Title

No policy exists to assign virtual machines to personnel. (Cat III impact)

Discussion

In traditional computing environments, servers were usually assigned to various personnel for administration. For instance, the data server is administered by the database administrator; the domain controller is maintained by the network administrator, etc. Other methods include assigning the MAC address to specific personnel or identifying machines by Ethernet location or port number. All these approaches are impractical in the virtual machine environment. In the virtual environment, virtual machines may be moved or have MAC addresses that may change. These scenarios make it difficult to establish who owns the virtual machine running on a particular host. Therefore, a policy will need to be implemented to identify and assign virtual machines to the appropriate personnel.

Check Content

Request a copy of the policy that is used to assign virtual machines to personnel. If no policy or procedure exists, this is a finding.

Fix Text

Develop a policy for assigning virtual machines to the appropriate personnel.

Additional Identifiers

Rule ID: SV-16832r1_rule

Vulnerability ID: V-15891

Group Title: No policy exists to assign virtual machines

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.