Nothing is more dreaded in the IT world than audits and taxes. We can't do much to help on the taxes front, but there is no need to fear an IT audit, even in a virtual desktop
There are many types of audits that can happen in your organization, whether it's an internal or external one, or for security or other investigative reasons. But there is one rule of thumb that follows all of these situations: When it comes to conducting an IT audit within your VDI environment, the best defense is a strong offense.
Ensure that a comprehensive process exists to gather, store and protect any relevant VDI log files or other operational data that might be included in an internal or external audit. There may also be business-related data in your VDI environment that must be stored and protected to support an outside compliance audit. Most experts recommend -- and various governmental guidelines require -- that you retain all pertinent data and records for at least seven years, in case audits ever become necessary.
Who's auditing whom?
The first consideration when an audit of your VDI environment is scheduled is to figure out who is doing the audit and what its goals should be. Most large companies have internal auditors who are responsible for ensuring that all internal policies and procedures are being followed.
Considering that IT is a world with its own cryptic lexicon and processes, your company may have auditors who are specially trained in auditing IT systems and operations. Your VDI environment may also be the subject of an external audit, whether from an independent accounting firm your company hires or, in very rare cases, by a governmental, regulatory or law enforcement organization. Knowing who's asking the questions and why is important. Thorough preparation for an audit will protect IT and the company as a whole.
Types of IT audits
SOX compliance audits. Passed by Congress in 2002, the Sarbanes-Oxley Act (SOX) says that the CEOs and CFOs of publicly traded companies with $75 million or more of annual revenues are personally responsible for the accuracy of all quarterly and annual financial reports released to the public or filed with the government.
So, IT is responsible for making sure the proper records are archived so they're prepared for a SOX compliance audit, should that come along. SOX transformed the importance of retaining audit information from a nice-to-have afterthought to a legal requirement. SOX specifies that all company "records" be retained for at least seven years. It defines a record as almost any document or data that contains information about the financial health of the company, including the spreadsheets and accounting systems that are used to generate financial reports, any internal emails related to financial performance, and the financial reports themselves.
More IT audit resources
Guide to network security auditing
Understanding database auditing and its tools
The difference between audits and assessments
Server log file audits. If your VDI runs on Hyper-V servers, you need to consider which Windows Server Event Logs you need to archive for auditing purposes. On Linux or Unix servers, you must evaluate the standard server log files to retain relevant data and comply with future audit requests. Plus, closely consider which virtual machines (VMs) and users' desktop data you need to archive. For instance, if your CEO and CFO use virtual desktops in their day-to-day jobs and your company is required to adhere to SOX, make sure to regularly archive their desktops and all associated data in case of an external audit or lawsuit.
There are software tools that can help your company maintain compliance with governmental regulations, as well as log consolidation tools that can gather logs from disparate sources and archive them onto long-term storage.
Security audits. Aside from internal or external SOX compliance audits, security audits are the most critical to prepare for. Recent high-profile security breaches, such as credit card numbers stolen from a number of national retailers and the disclosure of classified data at the NSA, underscore what's at stake for companies that do not properly protect their data.
Server and application security logs were undoubtedly critical to the investigations of those breaches; those logs are the only reason that the loss of data could be verified and the source of the breaches identified. Security logs in your VDI environment can be just as crucial to future investigations if a breach occurs. That may include server logs from the underlying hypervisor platform and logs from VMs supporting the VDI environment, as well as data associated with individual user desktops.
Disaster recovery audits. A disaster recovery audit is typically conducted after a DR test or a real-world DR event to determine whether your disaster recovery plans are solid and up-to-date. Someone on the VDI administration team should be part of the DR planning team and be represented in all DR plans, tests and real-world outage responses. Make sure your DR plan includes all recovery steps required to rebuild the VDI environment within the identified disaster recovery-time objectives. Use company DR tests as an opportunity to verify that your recovery plan works and that user desktops are back up and running in the shortest possible time.
Gathering, organizing and archiving all possible targets of future IT audits is a full-time, mission-critical job. And it's not a task to be taken lightly; the stakes can be huge.
This was first published in January 2014