked in an internal ticketing system until closure, and
communicated to appropriate personnel. Lessons learned summaries are documented and used to reduce
the likelihood or impact of future incidents.

System Availability
vRealize has implemented policies and procedures to guide personnel in performing data backups and
data restoration. Procedures document each step of the scheduling, monitoring, quality assurance (“QA”),
and restoration processes, as well as the roles and responsibilities. Production systems are configured to
support continuous availability through the use of multiple regions and availability zones.

VMware performs daily full backups of VMware vRealize system and data files to Amazon Simple Storage
Service (S3). The backup system records the results of each backup job as well as the associated date,
duration, and size of the data backup. The backup system is configured to automatically send e-mail
notifications to IT operations personnel for failed backup jobs via an automated tool. Further, data stored
within AWS includes cross-region replication which automatically replicates the data across different AWS
regions. If one availability zone were to fail, AWS has built-in redundancy to another zone within the same
or different region.

Additionally, the backup system simultaneously generates e-mail notifications and generates a ticket in the
Jira service management ticketing system to help ensure that issues are resolved and backups are
completed. Administrative access privileges to backup systems and data are restricted to user accounts
accessible by authorized personnel. The automated backup systems are configured to encrypt backup
media. IT operations personnel perform backup media restores on a quarterly basis to verify that system
components can be recovered from system backups.

Application and infrastructure metrics are captured. Scale-performance testing is performed for every
feature and infrastructure is provisioned to meet the requirements of scale.

Supplier Relationships
Third-Party Risk Management Policy
A Third-Party Risk Management Policy is documented and available to guide personnel to monitor and
review third-party service providers. The document is reviewed on an annual basis.

Contract Terms and Review of Third-Party Examination Reports
Information security, availability, and confidentiality requirements, as required, are established and agreed
upon with each service provider that may access, process, store, communicate, or provide IT infrastructure
components for the organization’s information. Management reviews third-party examination reports for
subservice organizations.

Risk Assessment and Security Questionnaire
VMware conducts assessments of its service providers using a risk-based approach. Service providers are
assigned a criticality based on supplier category and other metrics. Critical service providers undergo
further evaluation utilizing a detailed security questionnaire that is reviewed and assessed by the Third-
Party Risk Management team. Open issues are tracked to resolution and the final assessment results are
communicated to the business owners. The status of the service provider assessments is reviewed and
communicated weekly.

Vulnerability Management
Penetration Testing - vRealize
Penetration tests are performed at least annually for the vRealize service. Upon completion of the
penetration test, a summary report is generated, and any findings identified are documented and tracked
to remediation.

Additionally, vRealize utilizes code scan software as part of their continuous integration pipelines that scans
code for vulnerabilities on every code commit. Any vulnerability found is addressed as a must-fix issue in
the monthly releases. EC2 nodes use the base Linux AMI from AWS and are subjected to hardening. EKS
containers use Photon OS as the base image, for which vulnerabilities are routinely fixed.

Penetration Testing – Corporate Network
Penetration tests are performed at least annually for all VMware products and services by the centralized
VMware Red Team. Upon completion of the penetration test, the Red Team prepares a summary report
and assigns findings for remediation to appropriate product personnel. An escalation workflow is defined
and in place to help ensure timely remediation of vulnerabilities identified.

Vulnerability Ingestion and Remediation
Internal and external vulnerability scans are performed on VMware services on at least a monthly basis.
Results are generated and ingested by the central vulnerability scanning team into a ticketing system for
review and triage. Identified vulnerabilities are communicated to the asset owners and tracked to
remediation.

COMPLEMENTARY SUBSERVICE ORGANIZATION CONTROLS (CSOCS)
vRealize has contracted with AWS to provide cloud hosting services on behalf of VMware. AWS is
responsible for controls related to physical security, environmental protection, physical and logical access,
incident response, and backup and recovery of their environment.

Control activities performed by AWS noted above have been excluded from the scope of this report.
vRealize, through its operational activities, monitors the services performed by AWS to determine whether
operations and controls expected to be implemented are functioning effectively. Management also has
communication with AWS to monitor compliance with the service agreement, stay informed of changes
planned at the hosting facility, and relay issues or concerns to AWS management.

The following table identifies the applicable trust services criteria that are intended to be met by controls at
AWS and the type of controls expected to be implemented to meet the criteria:

TRUST SERVICES CRITERIA INTENDED TO BE MET BY THE CONTROLS OF THE SUBSERVICE ORGANIZATION, AND CONTROLS EXPECTED TO BE IMPLEMENTED AT THE SUBSERVICE ORGANIZATION

CC6.1, CC6.2, CC6.3, CC6.4, CC6.5
◼ Policies and mechanisms are in place to restrict unauthorized system access. Access that is no longer required is removed in a timely manner.
◼ Data center access is restricted to authorized personnel and monitored on a 24/7 basis.
◼ Physical assets are wiped prior to disposal or re-use in accordance with the policy.

CC7.1, CC7.2, CC7.3, CC7.4
◼ Policies and mechanisms have been implemented for reporting security events and incidents.
◼ Policies and mechanisms have been implemented to identify and triage security events.
◼ An incident response process is documented and established for the identification and response to security events and incidents.

CC8.1
◼ Policies and mechanisms have been implemented to document and control changes to infrastructure and applications in accordance with a defined Change Management Policy.

A1.2
◼ Policies and mechanisms have been implemented to address system availability and recovery objectives, including environmental protection mechanisms.

A1.3
◼ Business Continuity Plans are tested and updated at least annually or following significant organizational or environmental changes.

SYSTEM INCIDENTS
There were no system incidents as of the date of the description that resulted in the failure to achieve one
or more service commitments and system requirements.

TRUST SERVICES CRITERIA THAT ARE NOT RELEVANT TO THE SYSTEM
There were no specific security or availability Trust Services Criteria as set forth in TSP section 100, 2017
Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (AICPA,
Trust Services Criteria) that were not relevant to the system as presented in this report.

SIGNIFICANT CHANGES TO THE SYSTEM AND CONTROLS DURING THE PERIOD
There were no relevant changes to the components of the system that occurred during the examination
period under review.

TRUST SERVICES CRITERIA AND RELATED CONTROLS
Relevant trust services criteria and vRealize’s related controls are included in Section IV of this report, Trust
Services Categories, Criteria, VMware’s Related Controls and KPMG LLP’s Tests of Controls and Results
of Tests. Although the applicable trust services criteria and related controls are presented in Section IV,
they are, nevertheless, an integral part of vRealize’s system description.

Section IV.
Trust Services Categories, Criteria,
VMware’s Related Controls and
KPMG LLP’s Tests of Controls and
Results of Tests

SECURITY AND AVAILABILITY CATEGORIES, RELATED TRUST SERVICES
CRITERIA, AND CONTROLS OVERVIEW

PURPOSE
The following section describes the Security and Availability categories, related criteria, and controls related
to vRealize.

CRITERIA AND CONTROLS: CONTENT DESCRIPTION

Criteria
The criteria represent the individual requirements for the in-scope categories of Security and Availability within the Trust Services Categories and Criteria issued by the AICPA.
Security Category: Information systems are protected against unauthorized access, unauthorized disclosure of information, and damage to systems that could compromise its information or systems and affect the entity’s ability to meet its objectives.
Availability Category: Information and systems are available for operation and use to meet the entity’s objectives.

Controls
The controls listed on the following pages depict the vRealize controls which are related to the applicable criterion for Security and Availability.
Control domains are identified as follows:
Access Control (“AC”)
Asset Management (“AM”)
Business Continuity Management (“BCM”)
Communications Security (“CS”)
Compliance (“CM”)
Human Resource Security (“HRS”)
Information Security Incident Management (“IM”)
Organization of Information Security (“OIS”)
Risk Management (“RM”)
Supplier Relationships (“SR”)
System Acquisition, Development, and Maintenance (“SDM”)
System Availability (“SA”)
System Monitoring (“SM”)
Vulnerability Management (“VM”)

CC 1.0 Common Criteria Related to the Control Environment

CC1.1 The entity demonstrates a commitment to integrity and ethical values.

Control HRS-2
Control Activity: Management has documented a code of business conduct and ethical standards, which includes a sanctions policy for personnel who violate the code of business conduct.
KPMG's Test Procedures:
Inspected the Business Conduct Guidelines to determine whether a code of business conduct and ethical standards were published and included a sanctions policy for violations.
Inspected the VMware public website to determine whether the Business Conduct Guidelines were published and available to both internal and external personnel.
Observed documentation for a selection of Business Conduct violations to determine whether disciplinary action was documented and tracked.
KPMG's Test Results: No exceptions noted.

Control HRS-3
Control Activity: Employment agreements and contractual agreements, including responsibilities for information security, confidentiality, and the code of conduct, are communicated to and acknowledged by all staff upon hire.
KPMG's Test Procedures:
Inspected the Human Resources Information Security Policy to determine whether requirements for new hire employment agreements and contractual agreements were defined.
Inspected the signed employment agreements and contractual agreements for a selection of new hires to determine whether agreements regarding responsibilities for information security, confidentiality, and the code of conduct were acknowledged upon hire.
KPMG's Test Results: No exceptions noted.

Control HRS-6
Control Activity: A formal and communicated disciplinary process is documented to take action against employees who violate information security policies and procedures.
KPMG's Test Procedures:
Inspected the Information Security Governance Policy and the Human Resources Information Security Policy to determine whether a formal disciplinary process for violating the policies and procedures was defined.
Observed the Case Management system used to document and track disciplinary actions and ethical hotline reports to determine whether these cases were documented, assigned owners, and tracked to resolution.
Observed the quarterly disciplinary actions and anonymous ethical hotline reports communicated to the Audit Committee for a selection of quarters to determine whether cases were documented, categorized, and a status assigned.
KPMG's Test Results: No exceptions noted.

Control OIS-1
Control Activity: A set of policies for information security are defined and communicated to employees. Information security policies are reviewed and approved by management at least annually.
KPMG's Test Procedures:
Inspected the Information Security Governance Policy to determine whether a process for the review of information security policies was defined.
Inspected a selection of information security policies to determine whether policies were communicated to employees and reviewed and approved by management at least annually.
KPMG's Test Results: No exceptions noted.

CC1.2 The board of directors demonstrates independence from management and exercises oversight of the development and performance of internal control.

Control CM-4
Control Activity: The Board of Directors consists of a majority of independent members as per the Board of Directors' Corporate Governance Guidelines to maintain independence from management. The Board of Directors' Corporate Governance Guidelines include qualifications and responsibilities of Board members.
KPMG's Test Procedures:
Inspected the Board of Directors' Corporate Governance Guidelines to determine whether requirements regarding the independence, qualifications, and responsibilities of the Board of Directors were defined.
Inspected the Board of Directors members to determine whether the Board of Directors consists of a majority of independent members.
KPMG's Test Results: No exceptions noted.

Control CM-5
Control Activity: Senior management meets with the Board of Directors quarterly to review business objectives, company initiatives, resource needs, and risk management activities, including results from internal and external assessments.
KPMG's Test Procedures:
Inspected the Board of Directors' Corporate Governance Guidelines to determine whether the guidelines for the Board of Directors meetings with senior management were defined.
Inspected meeting invites and meeting minutes for a selection of quarters to determine whether the Board of Directors met with senior management at least quarterly to review business objectives, company initiatives, resource needs, and risk management activities, including results from internal and external assessments.
KPMG's Test Results: No exceptions noted.

Control CM-6
Control Activity: The Chief Security Officer provides reports to the Audit Committee on information security matters and concerns at least annually.
KPMG's Test Procedures:
Inspected communication from the Chief Security Officer to the Audit Committee to determine whether the Chief Security Officer reported to the Audit Committee on information security matters and concerns at least annually.
KPMG's Test Results: No exceptions noted.

CC1.3 Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives.

Control CM-4
Control Activity: The Board of Directors consists of a majority of independent members as per the Board of Directors' Corporate Governance Guidelines to maintain independence from management. The Board of Directors' Corporate Governance Guidelines include qualifications and responsibilities of Board members.
KPMG's Test Procedures:
Inspected the Board of Directors' Corporate Governance Guidelines to determine whether requirements regarding the independence, qualifications, and responsibilities of the Board of Directors were defined.
Inspected the Board of Directors members to determine whether the Board of Directors consists of a majority of independent members.
KPMG's Test Results: No exceptions noted.

Control HRS-8
Control Activity: Organizational charts are in place to communicate the defined key areas of authority, responsibility, and lines of reporting to personnel. These charts are communicated to employees via the company intranet.
KPMG's Test Procedures:
Inspected organizational charts to determine whether key areas of authority, responsibility, and lines of reporting were communicated to employees via the company intranet.
KPMG's Test Results: No exceptions noted.

Control HRS-9
Control Activity: Position descriptions are documented to define the role, skills, responsibilities, and knowledge levels required for particular jobs upon hire.
KPMG's Test Procedures:
Observed the system used to document position descriptions and an example job description to determine whether a process for documenting job descriptions, including the role, skills, responsibilities, and knowledge levels required for particular jobs upon hire, was defined.
Inspected job descriptions for a selection of new hires to determine whether job descriptions were documented.
KPMG's Test Results: No exceptions noted.

Control OIS-2
Control Activity: Information security roles and responsibilities are communicated to employees and defined in the Information Security Governance Policy, which is reviewed and approved by management at least annually.
KPMG's Test Procedures:
Inspected the Information Security Governance Policy to determine whether information security roles were defined and reviewed and approved by management at least annually.
KPMG's Test Results: No exceptions noted.

CC1.4 The entity demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives.

Control HRS-1
Control Activity: Continued employment for new hires is dependent on successful completion of a background check.
KPMG's Test Procedures:
Inspected the Human Resources Information Security Policy to determine whether requirements for new hire background checks were defined.
Inspected the standard agreement with suppliers providing contractor resources to determine whether responsibility for background checks was defined.
Inspected background check records for a selection of new hires to determine whether successful background checks were completed.
KPMG's Test Results: No exceptions noted.

Control HRS-4
Control Activity: Employees and contractors are required to complete security awareness training and acknowledgement of policies upon hire and annually thereafter.
KPMG's Test Procedures:
Inspected the Information Security Governance Policy to determine whether requirements for security awareness training were defined.
Inspected the training portal and the contents of the security awareness training to determine whether security and compliance requirements were documented.
Inspected the notification configurations for security awareness training to determine whether employees and contractors were notified of upcoming due dates and past due trainings.
Inspected security awareness training completion records for new hires and active employees to determine whether security awareness training and acknowledgement of policies was completed upon hire and annually thereafter.
KPMG's Test Results: No exceptions noted.

