Virtualization Compliance Assessment (ESX Server and PCI/DSS 1.1)

As a resource allocation mechanism, Virtualization tools handle all network data passing through guests to the outside world, memory and storage resource access the guest uses to service their application. This gateway function results in the Virtualization host being in scope of PCI/DSS compliance requirements within the definition of "transmitting" card holder data if one of the host’s guests is in scope of the standard. In this presentation each on the categories and requirements of the PCI/DSS standard 1.1 will be compared to settings within the Virtualization configuration of a VMware ESX Server 3.x machine.

Areas Covered in the seminar:

• The 12 domains of the PCI/DSS 1.1 standard will be mapped to the ESX Server configuration, where applicable. (Certain administrative and procedural areas, such as physical security are handled out side of the ESX Server 3.x configuration footprint.)
• Configuration settings to help bring the default ESX Server more compliant with the PCI standard will be shared.
• A checklist can be provided off-line detailing the over 100 sub-steps of the standard to ESX Server 3.X.
• Assessment techniques, command line, management server views, and on-host assessment tools will be discussed to enable gathering evidence of host compliance.

Who will benefit:

• Security professionals who wish to have a closer look at the security settings possible on a virtualization host for consideration when crafting detailed policies.
• Assessment, Examination, and Audit professionals who wish to have some hands-on guidance on how to collect compliance verification data from an ESX Server.
• System administrators who wish to perform a self-assessment of their ESX Servers to gauge compliance and plan any remediation efforts.

Instructor Profile:

Michael Hoesing, has over 30 years of experience in the areas of information systems audit and assurance, information systems implementation, and financial audit. His experiences span a variety of industries during his years with public accounting firms and his last 18 years has focused on the financial services with firms such as First Data Corp, First National Nebraska Inc., Pricewaterhouse Coopers, and American Express. Mike has been involved in both the external and internal audit processes and also has served as a software trainer. Mike has been a conference speaker on virtualization security, operating system assessments, eDiscovery, and PCI/DSS compliance at the Computer Security Conference, VMworld, ISACA’s CACS, IIA Midwest Regional, and the CERTconference and InfoTec conferences.

University involvement includes membership on the Creighton University and University of Nebraska at Omaha College of Business advisory boards, and facilitating sessions in Creighton

Follow us :