Recommended procedures and controls that minimize risk of virtualizing business critical systems
The use of virtualization technology provides a powerful evolution of computing resources. However, many IT organizations have concerns about moving virtualization into the production environment. Those who have not yet virtualized business critical systems in production ask, “What should we do to get comfortable moving virtualization into production?” Those who have overcome initial concerns and are aggressively pursuing server consolidation objectives ask, “What changes to operating procedures and controls should I expect as we leverage our investments and pursue higher maturity objectives?”
We studied the procedures and controls that 323 IT organizations have implemented to optimize benefit and minimize risk of virtualized resources. Analysis revealed different levels of virtualization maturity related to different objectives, and different practices that impact risk and performance.
- The use of virtualization in production does change the operating procedures and controls required to manage operational risk effectively.
- Baseline maturity practices identified in this study should be considered by those looking to move virtualization into production, or to virtualize business critical systems.
- The lists of recommended High Maturity Practices and Dynamic Computing Practices should be reviewed before expanding the scope of production virtualization objectives beyond consolidation.
- IT Audit can use these lists to evaluate the impact of production virtualization on the audit checklist, as part of a governance, risk and compliance review process.
- Baseline Maturity Practices (11) – for those organizations virtualizing business critical systems in the production environment. Focus on host access and configuration controls, provisioning, and performance and capacity management.
- High Maturity Practices (25) – for those organizations expanding beyond server consolidation objectives. Incremental controls in multiple functional areas.
- Dynamic Computing Practices (12) – for those organizations pursuing dynamic resource management objectives. Incremental controls primarily in the areas of configuration discovery and tracking, change management, and capacity management.