Control HRS-5
Control Activity: Training programs are provided, including continuing education and training, to help ensure skill sets and technical competency of employees and contractors are developed and maintained.
KPMG's Test Procedures:
Inspected the training portal available to internal personnel to determine whether training programs were provided to develop and maintain the skill sets and technical competency of employees and contractors.
KPMG's Test Results: No exceptions noted.

Control HRS-7
Control Activity: A process to evaluate and discuss employee performance is defined, as well as a process to identify and manage low performance.
KPMG's Test Procedures:
Inspected the performance review guidelines to determine whether a process to evaluate and discuss employee performance was defined.
Observed the process for tracking employee performance to determine whether low performance was identified and tracked by the company.
KPMG's Test Results: No exceptions noted.

Control HRS-9
Control Activity: Position descriptions are documented to define the role, skills, responsibilities, and knowledge levels required for particular jobs upon hire.
KPMG's Test Procedures:
Observed the system used to document position descriptions and an example job description to determine whether a process for documenting job descriptions, including the role, skills, responsibilities, and knowledge levels required for particular jobs upon hire, was defined.
Inspected job descriptions for a selection of new hires to determine whether job descriptions were documented.
KPMG's Test Results: No exceptions noted.

CC1.5 The entity holds individuals accountable for their internal control responsibilities in the pursuit of objectives.

Control CM-2
Control Activity: The organization selects, develops, and performs ongoing and/or separate internal evaluations to ascertain whether the components of internal control are present and functioning. Corrective action is initiated and tracked to completion for issues identified.
KPMG's Test Procedures:
Inspected the procedure documents to determine whether a process for internal assessments was defined.
Inspected the internal assessment schedule to determine whether internal evaluations were planned and tracked to completion.
Inspected internal assessment documentation to determine whether ongoing and/or separate internal evaluations of the components of internal control were performed.
Inspected the issues identified in the internal evaluations to determine whether corrective action was initiated and tracked to completion.
KPMG's Test Results: No exceptions noted.

Control HRS-2
Control Activity: Management has documented a code of business conduct and ethical standards, which includes a sanctions policy for personnel who violate the code of business conduct.
KPMG's Test Procedures:
Inspected the Business Conduct Guidelines to determine whether a code of business conduct and ethical standards were published and included a sanctions policy for violations.
Inspected the VMware public website to determine whether the Business Conduct Guidelines were published and available to both internal and external personnel.
Observed documentation for a selection of Business Conduct violations to determine whether disciplinary action was documented and tracked.
KPMG's Test Results: No exceptions noted.

Control HRS-6
Control Activity: A formal and communicated disciplinary process is documented to take action against employees who violate information security policies and procedures.
KPMG's Test Procedures:
Inspected the Information Security Governance Policy and the Human Resources Information Security Policy to determine whether a formal disciplinary process for violating the policies and procedures was defined.
Observed the Case Management system used to document and track disciplinary actions and ethical hotline reports to determine whether these cases were documented, assigned owners, and tracked to resolution.
Observed the quarterly disciplinary actions and anonymous ethical hotline reports communicated to the Audit Committee for a selection of quarters to determine whether cases were documented, categorized, and a status assigned.
KPMG's Test Results: No exceptions noted.

Control HRS-7
Control Activity: A process to evaluate and discuss employee performance is defined, as well as a process to identify and manage low performance.
KPMG's Test Procedures:
Inspected the performance review guidelines to determine whether a process to evaluate and discuss employee performance was defined.
Observed the process for tracking employee performance to determine whether low performance was identified and tracked by the company.
KPMG's Test Results: No exceptions noted.

Control HRS-9
Control Activity: Position descriptions are documented to define the role, skills, responsibilities, and knowledge levels required for particular jobs upon hire.
KPMG's Test Procedures:
Observed the system used to document position descriptions and an example job description to determine whether a process for documenting job descriptions, including the role, skills, responsibilities, and knowledge levels required for particular jobs upon hire, was defined.
Inspected job descriptions for a selection of new hires to determine whether job descriptions were documented.
KPMG's Test Results: No exceptions noted.

Control OIS-2
Control Activity: Information security roles and responsibilities are communicated to employees and defined in the Information Security Governance Policy, which is reviewed and approved by management at least annually.
KPMG's Test Procedures:
Inspected the Information Security Governance Policy to determine whether information security roles were defined and reviewed and approved by management at least annually.
KPMG's Test Results: No exceptions noted.

CC 2.0 Common Criteria Related to Communication and Information

CC2.1 The entity obtains or generates and uses relevant, quality information to support the functioning of internal control.

Control AM-4
Control Activity: Management maintains an inventory of service assets with assigned business owners.
KPMG's Test Procedures:
Inspected the Asset Management Policy to determine whether requirements for maintaining an asset inventory were defined.
Inspected the asset inventory to determine whether an inventory of service assets with assigned business owners was maintained.
KPMG's Test Results: No exceptions noted.

Control BCM-1
Control Activity: Business Impact Assessments ("BIAs") are performed annually for operational lines of business to identify critical functions and requirements for business continuity.
KPMG's Test Procedures:
Inspected the Business Continuity Policy to determine whether guidelines for performing Business Impact Assessments were defined.
Inspected the Business Impact Assessments ("BIAs") to determine whether assessments for business units were performed annually to identify critical functions and requirements for business continuity.
KPMG's Test Results: No exceptions noted.

Control CM-1
Control Activity: Management reviews the results of external assessments performed. Corrective action is initiated and tracked to completion for issues identified.
KPMG's Test Procedures:
Inspected the Information Security Governance Policy to determine whether requirements for an independent review of information security were defined.
Inspected the procedure document to determine whether findings identified from external assessments were tracked.
Inspected a recent external assessment performed to determine whether it was documented, and issues identified were communicated through a formal report.
Inspected the issues identified from the external assessments performed to determine whether corrective action was initiated and tracked to completion.
KPMG's Test Results: No exceptions noted.

Control CM-2
Control Activity: The organization selects, develops, and performs ongoing and/or separate internal evaluations to ascertain whether the components of internal control are present and functioning. Corrective action is initiated and tracked to completion for issues identified.
KPMG's Test Procedures:
Inspected the procedure documents to determine whether a process for internal assessments was defined.
Inspected the internal assessment schedule to determine whether internal evaluations were planned and tracked to completion.
Inspected internal assessment documentation to determine whether ongoing and/or separate internal evaluations of the components of internal control were performed.
Inspected the issues identified in the internal evaluations to determine whether corrective action was initiated and tracked to completion.
KPMG's Test Results: No exceptions noted.

Control RM-1
Control Activity: A framework is defined for the organization's overall approach to IT risk and control. The organization:
a. Develops a comprehensive strategy to manage risk,
b. Implements the risk management strategy consistently across the organization,
c. Reviews and updates the risk management strategy periodically, or as required, to address organizational changes, and
d. Establishes criteria for determining whether or not risks can be accepted.
KPMG's Test Procedures:
Inspected the risk management manual to determine whether a framework was defined for the organization's overall approach to IT risk and control.
KPMG's Test Results: No exceptions noted.

CRITERIA: CC2.2
CRITERIA DESCRIPTION: The entity internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control.

Control | Control Activity | KPMG's Test Procedures | KPMG's Test Results

Control: CM-3
Control Activity: A formal service description is documented and publicly available on the company website to communicate information about the design and operation of the system, the entity's commitments, and the responsibilities of internal and external users.
KPMG's Test Procedures:
- Inspected the VMware public-facing website to determine whether a formal service description was documented to communicate information about the design and operation of the system, the entity's commitments, and the responsibilities of internal and external users.
KPMG's Test Results: No exceptions noted.

Control: CM-5
Control Activity: Senior management meets with the Board of Directors quarterly to review business objectives, company initiatives, resource needs, and risk management activities, including results from internal and external assessments.
KPMG's Test Procedures:
- Inspected the Board of Directors' Corporate Governance Guidelines to determine whether the guidelines for the Board of Directors meetings with senior management were defined.
- Inspected meeting invites and meeting minutes for a selection of quarters to determine whether the Board of Directors met with senior management at least quarterly to review business objectives, company initiatives, resource needs, and risk management activities, including results from internal and external assessments.
KPMG's Test Results: No exceptions noted.

Control: CM-6
Control Activity: The Chief Security Officer provides reports to the Audit Committee on information security matters and concerns at least annually.
KPMG's Test Procedures:
- Inspected communication from the Chief Security Officer to the Audit Committee to determine whether the Chief Security Officer reported to the Audit Committee on information security matters and concerns at least annually.
KPMG's Test Results: No exceptions noted.

Control: CM-9
Control Activity: On an annual basis, management reviews and updates, as necessary, a control framework to meet the applicable standards and requirements relevant to VMware.
KPMG's Test Procedures:
- Inspected the VMware control framework to determine whether the framework was reviewed and updated on an annual basis.
KPMG's Test Results: No exceptions noted.


Control: HRS-10
Control Activity: A confidential ethics reporting service is available to employees and the public for reporting suspected conduct inconsistent with law, rules, policies, or VMware's values. Information on reporting issues is available to employees in the Business Code of Conduct and publicly on VMware's website.
KPMG's Test Procedures:
- Inspected the VMware Ethics & Compliance Helpline to determine whether a confidential ethics reporting service was available to employees and the public for reporting suspected conduct inconsistent with law, rules, policies, or VMware's values.
- Observed the Case Management system used to document and track disciplinary actions and ethical hotline reports to determine whether these cases were documented, assigned owners, and tracked.
- Observed the quarterly disciplinary actions and anonymous ethical hotline reports communicated to the Audit Committee for a selection of quarters to determine whether cases were documented, categorized, and a status assigned.
KPMG's Test Results: No exceptions noted.

Control: HRS-3
Control Activity: Employment agreements and contractual agreements, including responsibilities for information security, confidentiality, and the code of conduct, are communicated to and acknowledged by all staff upon hire.
KPMG's Test Procedures:
- Inspected the Human Resources Information Security Policy to determine whether requirements for new hire employment agreements and contractual agreements were defined.
- Inspected the signed employment agreements and contractual agreements for a selection of new hires to determine whether agreements regarding responsibilities for information security, confidentiality, and the code of conduct were acknowledged upon hire.
KPMG's Test Results: No exceptions noted.


Control: HRS-4
Control Activity: Employees and contractors are required to complete security awareness training and acknowledgement of policies upon hire and annually thereafter.
KPMG's Test Procedures:
- Inspected the Information Security Governance Policy to determine whether requirements for security awareness training were defined.
- Inspected the training portal and the contents of the security awareness training to determine whether security and compliance requirements were documented.
- Inspected the notification configurations for security awareness training to determine whether employees and contractors were notified of upcoming due dates and past due trainings.
- Inspected security awareness training completion records for new hires and active employees to determine whether security awareness training and acknowledgement of policies were completed upon hire and annually thereafter.
KPMG's Test Results: No exceptions noted.

Control: HRS-9
Control Activity: Position descriptions are documented to define the role, skills, responsibilities, and knowledge levels required for particular jobs upon hire.
KPMG's Test Procedures:
- Observed the system used to document position descriptions and an example job description to determine whether a process for documenting job descriptions, including the role, skills, responsibilities, and knowledge levels required for particular jobs upon hire, was defined.
- Inspected job descriptions for a selection of new hires to determine whether job descriptions were documented.
KPMG's Test Results: No exceptions noted.

Control: IM-2
Control Activity: Employees and contractors are made aware of their responsibility to report information security events in a timely manner as documented in the Security Incident Management Policy.
KPMG's Test Procedures:
- Inspected the Security Incident Management Policy to determine whether employees and contractors were made aware of their responsibility to report information security events in a timely manner.
KPMG's Test Results: No exceptions noted.


Control: IM-3
Control Activity: Reporting mechanisms exist for internal personnel and customers to report vulnerabilities, weaknesses, or issues. Reported issues are documented and tracked to resolution.
KPMG's Test Procedures:
- Inspected the reporting mechanisms in place to determine whether communication channels were available for internal personnel and customers to report vulnerabilities, weaknesses, or issues.
- Inspected the tickets created during the examination period to determine whether reported issues were documented and tracked to resolution.
KPMG's Test Results: No exceptions noted.

Control: OIS-1
Control Activity: A set of policies for information security is defined and communicated to employees. Information security policies are reviewed and approved by management at least annually.
KPMG's Test Procedures:
- Inspected the Information Security Governance Policy to determine whether a process for the review of information security policies was defined.
- Inspected a selection of information security policies to determine whether policies were communicated to employees and reviewed and approved by management at least annually.
KPMG's Test Results: No exceptions noted.


CRITERIA: CC2.3
CRITERIA DESCRIPTION: The entity communicates with external parties regarding matters affecting the functioning of internal control.

Control | Control Activity | KPMG's Test Procedures | KPMG's Test Results

Control: CM-3
Control Activity: A formal service description is documented and publicly available on the company website to communicate information about the design and operation of the system, the entity's commitments, and the responsibilities of internal and external users.
KPMG's Test Procedures:
- Inspected the VMware public-facing website to determine whether a formal service description was documented to communicate information about the design and operation of the system, the entity's commitments, and the responsibilities of internal and external users.
KPMG's Test Results: No exceptions noted.

Control: CM-5
Control Activity: Senior management meets with the Board of Directors quarterly to review business objectives, company initiatives, resource needs, and risk management activities, including results from internal and external assessments.
KPMG's Test Procedures:
- Inspected the Board of Directors' Corporate Governance Guidelines to determine whether the guidelines for the Board of Directors meetings with senior management were defined.
- Inspected meeting invites and meeting minutes for a selection of quarters to determine whether the Board of Directors met with senior management at least quarterly to review business objectives, company initiatives, resource needs, and risk management activities, including results from internal and external assessments.
KPMG's Test Results: No exceptions noted.

Control: CM-8
Control Activity: Customer support is available 24/7 for Severity 1 issues as well as online access to documentation, resources, and discussion forums. Severity 1 issues are documented and tracked to resolution.
KPMG's Test Procedures:
- Inspected the VMware public-facing website to determine whether customer support was available 24/7 for Severity 1 issues and whether documentation, resources, and discussion forums were available.
- Inspected customer support cases for the examination period to determine whether Severity 1 issues were tracked to completion.
KPMG's Test Results: No exceptions noted.


