J6

Cyber criminals can exploit configuration errors or technical vulnerabilities in applications, firewalls, or networks to access our information.

An organization must use defense-in-depth technologies to protect against, detect, and respond to cyber-attacks. The techniques should be suitable for controlling physical, logical and administrative controls.

In environments that include virtual and physical layers, inconsistency of network policies can cause e.g. system outages or defective access control.

The organisation must ensure that the configuration of virtual networks is aligned with the policies for configuring physical networks. Network configuration should match the policy no matter what means are used to create the configuration.

The organization must use secure and encrypted connections to move servers, services, applications, or data to the cloud. Only the latest versions and approved protocols may be used for connections.

An organization needs to draw the high-risk network environments. The drawing should show:

• Network components (physical and logical)
• Hypervisors, servers, networks and other relevant elements
• Data flow between different components
• Different domains and related policies
• Interfaces between different network environments

The organization must have clear policies for developing virtualization security. The policy should be reviewed and updated at least annually.

The virtualization policy should consider at least:

• Virtual Machine Lifecycle Management
• Limiting the storage of virtual machine icons and snapshots
< li>Backup and fault tolerance
• Labeling virtual machines by risk level
• Change management process for creating, storing, and using virtual machine icons
• Using firewalls to separate virtual machine groups