Control: HRS-10
Control Activity: A confidential ethics reporting service is available to employees and the public for reporting suspected conduct inconsistent with law, rules, policies, or VMware's values. Information on reporting issues is available to employees in the Business Code of Conduct and publicly on VMware's website.
KPMG's Test Procedures:
- Inspected the VMware Ethics & Compliance Helpline to determine whether a confidential ethics reporting service was available to employees and the public for reporting suspected conduct inconsistent with law, rules, policies, or VMware's values.
- Observed the Case Management system used to document and track disciplinary actions and ethical hotline reports to determine whether these cases were documented, assigned owners, and tracked.
- Observed the quarterly disciplinary actions and anonymous ethical hotline reports communicated to the Audit Committee for a selection of quarters to determine whether cases were documented, categorized, and a status assigned.
KPMG's Test Results: No exceptions noted.

Control: IM-3
Control Activity: Reporting mechanisms exist for internal personnel and customers to report vulnerabilities, weaknesses, or issues. Reported issues are documented and tracked to resolution.
KPMG's Test Procedures:
- Inspected the reporting mechanisms in place to determine whether communication channels were available for internal personnel and customers to report vulnerabilities, weaknesses, or issues.
- Inspected the tickets created during the examination period to determine whether reported issues were documented and tracked to resolution.
KPMG's Test Results: No exceptions noted.

Control: OIS-1
Control Activity: A set of policies for information security is defined and communicated to employees. Information security policies are reviewed and approved by management at least annually.
KPMG's Test Procedures:
- Inspected the Information Security Governance Policy to determine whether a process for the review of information security policies was defined.
- Inspected a selection of information security policies to determine whether policies were communicated to employees and reviewed and approved by management at least annually.
KPMG's Test Results: No exceptions noted.


Control: OIS-4
Control Activity: The status of services, scheduled maintenance, and incidents are communicated to customers via the public website.
KPMG's Test Procedures:
- Inspected the VMware public website to determine whether the status of services, scheduled maintenance, and incidents were communicated to customers.
KPMG's Test Results: No exceptions noted.

Control: SDM-8
Control Activity: Release notes are documented and published online to communicate new features, improvements, and bug fixes within major product releases.
KPMG's Test Procedures:
- Inspected the VMware public-facing website to determine whether release notes were documented and communicated to customers.
KPMG's Test Results: No exceptions noted.


CC 3.0 Common Criteria Related to Risk Assessment

CRITERIA: CC3.1
CRITERIA DESCRIPTION: The entity specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives.

Control | Control Activity | KPMG's Test Procedures | KPMG's Test Results

Control: CM-5
Control Activity: Senior management meets with the Board of Directors quarterly to review business objectives, company initiatives, resource needs, and risk management activities, including results from internal and external assessments.
KPMG's Test Procedures:
- Inspected the Board of Directors' Corporate Governance Guidelines to determine whether the guidelines for the Board of Directors meetings with senior management were defined.
- Inspected meeting invites and meeting minutes for a selection of quarters to determine whether the Board of Directors met with senior management at least quarterly to review business objectives, company initiatives, resource needs, and risk management activities, including results from internal and external assessments.
KPMG's Test Results: No exceptions noted.

Control: CM-9
Control Activity: On an annual basis, management reviews and updates, as necessary, a control framework to meet the applicable standards and requirements relevant to VMware.
KPMG's Test Procedures:
- Inspected the VMware control framework to determine whether the framework was reviewed and updated on an annual basis.
KPMG's Test Results: No exceptions noted.


Control: RM-1
Control Activity: A framework is defined for the organization's overall approach to IT risk and control. The organization:
a. Develops a comprehensive strategy to manage risk,
b. Implements the risk management strategy consistently across the organization,
c. Reviews and updates the risk management strategy periodically, or as required, to address organizational changes, and
d. Establishes criteria for determining whether or not risks can be accepted.
KPMG's Test Procedures:
- Inspected the risk management manual to determine whether a framework was defined for the organization's overall approach to IT risk and control.
KPMG's Test Results: No exceptions noted.


CRITERIA: CC3.2
CRITERIA DESCRIPTION: The entity identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed.

Control | Control Activity | KPMG's Test Procedures | KPMG's Test Results

Control: BCM-1
Control Activity: Business Impact Assessments ("BIAs") are performed annually for operational lines of business to identify critical functions and requirements for business continuity.
KPMG's Test Procedures:
- Inspected the Business Continuity Policy to determine whether guidelines for performing Business Impact Assessments were defined.
- Inspected the Business Impact Assessments ("BIAs") to determine whether assessments for business units were performed annually to identify critical functions and requirements for business continuity.
KPMG's Test Results: No exceptions noted.

Control: CM-2
Control Activity: The organization selects, develops, and performs ongoing and/or separate internal evaluations to ascertain whether the components of internal control are present and functioning. Corrective action is initiated and tracked to completion for issues identified.
KPMG's Test Procedures:
- Inspected the procedure documents to determine whether a process for internal assessments was defined.
- Inspected the internal assessment schedule to determine whether internal evaluations were planned and tracked to completion.
- Inspected internal assessment documentation to determine whether ongoing and/or separate internal evaluations of the components of internal control were performed.
- Inspected the issues identified in the internal evaluations to determine whether corrective action was initiated and tracked to completion.
KPMG's Test Results: No exceptions noted.


Control: CM-5
Control Activity: Senior management meets with the Board of Directors quarterly to review business objectives, company initiatives, resource needs, and risk management activities, including results from internal and external assessments.
KPMG's Test Procedures:
- Inspected the Board of Directors' Corporate Governance Guidelines to determine whether the guidelines for the Board of Directors meetings with senior management were defined.
- Inspected meeting invites and meeting minutes for a selection of quarters to determine whether the Board of Directors met with senior management at least quarterly to review business objectives, company initiatives, resource needs, and risk management activities, including results from internal and external assessments.
KPMG's Test Results: No exceptions noted.

Control: RM-1
Control Activity: A framework is defined for the organization's overall approach to IT risk and control. The organization:
a. Develops a comprehensive strategy to manage risk,
b. Implements the risk management strategy consistently across the organization,
c. Reviews and updates the risk management strategy periodically, or as required, to address organizational changes, and
d. Establishes criteria for determining whether or not risks can be accepted.
KPMG's Test Procedures:
- Inspected the risk management manual to determine whether a framework was defined for the organization's overall approach to IT risk and control.
KPMG's Test Results: No exceptions noted.

Control: RM-2
Control Activity: Product risk assessments are performed on an annual basis. Risk mitigation strategies are defined and tracked to completion.
KPMG's Test Procedures:
- Inspected the product risk assessment schedule to determine whether product risk assessments were tracked.
- Inspected the risks identified in the product risk assessments for a selection of services to determine whether risk mitigation strategies were defined and tracked to completion.
KPMG's Test Results: No exceptions noted.


Control: RM-3
Control Activity: A risk assessment process, including the consideration of fraud risk, is in place to regularly assess the risk and mitigation plans. Periodic reporting to risk owners and executives takes place to review the risks and mitigation strategies.
KPMG's Test Procedures:
- Inspected the risk management manual to determine whether the risk assessment process was defined to assess risk and mitigation plans.
- Inspected the most recent risk assessment to determine whether a risk assessment was performed and reported to relevant risk owners and executives.
- Inspected the centralized risk register to determine whether a centralized risk register was maintained to track overall risks to the organization.
KPMG's Test Results: No exceptions noted.

Control: RM-4
Control Activity: A program is established to assess and monitor security and risks during the service design and onboarding process.
KPMG's Test Procedures:
- Inspected the Build and Operate SAAS guide to determine whether a program is documented for assessing and monitoring security risks for onboarded cloud services.
- Inspected the questionnaire and tickets tracked for a selection of services to determine whether tickets were assessed and monitored for security risks.
KPMG's Test Results: No exceptions noted.


Control: SR-4
Control Activity: Service providers are subject to a risk-based security assessment. Significant issues identified are tracked to resolution and the results are communicated to relevant business owners.
KPMG's Test Procedures:
- Inspected the Third-Party Risk Management Policy to determine whether guidelines for performing service provider risk assessments were defined.
- Inspected the third-party risk assessment tracking document to determine whether service provider onboarding and periodic assessments were tracked.
- Inspected an example Third-Party Risk Assessment weekly update deck to determine whether assessments' statuses were communicated.
- Inspected an example third-party risk assessment to determine whether a security questionnaire was completed, and issues identified were documented.
- Inspected risk assessment documentation and tracking for a selection of service providers to determine whether the third-party risk management team was tracking and performing assessments based on criticality.
KPMG's Test Results: No exceptions noted.

Control: SR-5
Control Activity: Management reviews third-party examination reports for subservice organizations to assess subservice organization's achievement of controls relevant to the entity's commitments.
KPMG's Test Procedures:
- Inspected the Third Party Risk Management Policy to determine whether guidelines for reviewing subservice organization examination reports were defined.
- Inspected third-party examination report reviews for in-scope subservice organizations to determine whether subservice organization achievement of controls relevant to the entity's commitments was assessed.
KPMG's Test Results: No exceptions noted.


CRITERIA: CC3.3
CRITERIA DESCRIPTION: The entity considers the potential for fraud in assessing risks to the achievement of objectives.

Control | Control Activity | KPMG's Test Procedures | KPMG's Test Results

Control: RM-1
Control Activity: A framework is defined for the organization's overall approach to IT risk and control. The organization:
a. Develops a comprehensive strategy to manage risk,
b. Implements the risk management strategy consistently across the organization,
c. Reviews and updates the risk management strategy periodically, or as required, to address organizational changes, and
d. Establishes criteria for determining whether or not risks can be accepted.
KPMG's Test Procedures:
- Inspected the risk management manual to determine whether a framework was defined for the organization's overall approach to IT risk and control.
KPMG's Test Results: No exceptions noted.

Control: RM-3
Control Activity: A risk assessment process, including the consideration of fraud risk, is in place to regularly assess the risk and mitigation plans. Periodic reporting to risk owners and executives takes place to review the risks and mitigation strategies.
KPMG's Test Procedures:
- Inspected the risk management manual to determine whether the risk assessment process was defined to assess risk and mitigation plans.
- Inspected the most recent risk assessment to determine whether a risk assessment was performed and reported to relevant risk owners and executives.
- Inspected the centralized risk register to determine whether a centralized risk register was maintained to track overall risks to the organization.
KPMG's Test Results: No exceptions noted.


CRITERIA: CC3.4
CRITERIA DESCRIPTION: The entity identifies and assesses changes that could significantly impact the system of internal control.

Control | Control Activity | KPMG's Test Procedures | KPMG's Test Results

Control: BCM-1
Control Activity: Business Impact Assessments ("BIAs") are performed annually for operational lines of business to identify critical functions and requirements for business continuity.
KPMG's Test Procedures:
- Inspected the Business Continuity Policy to determine whether guidelines for performing Business Impact Assessments were defined.
- Inspected the Business Impact Assessments ("BIAs") to determine whether assessments for business units were performed annually to identify critical functions and requirements for business continuity.
KPMG's Test Results: No exceptions noted.

Control: CM-9
Control Activity: On an annual basis, management reviews and updates, as necessary, a control framework to meet the applicable standards and requirements relevant to VMware.
KPMG's Test Procedures:
- Inspected the VMware control framework to determine whether the framework was reviewed and updated on an annual basis.
KPMG's Test Results: No exceptions noted.

Control: RM-1
Control Activity: A framework is defined for the organization's overall approach to IT risk and control. The organization:
a. Develops a comprehensive strategy to manage risk,
b. Implements the risk management strategy consistently across the organization,
c. Reviews and updates the risk management strategy periodically, or as required, to address organizational changes, and
d. Establishes criteria for determining whether or not risks can be accepted.
KPMG's Test Procedures:
- Inspected the risk management manual to determine whether a framework was defined for the organization's overall approach to IT risk and control.
KPMG's Test Results: No exceptions noted.


Control: RM-2
Control Activity: Product risk assessments are performed on an annual basis. Risk mitigation strategies are defined and tracked to completion.
KPMG's Test Procedures:
- Inspected the product risk assessment schedule to determine whether product risk assessments were tracked.
- Inspected the risks identified in the product risk assessments for a selection of services to determine whether risk mitigation strategies were defined and tracked to completion.
KPMG's Test Results: No exceptions noted.

Control: RM-3
Control Activity: A risk assessment process, including the consideration of fraud risk, is in place to regularly assess the risk and mitigation plans. Periodic reporting to risk owners and executives takes place to review the risks and mitigation strategies.
KPMG's Test Procedures:
- Inspected the risk management manual to determine whether the risk assessment process was defined to assess risk and mitigation plans.
- Inspected the most recent risk assessment to determine whether a risk assessment was performed and reported to relevant risk owners and executives.
- Inspected the centralized risk register to determine whether a centralized risk register was maintained to track overall risks to the organization.
KPMG's Test Results: No exceptions noted.


Control: SR-4
Control Activity: Service providers are subject to a risk-based security assessment. Significant issues identified are tracked to resolution and the results are communicated to relevant business owners.
KPMG's Test Procedures:
- Inspected the Third-Party Risk Management Policy to determine whether guidelines for performing service provider risk assessments were defined.
- Inspected the third-party risk assessment tracking document to determine whether service provider onboarding and periodic assessments were tracked.
- Inspected an example Third-Party Risk Assessment weekly update deck to determine whether assessments' statuses were communicated.
- Inspected an example third-party risk assessment to determine whether a security questionnaire was completed, and issues identified were documented.
- Inspected risk assessment documentation and tracking for a selection of service providers to determine whether the third-party risk management team was tracking and performing assessments based on criticality.
KPMG's Test Results: No exceptions noted.

Control: SR-5
Control Activity: Management reviews third-party examination reports for subservice organizations to assess subservice organization's achievement of controls relevant to the entity's commitments.
KPMG's Test Procedures:
- Inspected the Third Party Risk Management Policy to determine whether guidelines for reviewing subservice organization examination reports were defined.
- Inspected third-party examination report reviews for in-scope subservice organizations to determine whether subservice organization achievement of controls relevant to the entity's commitments was assessed.
KPMG's Test Results: No exceptions noted.


CC 4.0 Common Criteria Related to Monitoring Activities

CRITERIA: CC4.1
CRITERIA DESCRIPTION: The entity selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning.

Control | Control Activity | KPMG's Test Procedures | KPMG's Test Results

Control: CM-1
Control Activity: Management reviews the results of external assessments performed. Corrective action is initiated and tracked to completion for issues identified.
KPMG's Test Procedures:
- Inspected the Information Security Governance Policy to determine whether requirements for an independent review of information security were defined.
- Inspected the procedure document to determine whether findings identified from external assessments were tracked.
- Inspected a recent external assessment performed to determine whether it was documented, and issues identified were communicated through a formal report.
- Inspected the issues identified from the external assessments performed to determine whether corrective action was initiated and tracked to completion.
KPMG's Test Results: No exceptions noted.

Control: CM-2
Control Activity: The organization selects, develops, and performs ongoing and/or separate internal evaluations to ascertain whether the components of internal control are present and functioning. Corrective action is initiated and tracked to completion for issues identified.
KPMG's Test Procedures:
- Inspected the procedure documents to determine whether a process for internal assessments was defined.
- Inspected the internal assessment schedule to determine whether internal evaluations were planned and tracked to completion.
- Inspected internal assessment documentation to determine whether ongoing and/or separate internal evaluations of the components of internal control were performed.
- Inspected the issues identified in the internal evaluations to determine whether corrective action was initiated and tracked to completion.
KPMG's Test Results: No exceptions noted.


Control: RM-4
Control Activity: A program is established to assess and monitor security and risks during the service design and onboarding process.
KPMG's Test Procedures:
- Inspected the Build and Operate SAAS guide to determine whether a program is documented for assessing and monitoring security risks for onboarded cloud services.
- Inspected the questionnaire and tickets tracked for a selection of services to determine whether tickets were assessed and monitored for security risks.
KPMG's Test Results: No exceptions noted.

Control: SR-5
Control Activity: Management reviews third-party examination reports for subservice organizations to assess subservice organization's achievement of controls relevant to the entity's commitments.
KPMG's Test Procedures:
- Inspected the Third Party Risk Management Policy to determine whether guidelines for reviewing subservice organization examination reports were defined.
- Inspected third-party examination report reviews for in-scope subservice organizations to determine whether subservice organization achievement of controls relevant to the entity's commitments was assessed.
KPMG's Test Results: No exceptions noted.


CRITERIA: CC4.2
CRITERIA DESCRIPTION: The entity evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate.

Control | Control Activity | KPMG's Test Procedures | KPMG's Test Results

CM-1 Management reviews the Inspected the Information Security No exceptions


results of external Governance Policy to determine whether noted.
assessments performed. requirements for an independent review
Corrective action is initiated of information security were defined.
and tracked to completion
for issues identified. Inspected the procedure document to
determine whether findings identified from
external assessments were tracked.

Inspected a recent external assessment


performed to determine whether the it
was documented, and issues identified
were communicated through a formal
report.

Inspected the issues identified from the


external assessments performed to
determine whether corrective action was
initiated and tracked to completion.

CM-2
Control Activity: The organization selects, develops, and performs ongoing and/or separate internal evaluations to ascertain whether the components of internal control are present and functioning. Corrective action is initiated and tracked to completion for issues identified.
KPMG's Test Procedures:
  Inspected the procedure documents to determine whether a process for internal assessments was defined.
  Inspected the internal assessment schedule to determine whether internal evaluations were planned and tracked to completion.
  Inspected internal assessment documentation to determine whether ongoing and/or separate internal evaluations of the components of internal control were performed.
  Inspected the issues identified in the internal evaluations to determine whether corrective action was initiated and tracked to completion.
KPMG's Test Results: No exceptions noted.


CM-5
Control Activity: Senior management meets with the Board of Directors quarterly to review business objectives, company initiatives, resource needs, and risk management activities, including results from internal and external assessments.
KPMG's Test Procedures:
  Inspected the Board of Directors' Corporate Governance Guidelines to determine whether the guidelines for the Board of Directors meetings with senior management were defined.
  Inspected meeting invites and meeting minutes for a selection of quarters to determine whether the Board of Directors met with senior management at least quarterly to review business objectives, company initiatives, resource needs, and risk management activities, including results from internal and external assessments.
KPMG's Test Results: No exceptions noted.

CM-6
Control Activity: The Chief Security Officer provides reports to the Audit Committee on information security matters and concerns at least annually.
KPMG's Test Procedures:
  Inspected communication from the Chief Security Officer to the Audit Committee to determine whether the Chief Security Officer reported to the Audit Committee on information security matters and concerns at least annually.
KPMG's Test Results: No exceptions noted.



CC 5.0 Common Criteria Related to Control Activities

CRITERIA: CC5.1
CRITERIA DESCRIPTION: The entity selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels.

Control | Control Activity | KPMG's Test Procedures | KPMG's Test Results

BCM-1
Control Activity: Business Impact Assessments ("BIAs") are performed annually for operational lines of business to identify critical functions and requirements for business continuity.
KPMG's Test Procedures:
  Inspected the Business Continuity Policy to determine whether guidelines for performing Business Impact Assessments were defined.
  Inspected the Business Impact Assessments ("BIAs") to determine whether assessments for business units were performed annually to identify critical functions and requirements for business continuity.
KPMG's Test Results: No exceptions noted.

CM-9
Control Activity: On an annual basis, management reviews and updates, as necessary, a control framework to meet the applicable standards and requirements relevant to VMware.
KPMG's Test Procedures:
  Inspected the VMware control framework to determine whether the framework was reviewed and updated on an annual basis.
KPMG's Test Results: No exceptions noted.

OIS-1
Control Activity: A set of policies for information security is defined and communicated to employees. Information security policies are reviewed and approved by management at least annually.
KPMG's Test Procedures:
  Inspected the Information Security Governance Policy to determine whether a process for the review of information security policies was defined.
  Inspected a selection of information security policies to determine whether policies were communicated to employees and reviewed and approved by management at least annually.
KPMG's Test Results: No exceptions noted.

OIS-3
Control Activity: Role-based access is utilized to restrict access to system resources.
KPMG's Test Procedures:
  Inspected role-based access groups and permissions to determine whether role-based access was implemented to restrict access to system resources.
KPMG's Test Results: No exceptions noted.


RM-1
Control Activity: A framework is defined for the organization's overall approach to IT risk and control. The organization:
  a. Develops a comprehensive strategy to manage risk,
  b. Implements the risk management strategy consistently across the organization,
  c. Reviews and updates the risk management strategy periodically, or as required, to address organizational changes, and
  d. Establishes criteria for determining whether or not risks can be accepted.
KPMG's Test Procedures:
  Inspected the risk management manual to determine whether a framework was defined for the organization's overall approach to IT risk and control.
KPMG's Test Results: No exceptions noted.

RM-2
Control Activity: Product risk assessments are performed on an annual basis. Risk mitigation strategies are defined and tracked to completion.
KPMG's Test Procedures:
  Inspected the product risk assessment schedule to determine whether product risk assessments were tracked.
  Inspected the risks identified in the product risk assessments for a selection of services to determine whether risk mitigation strategies were defined and tracked to completion.
KPMG's Test Results: No exceptions noted.

RM-3
Control Activity: A risk assessment process, including the consideration of fraud risk, is in place to regularly assess the risk and mitigation plans. Periodic reporting to risk owners and executives takes place to review the risks and mitigation strategies.
KPMG's Test Procedures:
  Inspected the risk management manual to determine whether the risk assessment process was defined to assess risk and mitigation plans.
  Inspected the most recent risk assessment to determine whether a risk assessment was performed and reported to relevant risk owners and executives.
  Inspected the centralized risk register to determine whether a centralized risk register was maintained to track overall risks to the organization.
KPMG's Test Results: No exceptions noted.



CRITERIA: CC5.2
CRITERIA DESCRIPTION: The entity also selects and develops general control activities over technology to support the achievement of objectives.

Control | Control Activity | KPMG's Test Procedures | KPMG's Test Results

CM-2
Control Activity: The organization selects, develops, and performs ongoing and/or separate internal evaluations to ascertain whether the components of internal control are present and functioning. Corrective action is initiated and tracked to completion for issues identified.
KPMG's Test Procedures:
  Inspected the procedure documents to determine whether a process for internal assessments was defined.
  Inspected the internal assessment schedule to determine whether internal evaluations were planned and tracked to completion.
  Inspected internal assessment documentation to determine whether ongoing and/or separate internal evaluations of the components of internal control were performed.
  Inspected the issues identified in the internal evaluations to determine whether corrective action was initiated and tracked to completion.
KPMG's Test Results: No exceptions noted.

CM-9
Control Activity: On an annual basis, management reviews and updates, as necessary, a control framework to meet the applicable standards and requirements relevant to VMware.
KPMG's Test Procedures:
  Inspected the VMware control framework to determine whether the framework was reviewed and updated on an annual basis.
KPMG's Test Results: No exceptions noted.

OIS-1
Control Activity: A set of policies for information security is defined and communicated to employees. Information security policies are reviewed and approved by management at least annually.
KPMG's Test Procedures:
  Inspected the Information Security Governance Policy to determine whether a process for the review of information security policies was defined.
  Inspected a selection of information security policies to determine whether policies were communicated to employees and reviewed and approved by management at least annually.
KPMG's Test Results: No exceptions noted.


SDM-1
Control Activity: Requirements for the development of software and systems are established in the Change Management Policy and the System Acquisition, Development & Maintenance Policy.
KPMG's Test Procedures:
  Inspected the Change Management Policy and the System Acquisition, Development & Maintenance Policy to determine whether requirements for the secure development of software and systems were established.
KPMG's Test Results: No exceptions noted.



CRITERIA: CC5.3
CRITERIA DESCRIPTION: The entity deploys control activities through policies that establish what is expected and in procedures that put policies into action.

Control | Control Activity | KPMG's Test Procedures | KPMG's Test Results

AC-1
Control Activity: The Access Control Policy is maintained to define responsibilities and actions for granting, monitoring, and revoking account access and privileges to system resources.
KPMG's Test Procedures:
  Inspected the Access Control Policy to determine whether responsibilities and actions for granting, monitoring, and revoking account access and privileges to system resources were defined and approved annually.
KPMG's Test Results: No exceptions noted.

AM-1
Control Activity: Data classification criteria are documented, reviewed and approved by management, and communicated to internal personnel.
KPMG's Test Procedures:
  Inspected the Data Classification Policy to determine whether data classification criteria were documented, reviewed, and approved by management.
  Inspected the Data Classification Policy published on the internal network to determine whether data classification criteria were communicated to internal personnel.
KPMG's Test Results: No exceptions noted.

AM-2
Control Activity: The Data Handling and Protection Standards define procedures for handling information assets based on their classification, including requirements for media disposal.
KPMG's Test Procedures:
  Inspected the Data Handling and Protection Standards to determine whether procedures for handling information assets based on their classification, including requirements for media disposal, were defined.
KPMG's Test Results: No exceptions noted.

AM-3
Control Activity: The Acceptable Use Policy defines employee responsibilities and boundaries regarding the use of technology and information systems.
KPMG's Test Procedures:
  Inspected the Acceptable Use Policy to determine whether employee responsibilities and boundaries regarding the use of technology and information systems were defined.
KPMG's Test Results: No exceptions noted.


BCM-2
Control Activity: Business Continuity Plans for operational lines of business are defined, reviewed, and tested on at least an annual basis.
KPMG's Test Procedures:
  Inspected the Business Continuity Policy to determine whether guidelines for defining, reviewing, and testing Business Continuity Plans were defined.
  Inspected the Business Continuity Plans for business units to determine whether the plans were defined and reviewed on at least an annual basis.
  Inspected the policy exception filed related to VMware's Business Continuity Program to determine whether it was reasonable, contained a remediation and action plan to address any delayed reviews and testing, and was approved by management.
KPMG's Test Results: No exceptions noted.

BCM-3
Control Activity: Disaster Recovery Plans are defined, reviewed, and tested on at least an annual basis.
KPMG's Test Procedures:
  Inspected the Disaster Recovery Plans to determine whether the plans were defined and reviewed on at least an annual basis.
  Inspected test documentation to determine whether Disaster Recovery Plans were tested on at least an annual basis.
KPMG's Test Results: No exceptions noted.

CS-1
Control Activity: A policy on the use, protection, and lifetime of cryptographic keys is defined.
KPMG's Test Procedures:
  Inspected the Encryption Policy to determine whether requirements for the use, protection, and lifetime of cryptographic keys were defined.
KPMG's Test Results: No exceptions noted.

IM-1
Control Activity: Incident response policies and procedures are defined, reviewed and approved by management at least annually, and communicated to internal personnel. The policies and procedures include management responsibilities as well as procedures for monitoring, detecting, analyzing, reporting, and responding to information security events.
KPMG's Test Procedures:
  Inspected the Security Incident Management Policy and the Incident Response Plan to determine whether procedures for monitoring, detecting, analyzing, reporting, and responding to security events were defined and approved at least annually.
  Inspected the VMware internal site to determine whether the Security Incident Management Policy was communicated to internal personnel.
KPMG's Test Results: No exceptions noted.


OIS-1
Control Activity: A set of policies for information security is defined and communicated to employees. Information security policies are reviewed and approved by management at least annually.
KPMG's Test Procedures:
  Inspected the Information Security Governance Policy to determine whether a process for the review of information security policies was defined.
  Inspected a selection of information security policies to determine whether policies were communicated to employees and reviewed and approved by management at least annually.
KPMG's Test Results: No exceptions noted.

OIS-2
Control Activity: Information security roles and responsibilities are communicated to employees and defined in the Information Security Governance Policy, which is reviewed and approved by management at least annually.
KPMG's Test Procedures:
  Inspected the Information Security Governance Policy to determine whether information security roles were defined and reviewed and approved by management at least annually.
KPMG's Test Results: No exceptions noted.

PES-1
Control Activity: The Physical Security Policy defines physical and environmental security measures to protect information systems, personnel, and physical assets, including a clear desk and clear screen policy.
KPMG's Test Procedures:
  Inspected the Physical Security Policy to determine whether physical and environmental security measures, including a clear desk and clear screen policy, were defined.
KPMG's Test Results: No exceptions noted.

SDM-1
Control Activity: Requirements for the development of software and systems are established in the Change Management Policy and the System Acquisition, Development & Maintenance Policy.
KPMG's Test Procedures:
  Inspected the Change Management Policy and the System Acquisition, Development & Maintenance Policy to determine whether requirements for the secure development of software and systems were established.
KPMG's Test Results: No exceptions noted.

SDM-11
Control Activity: Server hardening procedures are defined for the installation and maintenance of production servers.
KPMG's Test Procedures:
  Inspected baseline requirements to determine whether server hardening procedures were defined for the installation and maintenance of production servers.
KPMG's Test Results: No exceptions noted.


SDM-2
Control Activity: Formal change control procedures are defined.
KPMG's Test Procedures:
  Inspected change management procedures to determine whether formal change control procedures, including requirements for change approvals and change testing, were defined.
KPMG's Test Results: No exceptions noted.

SR-2
Control Activity: A Third-Party Risk Management Policy is documented and available to guide personnel to monitor and review third-party service providers. The document is reviewed at least annually.
KPMG's Test Procedures:
  Inspected the Third-Party Risk Management Policy to determine whether guidance for monitoring and reviewing third-party service providers was defined and whether the document was reviewed at least annually.
  Inspected the Third-Party Risk Management Policy published on the internal network to determine whether it was available to internal personnel.
KPMG's Test Results: No exceptions noted.



CC 6.0 Common Criteria Related to Logical and Physical Access Controls

CRITERIA: CC6.1
CRITERIA DESCRIPTION: The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity's objectives.

Control | Control Activity | KPMG's Test Procedures | KPMG's Test Results

AC-11
Control Activity: Remote access to the network and network services is controlled through the use of an encrypted VPN and multi-factor authentication.
KPMG's Test Procedures:
  Inspected the Authentication and Password Policy to determine whether requirements for the use of an encrypted VPN and multi-factor authentication were defined.
  Inspected the VPN and password configuration to determine whether an encrypted VPN and multi-factor authentication were enforced.
KPMG's Test Results: No exceptions noted.

AC-12
Control Activity: Access to secret authentication information is controlled through a formal management process as defined in the Authentication and Password Policy.
KPMG's Test Procedures:
  Inspected the Authentication and Password Policy to determine whether a formal management process to control allocation of secret authentication information was defined.
  Inspected employment status and job title for a selection of users with access to the secret authentication information manager to determine whether access was limited to appropriate individuals.
KPMG's Test Results: No exceptions noted.

AC-13
Control Activity: Access to program source code is limited to appropriate personnel.
KPMG's Test Procedures:
  Inspected the Source Code Management Standards to determine whether guidelines for limiting access to program source code were defined.
  Inspected employment status and job title for a selection of users with access to source code to determine whether access was restricted to appropriate individuals.
KPMG's Test Results: No exceptions noted.


AC-14
Control Activity: Access to configuration management tools is limited to appropriate personnel.
KPMG's Test Procedures:
  Inspected the Access Control Policy to determine whether guidelines for limiting access to configuration management tools to appropriate personnel were defined.
  Inspected employment status and job title for a selection of users with access to configuration management tools to determine whether access was limited to appropriate personnel.
KPMG's Test Results: No exceptions noted.

AC-15
Control Activity: Administrative access to infrastructure and applications is limited to appropriate personnel.
KPMG's Test Procedures:
  Inspected the Access Control Policy to determine whether guidelines for limiting administrative access to appropriate personnel were defined.
  Inspected employment status and job titles for a selection of users with administrative access to production systems to determine whether administrative access was limited to appropriate personnel.
KPMG's Test Results: No exceptions noted.

AC-8
Control Activity: Password parameters for Active Directory are configured to meet minimum requirements as per the Authentication and Password Policy.
KPMG's Test Procedures:
  Inspected the Authentication and Password Policy to determine whether password requirements were defined.
  Inspected the password configuration for Active Directory to determine whether password parameters were configured in accordance with the Authentication and Password Policy.
KPMG's Test Results: No exceptions noted.

AM-1
Control Activity: Data classification criteria are documented, reviewed and approved by management, and communicated to internal personnel.
KPMG's Test Procedures:
  Inspected the Data Classification Policy to determine whether data classification criteria were documented, reviewed, and approved by management.
  Inspected the Data Classification Policy published on the internal network to determine whether data classification criteria were communicated to internal personnel.
KPMG's Test Results: No exceptions noted.


AM-2
Control Activity: The Data Handling and Protection Standards define procedures for handling information assets based on their classification, including requirements for media disposal.
KPMG's Test Procedures:
  Inspected the Data Handling and Protection Standards to determine whether procedures for handling information assets based on their classification, including requirements for media disposal, were defined.
KPMG's Test Results: No exceptions noted.

AM-4
Control Activity: Management maintains an inventory of service assets with assigned business owners.
KPMG's Test Procedures:
  Inspected the Asset Management Policy to determine whether requirements for maintaining an asset inventory were defined.
  Inspected the asset inventory to determine whether an inventory of service assets with assigned business owners was maintained.
KPMG's Test Results: No exceptions noted.

CS-2
Control Activity: Cryptographic keys are stored securely, and access is limited to appropriate personnel.
KPMG's Test Procedures:
  Inspected the Encryption Policy to determine whether requirements for key management were defined.
  Inspected the key management system to determine whether cryptographic keys were protected.
  Inspected employment status and job title for a selection of users with access to the key management system to determine whether access was limited to appropriate individuals.
KPMG's Test Results: No exceptions noted.

CS-3
Control Activity: Customer data is encrypted at rest.
KPMG's Test Procedures:
  Inspected the Encryption Policy and the Data Classification Policy to determine whether requirements for encrypting data at rest were defined.
  Inspected configurations for a selection of databases to determine whether customer data was encrypted at rest.
KPMG's Test Results: No exceptions noted.


CS-4
Control Activity: Transmission of customer data over public networks is encrypted.
KPMG's Test Procedures:
  Inspected the Encryption Policy, the Data Classification Policy, and the SSL Certificate Standards to determine whether requirements for encrypting data in transit were defined.
  Inspected SSL certificates and encryption settings for public facing websites to determine whether the transmission of customer data over public networks was encrypted.
KPMG's Test Results: No exceptions noted.

CS-5
Control Activity: Firewalls and/or security groups are configured to restrict inbound and outbound traffic into the production environment. Administrative access is limited to appropriate personnel.
KPMG's Test Procedures:
  Inspected the Infrastructure Security Policy to determine whether requirements for restricting inbound and outbound traffic were defined.
  Inspected firewall rules and/or security group configurations to determine whether firewalls and/or security groups were in place to restrict inbound and outbound traffic into the production environment.
  Inspected employment status and job title for a selection of users with access to firewalls and/or security groups to determine whether access was limited to appropriate personnel.
KPMG's Test Results: No exceptions noted.

SM-3
Control Activity: Access to logging systems and log information is limited to appropriate personnel.
KPMG's Test Procedures:
  Inspected the Security Logging Standards to determine whether guidelines for restricting access to logging systems and log information were defined.
  Inspected employment status and job title for a selection of users with access to logging systems and log information to determine whether access was restricted to appropriate personnel.
KPMG's Test Results: No exceptions noted.


SM-6
Control Activity: A mobile device management solution is installed on corporate endpoint devices with access to VMware information and information systems.
KPMG's Test Procedures:
  Inspected the End User Device Security Policy and Workspace ONE Standards to determine whether the use of a mobile device management solution on endpoints was defined.
  Inspected the Mobile Device Management solution to determine whether it maintained a list of authorized applications that allowed access to corporate data through managed mobile devices.
  Inspected the Mobile Device Management solution to determine whether access to VMware data was limited to VMware users with a valid authentication certificate.
KPMG's Test Results: No exceptions noted.

VM-9
Control Activity: Administrative access to vulnerability scanning tools is limited to appropriate personnel.
KPMG's Test Procedures:
  Inspected the Access Control Policy to determine whether guidelines for limiting administrative access to appropriate personnel were defined.
  Inspected employment status and job title for a selection of users with administrative access to vulnerability scanning tools to determine whether administrative access was limited to appropriate personnel.
KPMG's Test Results: No exceptions noted.



CRITERIA: CC6.2
CRITERIA DESCRIPTION: Prior to issuing system credentials and granting system access, the entity registers and authorizes new internal and external users whose access is administered by the entity. For those users whose access is administered by the entity, user system credentials are removed when user access is no longer authorized.

Control | Control Activity | KPMG's Test Procedures | KPMG's Test Results

AC-1
Control Activity: The Access Control Policy is maintained to define responsibilities and actions for granting, monitoring, and revoking account access and privileges to system resources.
KPMG's Test Procedures:
  Inspected the Access Control Policy to determine whether responsibilities and actions for granting, monitoring, and revoking account access and privileges to system resources were defined and approved annually.
KPMG's Test Results: No exceptions noted.

AC-3
Control Activity: New and modified user access to production systems is provisioned based on an approved access request that delineates the access levels that the user should be granted.
KPMG's Test Procedures:
  Inspected the Access Control Policy to determine whether a process for provisioning access to production systems was defined.
  Inspected tickets for a selection of new or modified access requests in CloudGate to determine whether access was approved prior to provisioning and whether requests delineated the access levels to be granted.
  Inspected the audit trail logs for a selection of applications in AccessNow to determine whether access was approved prior to provisioning and whether requests delineated the access levels to be granted.
  Inspected tickets for a selection of user access provisioned outside of AccessNow to determine whether access was approved prior to provisioning and whether requests delineated the access levels to be granted.
KPMG's Test Results: No exceptions noted.


AC-6
Control Activity: A formal user access de-provisioning process is implemented in the corporate access management system to revoke access rights to production systems for terminated employees.
KPMG's Test Procedures:
  Inspected the Access Control Policy to determine whether a process for removing access through the corporate access management system was defined.
  Inspected access removal logs for a selection of terminated employees to determine whether access was removed through the corporate access management system in a timely manner.
KPMG's Test Results: No exceptions noted.

AC-7
Control Activity: User access is reviewed for appropriateness on a periodic basis. Access flagged for removal is revoked in a timely manner.
KPMG's Test Procedures:
  Inspected the Access Control Policy to determine whether user access review requirements were defined.
  Inspected access review completion records for a selection of user access reviews to determine whether user access reviews were performed on a periodic basis.
KPMG's Test Results: No exceptions noted.



CRITERIA: CC6.3
CRITERIA DESCRIPTION: The entity authorizes, modifies, or removes access to data, software, functions, and other protected information assets based on roles, responsibilities, or the system design and changes, giving consideration to the concepts of least privilege and segregation of duties, to meet the entity's objectives.

Control | Control Activity | KPMG's Test Procedures | KPMG's Test Results

AC-13
Control Activity: Access to program source code is limited to appropriate personnel.
KPMG's Test Procedures:
  Inspected the Source Code Management Standards to determine whether guidelines for limiting access to program source code were defined.
  Inspected employment status and job title for a selection of users with access to source code to determine whether access was restricted to appropriate individuals.
KPMG's Test Results: No exceptions noted.

AC-14
Control Activity: Access to configuration management tools is limited to appropriate personnel.
KPMG's Test Procedures:
  Inspected the Access Control Policy to determine whether guidelines for limiting access to configuration management tools to appropriate personnel were defined.
  Inspected employment status and job title for a selection of users with access to configuration management tools to determine whether access was limited to appropriate personnel.
KPMG's Test Results: No exceptions noted.

AC-15
Control Activity: Administrative access to infrastructure and applications is limited to appropriate personnel.
KPMG's Test Procedures:
  Inspected the Access Control Policy to determine whether guidelines for limiting administrative access to appropriate personnel were defined.
  Inspected employment status and job titles for a selection of users with administrative access to production systems to determine whether administrative access was limited to appropriate personnel.
KPMG's Test Results: No exceptions noted.


AC-3
Control Activity: New and modified user access to production systems is provisioned based on an approved access request that delineates the access levels that the user should be granted.
KPMG's Test Procedures:
  Inspected the Access Control Policy to determine whether a process for provisioning access to production systems was defined.
  Inspected tickets for a selection of new or modified access requests in CloudGate to determine whether access was approved prior to provisioning and whether requests delineated the access levels to be granted.
  Inspected the audit trail logs for a selection of applications in AccessNow to determine whether access was approved prior to provisioning and whether requests delineated the access levels to be granted.
  Inspected tickets for a selection of user access provisioned outside of AccessNow to determine whether access was approved prior to provisioning and whether requests delineated the access levels to be granted.
KPMG's Test Results: No exceptions noted.

AC-6
Control Activity: A formal user access de-provisioning process is implemented in the corporate access management system to revoke access rights to production systems for terminated employees.
KPMG's Test Procedures:
  Inspected the Access Control Policy to determine whether a process for removing access through the corporate access management system was defined.
  Inspected access removal logs for a selection of terminated employees to determine whether access was removed through the corporate access management system in a timely manner.
KPMG's Test Results: No exceptions noted.

AC-7
Control Activity: User access is reviewed for appropriateness on a periodic basis. Access flagged for removal is revoked in a timely manner.
KPMG's Test Procedures:
  Inspected the Access Control Policy to determine whether user access review requirements were defined.
  Inspected access review completion records for a selection of user access reviews to determine whether user access reviews were performed on a periodic basis.
KPMG's Test Results: No exceptions noted.


OIS-3
Control Activity: Role-based access is utilized to restrict access to system resources.
KPMG's Test Procedures:
  Inspected role-based access groups and permissions to determine whether role-based access was implemented to restrict access to system resources.
KPMG's Test Results: No exceptions noted.

SM-3
Control Activity: Access to logging systems and log information is limited to appropriate personnel.
KPMG's Test Procedures:
  Inspected the Security Logging Standards to determine whether guidelines for restricting access to logging systems and log information were defined.
  Inspected employment status and job title for a selection of users with access to logging systems and log information to determine whether access was restricted to appropriate personnel.
KPMG's Test Results: No exceptions noted.

VM-9
Control Activity: Administrative access to vulnerability scanning tools is limited to appropriate personnel.
KPMG's Test Procedures:
  Inspected the Access Control Policy to determine whether guidelines for limiting administrative access to appropriate personnel were defined.
  Inspected employment status and job title for a selection of users with administrative access to vulnerability scanning tools to determine whether administrative access was limited to appropriate personnel.
KPMG's Test Results: No exceptions noted.



CRITERIA: CC6.4
CRITERIA DESCRIPTION: The entity restricts physical access to facilities and protected information assets (for example, data center facilities, back-up media storage, and other sensitive locations) to authorized personnel to meet the entity's objectives.

Control | Control Activity | KPMG's Test Procedures | KPMG's Test Results

PES-1
Control Activity: The Physical Security Policy defines physical and environmental security measures to protect information systems, personnel, and physical assets, including a clear desk and clear screen policy.
KPMG's Test Procedures:
  Inspected the Physical Security Policy to determine whether physical and environmental security measures, including a clear desk and clear screen policy, were defined.
KPMG's Test Results: No exceptions noted.

PES-2 Requests for new or Inspected the Physical Security Policy to No exceptions
modified physical access to determine whether guidelines for noted.
data center facilities are provisioning physical access were
approved prior to defined.
provisioning.
Inspected the audit logs for a selection of
personnel granted new or modified
physical access to determine whether
physical access was approved prior to
provisioning.

PES-3 Physical access to data Inspected the Physical Security Policy to No exceptions
center facilities is determine whether guidelines for noted.
deprovisioned in a timely deprovisioning physical access were
manner upon termination. defined.

Inspected the configuration between the


physical badge access system and the
human resource management system to
determine whether physical badge
access was configured to automatically
disable after an employee is terminated
within the human resource management
system.

Inspected the data center user access


listing to determine whether users with
access to the data center were active
employees and not on the termination list.

VMware, Inc. Confidential - vRealize / 82


KPMG's Test
Control Control Activity KPMG's Test Procedures
Results

PES-4 Physical access to data Inspected the Physical Security Policy to No exceptions
center facilities is reviewed determine whether physical access noted.
for appropriateness on a review requirements were defined.
quarterly basis. Access
flagged for removal is Inspected the configuration between the
revoked in a timely manner. physical badge access system and the
human resource management system to
determine whether physical badge
access was configured to automatically
disable after an employee is terminated
within the human resource management
system.

Inspected access review completion


evidence for a selection of quarters to
determine whether user access reviews
were performed on a quarterly basis.

PES-5 Physical security controls Inspected the Physical Security Policy to No exceptions
for data center facilities determine whether physical security noted.
such as controlled badge control procedures for data center
access and video facilities were defined.
surveillance have been
implemented to restrict Observed controlled badge access and
physical access to video surveillance in data center facilities
authorized individuals. to determine whether physical security
controls were implemented to restrict
physical access to authorized individuals.

SR-5 Management reviews third- Inspected the Third Party Risk No exceptions
party examination reports Management Policy to determine whether noted.
for subservice guidelines for reviewing subservice
organizations to assess organization examination reports were
subservice organization's defined.
achievement of controls
relevant to the entity's Inspected third-party examination report
commitments. reviews for in-scope subservice
organizations to determine whether
subservice organization achievement of
controls relevant to the entity's
commitments was assessed.

VMware, Inc. Confidential - vRealize / 83


CRITERIA CC6.5
The entity discontinues logical and physical protections over physical assets only after the ability to read or recover data and software from those assets has been diminished and is no longer required to meet the entity’s objectives.

AM-2
  Control Activity: The Data Handling and Protection Standards define procedures for handling information assets based on their classification, including requirements for media disposal.
  KPMG's Test Procedures: Inspected the Data Handling and Protection Standards to determine whether procedures for handling information assets based on their classification, including requirements for media disposal, were defined.
  KPMG's Test Results: No exceptions noted.

AM-4
  Control Activity: Management maintains an inventory of service assets with assigned business owners.
  KPMG's Test Procedures:
    - Inspected the Asset Management Policy to determine whether requirements for maintaining an asset inventory were defined.
    - Inspected the asset inventory to determine whether an inventory of service assets with assigned business owners was maintained.
  KPMG's Test Results: No exceptions noted.

AM-5
  Control Activity: Physical assets are wiped prior to disposal or re-use in accordance with media disposal requirements.
  KPMG's Test Procedures:
    - Inspected the Asset Management Policy to determine whether requirements for media disposal were defined.
    - Inspected certificates of destruction for a selection of assets marked for disposal or re-use to determine whether assets were wiped prior to disposal or re-use in accordance with media disposal requirements.
  KPMG's Test Results: No exceptions noted.

SR-5
  Control Activity: Management reviews third-party examination reports for subservice organizations to assess subservice organization's achievement of controls relevant to the entity's commitments.
  KPMG's Test Procedures:
    - Inspected the Third Party Risk Management Policy to determine whether guidelines for reviewing subservice organization examination reports were defined.
    - Inspected third-party examination report reviews for in-scope subservice organizations to determine whether subservice organization achievement of controls relevant to the entity's commitments was assessed.
  KPMG's Test Results: No exceptions noted.


CRITERIA CC6.6
The entity implements logical access security measures to protect against threats from sources outside its system boundaries.

AC-11
  Control Activity: Remote access to the network and network services is controlled through the use of an encrypted VPN and multi-factor authentication.
  KPMG's Test Procedures:
    - Inspected the Authentication and Password Policy to determine whether requirements for the use of an encrypted VPN and multi-factor authentication were defined.
    - Inspected the VPN and password configuration to determine whether an encrypted VPN and multi-factor authentication were enforced.
  KPMG's Test Results: No exceptions noted.

CS-5
  Control Activity: Firewalls and/or security groups are configured to restrict inbound and outbound traffic into the production environment. Administrative access is limited to appropriate personnel.
  KPMG's Test Procedures:
    - Inspected the Infrastructure Security Policy to determine whether requirements for restricting inbound and outbound traffic were defined.
    - Inspected firewall rules and/or security group configurations to determine whether firewalls and/or security groups were in place to restrict inbound and outbound traffic into the production environment.
    - Inspected employment status and job title for a selection of users with access to firewalls and/or security groups to determine whether access was limited to appropriate personnel.
  KPMG's Test Results: No exceptions noted.


CRITERIA CC6.7
The entity restricts the transmission, movement, and removal of information to authorized internal and external users and processes, and protects it during transmission, movement, or removal to meet the entity’s objectives.

CS-4
  Control Activity: Transmission of customer data over public networks is encrypted.
  KPMG's Test Procedures:
    - Inspected the Encryption Policy, the Data Classification Policy, and the SSL Certificate Standards to determine whether requirements for encrypting data in transit were defined.
    - Inspected SSL certificates and encryption settings for public facing websites to determine whether the transmission of customer data over public networks was encrypted.
  KPMG's Test Results: No exceptions noted.

CS-5
  Control Activity: Firewalls and/or security groups are configured to restrict inbound and outbound traffic into the production environment. Administrative access is limited to appropriate personnel.
  KPMG's Test Procedures:
    - Inspected the Infrastructure Security Policy to determine whether requirements for restricting inbound and outbound traffic were defined.
    - Inspected firewall rules and/or security group configurations to determine whether firewalls and/or security groups were in place to restrict inbound and outbound traffic into the production environment.
    - Inspected employment status and job title for a selection of users with access to firewalls and/or security groups to determine whether access was limited to appropriate personnel.
  KPMG's Test Results: No exceptions noted.

SM-6
  Control Activity: A mobile device management solution is installed on corporate endpoint devices with access to VMware information and information systems.
  KPMG's Test Procedures:
    - Inspected the End User Device Security Policy and Workspace ONE Standards to determine whether the use of a mobile device management solution on endpoints was defined.
    - Inspected the Mobile Device Management solution to determine whether it maintained a list of authorized applications that allowed access to corporate data through managed mobile devices.
    - Inspected the Mobile Device Management solution to determine whether access to VMware data was limited to VMware users with a valid authentication certificate.
  KPMG's Test Results: No exceptions noted.


CRITERIA CC6.8
The entity implements controls to prevent or detect and act upon the introduction of unauthorized or malicious software to meet the entity’s objectives.

AM-3
  Control Activity: The Acceptable Use Policy defines employee responsibilities and boundaries regarding the use of technology and information systems.
  KPMG's Test Procedures: Inspected the Acceptable Use Policy to determine whether employee responsibilities and boundaries regarding the use of technology and information systems were defined.
  KPMG's Test Results: No exceptions noted.

SDM-1
  Control Activity: Requirements for the development of software and systems are established in the Change Management Policy and the System Acquisition, Development & Maintenance Policy.
  KPMG's Test Procedures: Inspected the Change Management Policy and the System Acquisition, Development & Maintenance Policy to determine whether requirements for the secure development of software and systems were established.
  KPMG's Test Results: No exceptions noted.

SDM-10
  Control Activity: Developers cannot deploy their own changes to the production environment.
  KPMG's Test Procedures:
    - Inspected the Change Management Policy to determine whether requirements for segregation of duties were defined.
    - Inspected approval configurations for in-scope repositories to determine whether approvals were enforced prior to deployment into production.
    - Inspected a selection of application changes to determine whether segregation of duties was in place for development, approval, and deployment tasks.
  KPMG's Test Results: No exceptions noted.

SDM-11
  Control Activity: Server hardening procedures are defined for the installation and maintenance of production servers.
  KPMG's Test Procedures: Inspected baseline requirements to determine whether server hardening procedures were defined for the installation and maintenance of production servers.
  KPMG's Test Results: No exceptions noted.


SDM-15
  Control Activity: Configuration management is utilized to help ensure production systems adhere to defined server hardening procedures.
  KPMG's Test Procedures:
    - Inspected the configuration of production code to determine whether configuration management is utilized to help ensure production systems adhered to defined server hardening procedures.
    - Inspected the image builds for a selection of servers to determine if production systems adhered to defined server hardening procedures.
  KPMG's Test Results: No exceptions noted.

SDM-2
  Control Activity: Formal change control procedures are defined.
  KPMG's Test Procedures: Inspected change management procedures to determine whether formal change control procedures, including requirements for change approvals and change testing, were defined.
  KPMG's Test Results: No exceptions noted.

SDM-3
  Control Activity: Infrastructure changes are documented, approved, and tested, where applicable, prior to implementation into production.
  KPMG's Test Procedures:
    - Inspected the Change Management Policy to determine whether requirements for approvals were defined.
    - Inspected a selection of infrastructure changes to determine whether changes were documented, approved, and tested, where applicable, prior to implementation into production.
  KPMG's Test Results: No exceptions noted.

SDM-5
  Control Activity: Application changes are approved prior to deployment into production.
  KPMG's Test Procedures:
    - Inspected the Change Management Policy to determine whether requirements for approvals were defined.
    - Inspected approval configurations for in-scope repositories to determine whether approvals were enforced prior to deployment into production.
    - Inspected a selection of application changes to determine whether changes were approved prior to deployment into production.
  KPMG's Test Results: No exceptions noted.


SM-6
  Control Activity: A mobile device management solution is installed on corporate endpoint devices with access to VMware information and information systems.
  KPMG's Test Procedures:
    - Inspected the End User Device Security Policy and Workspace ONE Standards to determine whether the use of a mobile device management solution on endpoints was defined.
    - Inspected the Mobile Device Management solution to determine whether it maintained a list of authorized applications that allowed access to corporate data through managed mobile devices.
    - Inspected the Mobile Device Management solution to determine whether access to VMware data was limited to VMware users with a valid authentication certificate.
  KPMG's Test Results: No exceptions noted.

SM-7
  Control Activity: Software is installed on user endpoints to protect against unauthorized software installation.
  KPMG's Test Procedures:
    - Inspected the Production Control Policy to determine whether guidelines to protect against unauthorized software installation were defined.
    - Inspected the Mobile Device Management solution to determine whether it was configured to assign the Carbon Black agent on all endpoints as well as reinstall / configure the agent periodically, as needed.
    - Inspected the Carbon Black console to determine whether it was configured to protect against unauthorized software installation through whitelisting and blocking of malware and known threats.
  KPMG's Test Results: No exceptions noted.


VM-1
  Control Activity: External and internal vulnerability scans are performed on at least a monthly basis.
  KPMG's Test Procedures:
    - Inspected the Vulnerability Management Standards to determine whether a process for external and internal vulnerability scanning and remediation was defined.
    - Inspected vulnerability scan configurations to determine whether vulnerability scans were performed on at least a monthly basis.
    - Inspected external and internal vulnerability scan results for a selection of months to determine whether external and internal scans were performed on at least a monthly basis.
  KPMG's Test Results: No exceptions noted.

VM-10
  Control Activity: Vulnerabilities identified in vulnerability scans are documented and tracked to remediation.
  KPMG's Test Procedures:
    - Inspected the Vulnerability Management Standards and escalation procedure documents to determine whether a process for vulnerability remediation and escalation was defined.
    - Inspected the vulnerability management tracking dashboard to determine whether vulnerabilities identified were being tracked to resolution.
    - Inspected remediation activities for a selection of vulnerabilities identified to determine whether vulnerabilities were documented and tracked to remediation.
  KPMG's Test Results: No exceptions noted.

VM-4
  Control Activity: Patches for production servers are deployed on a periodic basis.
  KPMG's Test Procedures:
    - Inspected the Vulnerability Management Standards to determine whether a process for patching production servers was defined.
    - Inspected patch logs for a selection of production servers to determine whether patches were deployed on a periodic basis.
  KPMG's Test Results: No exceptions noted.


VM-5
  Control Activity: Patches for corporate servers are deployed on a periodic basis.
  KPMG's Test Procedures:
    - Inspected the Vulnerability Management Standards to determine whether a process for patching production servers was defined.
    - Inspected patch tickets for a selection of months to determine whether patches were deployed on a periodic basis for Windows systems.
    - Inspected patch tickets for a selection of quarters to determine whether patches were deployed on a periodic basis for Linux systems.
  KPMG's Test Results: No exceptions noted.

VM-7
  Control Activity: Enterprise anti-malware software is installed and maintained on corporate endpoint devices.
  KPMG's Test Procedures:
    - Inspected the Operations Security Policy to determine whether requirements for installing anti-malware software on corporate endpoint devices were defined.
    - Inspected the Mobile Device Management solution to determine whether it was configured to assign the Carbon Black agent on all endpoints as well as reinstall / configure the agent periodically, as needed.
    - Inspected the Carbon Black console to determine whether it was configured to protect against unauthorized software installation through whitelisting and blocking of malware and known threats.
  KPMG's Test Results: No exceptions noted.


CC 7.0 Common Criteria Related to System Operations

CRITERIA CC7.1
To meet its objectives, the entity uses detection and monitoring procedures to identify (1) changes to configurations that result in the introduction of new vulnerabilities, and (2) susceptibilities to newly discovered vulnerabilities.

SDM-11
  Control Activity: Server hardening procedures are defined for the installation and maintenance of production servers.
  KPMG's Test Procedures: Inspected baseline requirements to determine whether server hardening procedures were defined for the installation and maintenance of production servers.
  KPMG's Test Results: No exceptions noted.

SDM-15
  Control Activity: Configuration management is utilized to help ensure production systems adhere to defined server hardening procedures.
  KPMG's Test Procedures:
    - Inspected the configuration of production code to determine whether configuration management is utilized to help ensure production systems adhered to defined server hardening procedures.
    - Inspected the image builds for a selection of servers to determine if production systems adhered to defined server hardening procedures.
  KPMG's Test Results: No exceptions noted.

VM-1
  Control Activity: External and internal vulnerability scans are performed on at least a monthly basis.
  KPMG's Test Procedures:
    - Inspected the Vulnerability Management Standards to determine whether a process for external and internal vulnerability scanning and remediation was defined.
    - Inspected vulnerability scan configurations to determine whether vulnerability scans were performed on at least a monthly basis.
    - Inspected external and internal vulnerability scan results for a selection of months to determine whether external and internal scans were performed on at least a monthly basis.
  KPMG's Test Results: No exceptions noted.


VM-10
  Control Activity: Vulnerabilities identified in vulnerability scans are documented and tracked to remediation.
  KPMG's Test Procedures:
    - Inspected the Vulnerability Management Standards and escalation procedure documents to determine whether a process for vulnerability remediation and escalation was defined.
    - Inspected the vulnerability management tracking dashboard to determine whether vulnerabilities identified were being tracked to resolution.
    - Inspected remediation activities for a selection of vulnerabilities identified to determine whether vulnerabilities were documented and tracked to remediation.
  KPMG's Test Results: No exceptions noted.

VM-2
  Control Activity: Penetration tests are performed on at least an annual basis. Vulnerabilities identified are documented and tracked for remediation.
  KPMG's Test Procedures:
    - Inspected the Vulnerability Management Standards to determine whether a process for penetration testing and remediation was defined.
    - Inspected penetration tests for production systems to determine whether penetration tests were performed on an annual basis.
    - Inspected tickets created for a selection of findings identified to determine whether findings were documented and tracked for remediation.
  KPMG's Test Results: No exceptions noted.

VM-7
  Control Activity: Enterprise anti-malware software is installed and maintained on corporate endpoint devices.
  KPMG's Test Procedures:
    - Inspected the Operations Security Policy to determine whether requirements for installing anti-malware software on corporate endpoint devices were defined.
    - Inspected the Mobile Device Management solution to determine whether it was configured to assign the Carbon Black agent on all endpoints as well as reinstall / configure the agent periodically, as needed.
    - Inspected the Carbon Black console to determine whether it was configured to protect against unauthorized software installation through whitelisting and blocking of malware and known threats.
  KPMG's Test Results: No exceptions noted.


CRITERIA CC7.2
The entity monitors system components and the operation of those components for anomalies that are indicative of malicious acts, natural disasters, and errors affecting the entity's ability to meet its objectives; anomalies are analyzed to determine whether they represent security events.

IM-1
  Control Activity: Incident response policies and procedures are defined, reviewed and approved by management at least annually, and communicated to internal personnel. The policies and procedures include management responsibilities as well as procedures for monitoring, detecting, analyzing, reporting, and responding to information security events.
  KPMG's Test Procedures:
    - Inspected the Security Incident Management Policy and the Incident Response Plan to determine whether procedures for monitoring, detecting, analyzing, reporting, and responding to security events were defined and approved at least annually.
    - Inspected the VMware internal site to determine whether the Security Incident Management Policy was communicated to internal personnel.
  KPMG's Test Results: No exceptions noted.

SA-5
  Control Activity: Availability alerts are configured to notify appropriate personnel. Alerts are triaged to resolution.
  KPMG's Test Procedures:
    - Inspected availability alerting configurations to determine whether availability alerts were configured to notify appropriate personnel.
    - Inspected tickets created for a selection of availability alerts to determine whether alerts were triaged to resolution.
  KPMG's Test Results: No exceptions noted.


SM-1
  Control Activity: Logging, including logging of administrator activities, is configured on production systems. Logs are forwarded to a centralized monitoring tool.
  KPMG's Test Procedures:
    - Inspected the Security Logging Standards to determine whether requirements for logging and log forwarding were defined.
    - Inspected logging configurations for a selection of production systems to determine whether logs, including logs of administrator activities, were configured to be forwarded to a centralized monitoring tool.
    - Inspected CloudGate baseline scripts to determine whether CloudTrail and GuardDuty logging were configured for CloudGate-managed environments and forwarded to the central monitoring tool.
    - Inspected periodic releases to the terraform repository to determine whether the CloudGate-managed accounts were reconfigured periodically to align with the baseline scripts.
    - Inspected Linux baseline scripts to determine whether logging was configured and forwarded to the central monitoring tool.
    - Inspected the corporate firewall management console to determine whether logging was configured and forwarded to the central monitoring tool.
  KPMG's Test Results: No exceptions noted.

SM-2
  Control Activity: Alerts are configured to notify appropriate personnel of anomalous activity for further investigation. Alerts are triaged to resolution.
  KPMG's Test Procedures:
    - Inspected the Security Logging Standards to determine whether a process for reviewing centralized logs and configuring security alerts was defined.
    - Observed the central security monitoring solution to determine whether alerts generated were triaged and tracked to resolution.
    - Inspected a selection of alert configurations to determine whether appropriate personnel were notified of anomalous activity for further investigation.
  KPMG's Test Results: No exceptions noted.


SM-7
  Control Activity: Software is installed on user endpoints to protect against unauthorized software installation.
  KPMG's Test Procedures:
    - Inspected the Production Control Policy to determine whether guidelines to protect against unauthorized software installation were defined.
    - Inspected the Mobile Device Management solution to determine whether it was configured to assign the Carbon Black agent on all endpoints as well as reinstall / configure the agent periodically, as needed.
    - Inspected the Carbon Black console to determine whether it was configured to protect against unauthorized software installation through whitelisting and blocking of malware and known threats.
  KPMG's Test Results: No exceptions noted.

VM-1
  Control Activity: External and internal vulnerability scans are performed on at least a monthly basis.
  KPMG's Test Procedures:
    - Inspected the Vulnerability Management Standards to determine whether a process for external and internal vulnerability scanning and remediation was defined.
    - Inspected vulnerability scan configurations to determine whether vulnerability scans were performed on at least a monthly basis.
    - Inspected external and internal vulnerability scan results for a selection of months to determine whether external and internal scans were performed on at least a monthly basis.
  KPMG's Test Results: No exceptions noted.

VM-2
  Control Activity: Penetration tests are performed on at least an annual basis. Vulnerabilities identified are documented and tracked for remediation.
  KPMG's Test Procedures:
    - Inspected the Vulnerability Management Standards to determine whether a process for penetration testing and remediation was defined.
    - Inspected penetration tests for in-scope services to determine whether penetration tests were performed on an annual basis.
    - Inspected tickets created for a selection of findings identified to determine whether findings were documented and tracked for remediation.
  KPMG's Test Results: No exceptions noted.


CRITERIA CC7.3
The entity evaluates security events to determine whether they could or have resulted in a failure of the entity to meet its objectives (security incidents) and, if so, takes actions to prevent or address such failures.

IM-1
  Control Activity: Incident response policies and procedures are defined, reviewed and approved by management at least annually, and communicated to internal personnel. The policies and procedures include management responsibilities as well as procedures for monitoring, detecting, analyzing, reporting, and responding to information security events.
  KPMG's Test Procedures:
    - Inspected the Security Incident Management Policy and the Incident Response Plan to determine whether procedures for monitoring, detecting, analyzing, reporting, and responding to security events were defined and approved at least annually.
    - Inspected the VMware internal site to determine whether the Security Incident Management Policy was communicated to internal personnel.
  KPMG's Test Results: No exceptions noted.

IM-4
  Control Activity: Information security incidents are responded to and tracked until closure in accordance with defined incident response procedures.
  KPMG's Test Procedures:
    - Inspected the Security Incident Management Policy and the Incident Response Plan to determine whether requirements for responding to and tracking security incidents were defined.
    - Observed the security event dashboards and aging to determine whether security events identified were triaged.
    - Observed the security incident dashboards and aging to determine whether security incidents identified were tracked to resolution.
  KPMG's Test Results: No exceptions noted.


SM-2
  Control Activity: Alerts are configured to notify appropriate personnel of anomalous activity for further investigation. Alerts are triaged to resolution.
  KPMG's Test Procedures:
    - Inspected the Security Logging Standards to determine whether a process for reviewing centralized logs and configuring security alerts was defined.
    - Observed the central security monitoring solution to determine whether alerts generated were triaged and tracked to resolution.
    - Inspected a selection of alert configurations to determine whether appropriate personnel were notified of anomalous activity for further investigation.
  KPMG's Test Results: No exceptions noted.

VM-10
  Control Activity: Vulnerabilities identified in vulnerability scans are documented and tracked to remediation.
  KPMG's Test Procedures:
    - Inspected the Vulnerability Management Standards and escalation procedure documents to determine whether a process for vulnerability remediation and escalation was defined.
    - Inspected the vulnerability management tracking dashboard to determine whether vulnerabilities identified were being tracked to resolution.
    - Inspected remediation activities for a selection of vulnerabilities identified to determine whether vulnerabilities were documented and tracked to remediation.
  KPMG's Test Results: No exceptions noted.

VM-2
  Control Activity: Penetration tests are performed on at least an annual basis. Vulnerabilities identified are documented and tracked for remediation.
  KPMG's Test Procedures:
    - Inspected the Vulnerability Management Standards to determine whether a process for penetration testing and remediation was defined.
    - Inspected penetration tests for in-scope services to determine whether penetration tests were performed on an annual basis.
    - Inspected tickets created for a selection of findings identified to determine whether findings were documented and tracked for remediation.
  KPMG's Test Results: No exceptions noted.


CRITERIA CC7.4
The entity responds to identified security incidents by executing a defined incident response program to understand, contain, remediate, and communicate security incidents, as appropriate.

IM-1
  Control Activity: Incident response policies and procedures are defined, reviewed and approved by management at least annually, and communicated to internal personnel. The policies and procedures include management responsibilities as well as procedures for monitoring, detecting, analyzing, reporting, and responding to information security events.
  KPMG's Test Procedures:
    - Inspected the Security Incident Management Policy and the Incident Response Plan to determine whether procedures for monitoring, detecting, analyzing, reporting, and responding to security events were defined and approved at least annually.
    - Inspected the VMware internal site to determine whether the Security Incident Management Policy was communicated to internal personnel.
  KPMG's Test Results: No exceptions noted.

IM-4
  Control Activity: Information security incidents are responded to and tracked until closure in accordance with defined incident response procedures.
  KPMG's Test Procedures:
    - Inspected the Security Incident Management Policy and the Incident Response Plan to determine whether requirements for responding to and tracking security incidents were defined.
    - Observed the security event dashboards and aging to determine whether security events identified were triaged.
    - Observed the security incident dashboards and aging to determine whether security incidents identified were tracked to resolution.
  KPMG's Test Results: No exceptions noted.

OIS-4
  Control Activity: The status of services, scheduled maintenance, and incidents are communicated to customers via the public website.
  KPMG's Test Procedures: Inspected the VMware public website to determine whether the status of services, scheduled maintenance, and incidents were communicated to customers.
  KPMG's Test Results: No exceptions noted.


Criteria: CC7.5
Criteria Description: The entity identifies, develops, and implements activities to recover from identified security incidents.

Control: IM-1
Control Activity: Incident response policies and procedures are defined, reviewed and approved by management at least annually, and communicated to internal personnel. The policies and procedures include management responsibilities as well as procedures for monitoring, detecting, analyzing, reporting, and responding to information security events.
KPMG's Test Procedures:
- Inspected the Security Incident Management Policy and the Incident Response Plan to determine whether procedures for monitoring, detecting, analyzing, reporting, and responding to security events were defined and approved at least annually.
- Inspected the VMware internal site to determine whether the Security Incident Management Policy was communicated to internal personnel.
KPMG's Test Results: No exceptions noted.

Control: IM-4
Control Activity: Information security incidents are responded to and tracked until closure in accordance with defined incident response procedures.
KPMG's Test Procedures:
- Inspected the Security Incident Management Policy and the Incident Response Plan to determine whether requirements for responding to and tracking security incidents were defined.
- Observed the security event dashboards and aging to determine whether security events identified were triaged.
- Observed the security incident dashboards and aging to determine whether security incidents identified were tracked to resolution.
KPMG's Test Results: No exceptions noted.

Control: IM-5
Control Activity: Lessons learned summaries are documented to reduce the likelihood and impact of future security incidents.
KPMG's Test Procedures:
- Inspected the Security Incident Management Policy to determine whether requirements for performing lessons learned exercises were defined.
- Inspected the lessons learned summary document to determine whether lessons learned from security incidents were documented and tracked.
KPMG's Test Results: No exceptions noted.



Control: OIS-4
Control Activity: The status of services, scheduled maintenance, and incidents are communicated to customers via the public website.
KPMG's Test Procedures:
- Inspected the VMware public website to determine whether the status of services, scheduled maintenance, and incidents were communicated to customers.
KPMG's Test Results: No exceptions noted.



CC 8.0 Common Criteria Related to Change Management

Criteria: CC8.1
Criteria Description: The entity authorizes, designs, develops or acquires, configures, documents, tests, approves, and implements changes to infrastructure, data, software, and procedures to meet its objectives.

Control: AC-13
Control Activity: Access to program source code is limited to appropriate personnel.
KPMG's Test Procedures:
- Inspected the Source Code Management Standards to determine whether guidelines for limiting access to program source code were defined.
- Inspected employment status and job title for a selection of users with access to source code to determine whether access was restricted to appropriate individuals.
KPMG's Test Results: No exceptions noted.

Control: SDM-1
Control Activity: Requirements for the development of software and systems are established in the Change Management Policy and the System Acquisition, Development & Maintenance Policy.
KPMG's Test Procedures:
- Inspected the Change Management Policy and the System Acquisition, Development & Maintenance Policy to determine whether requirements for the secure development of software and systems were established.
KPMG's Test Results: No exceptions noted.

Control: SDM-10
Control Activity: Developers cannot deploy their own changes to the production environment.
KPMG's Test Procedures:
- Inspected the Change Management Policy to determine whether requirements for segregation of duties were defined.
- Inspected approval configurations for in-scope repositories to determine whether approvals were enforced prior to deployment into production.
- Inspected a selection of application changes to determine whether segregation of duties was in place for development, approval, and deployment tasks.
KPMG's Test Results: No exceptions noted.

Control: SDM-11
Control Activity: Server hardening procedures are defined for the installation and maintenance of production servers.
KPMG's Test Procedures:
- Inspected baseline requirements to determine whether server hardening procedures were defined for the installation and maintenance of production servers.
KPMG's Test Results: No exceptions noted.



Control: SDM-2
Control Activity: Formal change control procedures are defined.
KPMG's Test Procedures:
- Inspected change management procedures to determine whether formal change control procedures, including requirements for change approvals and change testing, were defined.
KPMG's Test Results: No exceptions noted.

Control: SDM-3
Control Activity: Infrastructure changes are documented, approved, and tested, where applicable, prior to implementation into production.
KPMG's Test Procedures:
- Inspected the Change Management Policy to determine whether requirements for approvals were defined.
- Inspected a selection of infrastructure changes to determine whether changes were documented, approved, and tested, where applicable, prior to implementation into production.
KPMG's Test Results: No exceptions noted.

Control: SDM-4
Control Activity: Production code is managed using a version control repository system with rollback capabilities.
KPMG's Test Procedures:
- Inspected code hosting platforms used for managing source code to determine whether rollback capabilities were in place to revert to previous versions of code.
KPMG's Test Results: No exceptions noted.

Control: SDM-5
Control Activity: Application changes are approved prior to deployment into production.
KPMG's Test Procedures:
- Inspected the Change Management Policy to determine whether requirements for approvals were defined.
- Inspected approval configurations for in-scope repositories to determine whether approvals were enforced prior to deployment into production.
- Inspected a selection of application changes to determine whether changes were approved prior to deployment into production.
KPMG's Test Results: No exceptions noted.

Control: SDM-6
Control Activity: Application changes are tested, including testing of security functionality, prior to deployment into production.
KPMG's Test Procedures:
- Inspected the Change Management Policy to determine whether requirements for change testing were defined.
- Inspected tests completed for a selection of application changes to determine whether changes were tested, including testing of security functionality, prior to deployment into production.
KPMG's Test Results: No exceptions noted.



Control: SDM-7
Control Activity: Non-production data is used in development environments for testing purposes.
KPMG's Test Procedures:
- Inspected the Production Control Policy to determine whether guidelines for using test data were defined.
- Observed the process for creation of test data to determine whether non-production data was used in the development environments.
KPMG's Test Results: No exceptions noted.

Control: SDM-9
Control Activity: Development, testing, and production environments are segregated.
KPMG's Test Procedures:
- Inspected the Production Control Policy to determine whether guidelines for separating development, testing, and operational environments were defined.
- Inspected the development, testing, and production environments to determine whether environments were separated.
KPMG's Test Results: No exceptions noted.



CC 9.0 Common Criteria Related to Risk Mitigation

Criteria: CC9.1
Criteria Description: The entity identifies, selects, and develops risk mitigation activities for risks arising from potential business disruptions.

Control: BCM-1
Control Activity: Business Impact Assessments ("BIAs") are performed annually for operational lines of business to identify critical functions and requirements for business continuity.
KPMG's Test Procedures:
- Inspected the Business Continuity Policy to determine whether guidelines for performing Business Impact Assessments were defined.
- Inspected the Business Impact Assessments ("BIAs") to determine whether assessments for business units were performed annually to identify critical functions and requirements for business continuity.
KPMG's Test Results: No exceptions noted.

Control: BCM-2
Control Activity: Business Continuity Plans for operational lines of business are defined, reviewed, and tested on at least an annual basis.
KPMG's Test Procedures:
- Inspected the Business Continuity Policy to determine whether guidelines for defining, reviewing, and testing Business Continuity Plans were defined.
- Inspected the Business Continuity Plans for business units to determine whether the plans were defined and reviewed on at least an annual basis.
- Inspected the policy exception filed related to VMware’s Business Continuity Program to determine whether it was reasonable, contained a remediation and action plan to address any delayed reviews and testing, and was approved by management.
KPMG's Test Results: No exceptions noted.



Control: IM-1
Control Activity: Incident response policies and procedures are defined, reviewed and approved by management at least annually, and communicated to internal personnel. The policies and procedures include management responsibilities as well as procedures for monitoring, detecting, analyzing, reporting, and responding to information security events.
KPMG's Test Procedures:
- Inspected the Security Incident Management Policy and the Incident Response Plan to determine whether procedures for monitoring, detecting, analyzing, reporting, and responding to security events were defined and approved at least annually.
- Inspected the VMware internal site to determine whether the Security Incident Management Policy was communicated to internal personnel.
KPMG's Test Results: No exceptions noted.

Control: RM-2
Control Activity: Product risk assessments are performed on an annual basis. Risk mitigation strategies are defined and tracked to completion.
KPMG's Test Procedures:
- Inspected the product risk assessment schedule to determine whether product risk assessments were tracked.
- Inspected the risks identified in the product risk assessments for a selection of services to determine whether risk mitigation strategies were defined and tracked to completion.
KPMG's Test Results: No exceptions noted.

Control: RM-3
Control Activity: A risk assessment process, including the consideration of fraud risk, is in place to regularly assess the risk and mitigation plans. Periodic reporting to risk owners and executives takes place to review the risks and mitigation strategies.
KPMG's Test Procedures:
- Inspected the risk management manual to determine whether the risk assessment process was defined to assess risk and mitigation plans.
- Inspected the most recent risk assessment to determine whether a risk assessment was performed and reported to relevant risk owners and executives.
- Inspected the centralized risk register to determine whether a centralized risk register was maintained to track overall risks to the organization.
KPMG's Test Results: No exceptions noted.



Criteria: CC9.2
Criteria Description: The entity assesses and manages risks associated with vendors and business partners.

Control: SR-1
Control Activity: Information security, availability, and confidentiality requirements as required are established and agreed with each service provider that may access, process, store, communicate, or provide IT infrastructure components for the organization’s information.
KPMG's Test Procedures:
- Inspected the Third-Party Risk Management Policy and procedure documents to determine whether guidelines for establishing service provider agreements were defined.
- Inspected the baseline supplier agreements to determine whether information security, availability, and confidentiality requirements are established and agreed with each service provider that may access, process, store, communicate, or provide IT infrastructure components for the organization’s information.
- Inspected agreements for a selection of service providers to determine whether security, availability, and confidentiality requirements were established with each provider as required.
KPMG's Test Results: No exceptions noted.

Control: SR-2
Control Activity: A Third-Party Risk Management Policy is documented and available to guide personnel to monitor and review third-party service providers. The document is reviewed at least annually.
KPMG's Test Procedures:
- Inspected the Third-Party Risk Management Policy to determine whether guidance for monitoring and reviewing third-party service providers was defined and whether the document was reviewed at least annually.
- Inspected the Third-Party Risk Management Policy published on the internal network to determine whether it was available to internal personnel.
KPMG's Test Results: No exceptions noted.



Control: SR-4
Control Activity: Service providers are subject to a risk-based security assessment. Significant issues identified are tracked to resolution and the results are communicated to relevant business owners.
KPMG's Test Procedures:
- Inspected the Third-Party Risk Management Policy to determine whether guidelines for performing service provider risk assessments were defined.
- Inspected the third-party risk assessment tracking document to determine whether service provider onboarding and periodic assessments were tracked.
- Inspected an example Third-Party Risk Assessment weekly update deck to determine whether assessments’ statuses were communicated.
- Inspected an example third-party risk assessment to determine whether a security questionnaire was completed, and issues identified were documented.
- Inspected risk assessment documentation and tracking for a selection of service providers to determine whether the third-party risk management team were tracking and performing assessments based on criticality.
KPMG's Test Results: No exceptions noted.

Control: SR-5
Control Activity: Management reviews third-party examination reports for subservice organizations to assess subservice organization's achievement of controls relevant to the entity's commitments.
KPMG's Test Procedures:
- Inspected the Third Party Risk Management Policy to determine whether guidelines for reviewing subservice organization examination reports were defined.
- Inspected third-party examination report reviews for in-scope subservice organizations to determine whether subservice organization achievement of controls relevant to the entity's commitments was assessed.
KPMG's Test Results: No exceptions noted.



A 1.0 Additional Criteria for Availability

Criteria: A1.1
Criteria Description: The entity maintains, monitors, and evaluates current processing capacity and use of system components (infrastructure, data, and software) to manage capacity demand and to enable the implementation of additional capacity to help meet its objectives.

Control: BCM-1
Control Activity: Business Impact Assessments ("BIAs") are performed annually for operational lines of business to identify critical functions and requirements for business continuity.
KPMG's Test Procedures:
- Inspected the Business Continuity Policy to determine whether guidelines for performing Business Impact Assessments were defined.
- Inspected the Business Impact Assessments ("BIAs") to determine whether assessments for business units were performed annually to identify critical functions and requirements for business continuity.
KPMG's Test Results: No exceptions noted.

Control: SA-4
Control Activity: Production systems are configured to support continuous availability.
KPMG's Test Procedures:
- Inspected the Business Continuity Policy to determine whether requirements for configuring information processing facilities to support continuous availability were defined.
- Inspected high availability configurations for a selection of databases to determine whether information processing facilities were configured to support continuous availability.
- Inspected high availability configurations for a selection of servers to determine whether information processing facilities were configured to support continuous availability.
KPMG's Test Results: No exceptions noted.

Control: SA-5
Control Activity: Availability alerts are configured to notify appropriate personnel. Alerts are triaged to resolution.
KPMG's Test Procedures:
- Inspected availability alerting configurations to determine whether availability alerts were configured to notify appropriate personnel.
- Inspected tickets created for a selection of availability alerts to determine whether alerts were triaged to resolution.
KPMG's Test Results: No exceptions noted.



Criteria: A1.2
Criteria Description: The entity authorizes, designs, develops or acquires, implements, operates, approves, maintains, and monitors environmental protections, software, data back-up processes, and recovery infrastructure to meet its objectives.

Control: BCM-2
Control Activity: Business Continuity Plans for operational lines of business are defined, reviewed, and tested on at least an annual basis.
KPMG's Test Procedures:
- Inspected the Business Continuity Policy to determine whether guidelines for defining, reviewing, and testing Business Continuity Plans were defined.
- Inspected the Business Continuity Plans for business units to determine whether the plans were defined and reviewed on at least an annual basis.
- Inspected the policy exception filed related to VMware’s Business Continuity Program to determine whether it was reasonable, contained a remediation and action plan to address any delayed reviews and testing, and was approved by management.
KPMG's Test Results: No exceptions noted.

Control: BCM-3
Control Activity: Disaster Recovery Plans are defined, reviewed, and tested on at least an annual basis.
KPMG's Test Procedures:
- Inspected the Disaster Recovery Plans to determine whether the plans were defined and reviewed on at least an annual basis.
- Inspected test documentation to determine whether Disaster Recovery Plans were tested on at least an annual basis.
KPMG's Test Results: No exceptions noted.

Control: PES-6
Control Activity: Environmental controls, including HVAC controls, fire detection and suppression systems, and protection from power failures, are in place to protect information systems in data centers.
KPMG's Test Procedures:
- Inspected the Physical Security Policy to determine whether environmental control procedures for data center facilities were defined.
- Observed HVAC controls, fire detection and suppression systems, and protection from power failures to determine whether environmental controls were in place to protect information systems in data centers.
KPMG's Test Results: No exceptions noted.



Control: PES-7
Control Activity: Equipment maintenance is performed and documented to help ensure the continued availability and integrity of equipment.
KPMG's Test Procedures:
- Inspected the equipment maintenance logs to determine whether maintenance was performed and documented.
KPMG's Test Results: No exceptions noted.

Control: SA-1
Control Activity: Backups of information, software, and system images are performed regularly and retained in accordance with a defined backup policy.
KPMG's Test Procedures:
- Inspected the Backup Policy and Data Backup Schedule to determine whether backup procedures were defined.
- Inspected backup configurations for a selection of databases to determine whether backups were performed and retained in accordance with backup procedures.
KPMG's Test Results: No exceptions noted.

Control: SA-2
Control Activity: Scheduled backups are monitored, and failures are addressed to help ensure completeness of backups according to the backup policy.
KPMG's Test Procedures:
- Inspected the Backup Policy to determine whether a process for addressing backup failures was defined.
- Inspected alerting configurations in place for databases to determine whether appropriate personnel were alerted of backup failures.
- Inspected tickets generated for a selection of backup failures to determine whether failures were addressed according to the backup policy.
KPMG's Test Results: No exceptions noted.

Control: SA-3
Control Activity: Backup restoration tests are performed on at least an annual basis to verify the completeness and integrity of backups.
KPMG's Test Procedures:
- Inspected the Backup Policy to determine whether requirements for backup restoration tests were defined.
- Inspected the results of the most recent backup restoration test to determine whether restoration procedures were tested on at least an annual basis.
KPMG's Test Results: No exceptions noted.



Control: SA-4
Control Activity: Production systems are configured to support continuous availability.
KPMG's Test Procedures:
- Inspected the Business Continuity Policy to determine whether requirements for configuring information processing facilities to support continuous availability were defined.
- Inspected high availability configurations for a selection of databases to determine whether information processing facilities were configured to support continuous availability.
- Inspected high availability configurations for a selection of servers to determine whether information processing facilities were configured to support continuous availability.
KPMG's Test Results: No exceptions noted.



Criteria: A1.3
Criteria Description: The entity tests recovery plan procedures supporting system recovery to meet its objectives.

Control: BCM-1
Control Activity: Business Impact Assessments ("BIAs") are performed annually for operational lines of business to identify critical functions and requirements for business continuity.
KPMG's Test Procedures:
- Inspected the Business Continuity Policy to determine whether guidelines for performing Business Impact Assessments were defined.
- Inspected the Business Impact Assessments ("BIAs") to determine whether assessments for business units were performed annually to identify critical functions and requirements for business continuity.
KPMG's Test Results: No exceptions noted.

Control: BCM-2
Control Activity: Business Continuity Plans for operational lines of business are defined, reviewed, and tested on at least an annual basis.
KPMG's Test Procedures:
- Inspected the Business Continuity Policy to determine whether guidelines for defining, reviewing, and testing Business Continuity Plans were defined.
- Inspected the Business Continuity Plans for business units to determine whether the plans were defined and reviewed on at least an annual basis.
- Inspected the policy exception filed related to VMware’s Business Continuity Program to determine whether it was reasonable, contained a remediation and action plan to address any delayed reviews and testing, and was approved by management.
KPMG's Test Results: No exceptions noted.

Control: BCM-3
Control Activity: Disaster Recovery Plans are defined, reviewed, and tested on at least an annual basis.
KPMG's Test Procedures:
- Inspected the Disaster Recovery Plans to determine whether the plans were defined and reviewed on at least an annual basis.
- Inspected test documentation to determine whether Disaster Recovery Plans were tested on at least an annual basis.
KPMG's Test Results: No exceptions noted.



Control: SA-3
Control Activity: Backup restoration tests are performed on at least an annual basis to verify the completeness and integrity of backups.
KPMG's Test Procedures:
- Inspected the Backup Policy to determine whether requirements for backup restoration tests were defined.
- Inspected the results of the most recent backup restoration test to determine whether restoration procedures were tested on at least an annual basis.
KPMG's Test Results: No exceptions noted.
