Fixed Table of Contents and Drift Rules
jkaufman-mitre committed Jan 17, 2024
1 parent c2b1e10 commit e302133
Showing 2 changed files with 28 additions and 36 deletions.
Expand Up @@ -17,15 +17,13 @@ This baseline is based on Google documentation and addresses the following:
- [Highly Privileged Accounts](#6-highly-privileged-accounts)
- [Conflicting Account Management](#7-conflicting-account-management)
- [Catastrophic Recovery Options](#8-catastrophic-recovery-options-for-super-admins)
- [GWS Advanced Protection Program](#10-gws-advanced-protection-program)
- [App Access to Google APIs](#11-app-access-to-google-apis)
- [Authorized Marketplace Apps](#12-authorized-google-marketplace-apps)
- [Less Secure Apps](#13-less-secure-apps)
- [Google Takeout Service](#14-google-takeout-services-for-users)
- [System-Defined Rules](#15-system-defined-rules)
- [Google Workspace Logs](#16-google-workspace-logs)
- [Data Regions](#17-data-regions)
- [Supplemental Data Storage](#18-supplemental-data-storage)
- [GWS Advanced Protection Program](#9-gws-advanced-protection-program)
- [App Access to Google APIs](#10-app-access-to-google-apis)
- [Authorized Marketplace Apps](#11-authorized-google-marketplace-apps)
- [Google Takeout Service](#12-google-takeout-services-for-users)
- [System-Defined Rules](#13-system-defined-rules)
- [Google Workspace Logs](#14-google-workspace-logs)
- [Data Regions](#15-data-regions)

## Assumptions

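Review bot: the new `- [Data Regions](#15-data-regions)` entry links to an anchor that this same commit invalidates: the heading below is renamed to `## 15. Data Regions and Storage`, which under the slug convention the other entries already use (for example `#8-catastrophic-recovery-options-for-super-admins`) resolves to `#15-data-regions-and-storage`. Update the link text and anchor together. Also worth confirming: the TOC drops the `Less Secure Apps` and `Supplemental Data Storage` entries rather than renumbering them, while the drift rules CSV in this commit keeps both controls as `GWS.COMMONCONTROLS.11.2v0.1` and `GWS.COMMONCONTROLS.15.2v0.1`; if they became subsections of 11 and 15, the section names in the TOC should say so, since "Authorized Marketplace Apps" does not suggest it covers less secure apps.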
Expand Down Expand Up @@ -1121,7 +1119,7 @@ The following critical logs SHALL be sent at a minimum.
5. Click **Save**.


## 15. Data Regions
## 15. Data Regions and Storage

Google Workspace administrators can choose to store data in a specific geographic region (currently the United States or Europe) by using a data region policy. The policy can be applied to a specific organizational unit (OU) in a tenant or at the parent OU. For the interests of Federal agencies, the best practice is to restrict stored data for all users to the U.S. This means applying this setting at the parent OU. Data region storage covers the primary data-at-rest (including backups) for Google Workspace core services (see resources section for services in scope).

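Review bot: the heading gains "and Storage", but the paragraph under it still describes only the data region policy (United States or Europe, applied at the parent OU); a sentence introducing the supplemental data storage control that the drift rules file tracks as `GWS.COMMONCONTROLS.15.2v0.1` would tell readers why the section was widened. Because renaming the heading changes its auto-generated anchor, any link that still targets `#15-data-regions` (including the Table of Contents entry added in this commit) will no longer resolve.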
Expand Up @@ -12,31 +12,25 @@ GWS.COMMONCONTROLS.5.2v0.1,User password length SHALL be at least 12 characters.
GWS.COMMONCONTROLS.5.3v0.1,Password policy SHALL be enforced at next sign-in.,Admin Log Event,Change Application Setting,Password Management - Enforce password policy at next login,true,rules/00gjdgxs0p7tza1,JK 08-02-23 @ 09:00
GWS.COMMONCONTROLS.5.4v0.1,User passwords SHALL NOT be reused.,Admin Log Event,Change Application Setting,Password Management - Enable password reuse,false,rules/00gjdgxs0tbqklj,JK 08-02-23 @ 09:05
GWS.COMMONCONTROLS.5.5v0.1,User passwords SHALL NOT expire.,Admin Log Event,Change Application Setting,Password Management - Password reset frequency,0,rules/00gjdgxs1k1llys,JK 08-02-23 @ 09:09
GWS.COMMONCONTROLS.6.1v0.1,"Agencies SHALL ensure that all accounts with highly privileged roles are separate administrative accounts, distinct from the ordinary day to day accounts of those personnel.",N/A,N/A,N/A,N/A,N/A,Not Alertable
GWS.COMMONCONTROLS.6.2v0.1,All highly privileged accounts SHALL leverage Google Account authentication with phishing-resistant MFA and not the agency’s authoritative on-premises or federated identity system.,N/A,N/A,N/A,N/A,N/A,Not Alertable
GWS.COMMONCONTROLS.7.1v0.1,A minimum of two and maximum of four separate and distinct Super Admin users SHALL be configured.,N/A,N/A,N/A,N/A,N/A,Not Alertable
GWS.COMMONCONTROLS.8.1v0.1,Account conflict management SHALL be configured to replace conflicting unmanaged accounts with managed ones.,N/A,N/A,N/A,N/A,N/A,Not Alertable due to no log event being produced
GWS.COMMONCONTROLS.9.1v0.1,"A second, “break-glass” Super Admin account SHALL be created and physically secured for each individual Super Admin user to mitigate account access issues resulting from catastrophic credential loss or compromise.",N/A,N/A,N/A,N/A,N/A,Not Alertable
GWS.COMMONCONTROLS.9.2v0.1,"Account self-recovery for Super Admins SHALL be disabled, forcing Super Admin users who have lost their login credentials to contact another Super Admin to recover their account.",Admin Log Event,Change Application Setting,AdminAccountRecoverySettingsProto Enable admin account recovery,false,rules/00gjdgxs2rlm6cr,JK 08-02-23 @ 09:16
GWS.COMMONCONTROLS.9.3v0.1,“Break-glass” account credentials SHALL be used only if all Super Admins have lost their credentials.,N/A,N/A,N/A,N/A,N/A,Not Alertable
GWS.COMMONCONTROLS.9.4v0.1,A geographically separate and secure location SHOULD be planned and implemented to store “break-glass” account credentials for Super Admins.,N/A,N/A,N/A,N/A,N/A,Not Alertable
GWS.COMMONCONTROLS.10.1v0.1,Highly privileged accounts SHALL be enrolled in the GWS Advanced Protection Program.,Admin Log Event,Change Application Setting,Advanced Protection Program Settings - Enable user enrollment,true,rules/00gjdgxs2mq8dv5,JK 08-02-23 @ 09:20
GWS.COMMONCONTROLS.10.2v0.1,All sensitive user accounts SHOULD be enrolled into the GWS Advanced Protection Program. This control enforces more secure protection of sensitive user accounts from targeted attacks. Sensitive user accounts include political appointees and other Senior Executive Service (SES) officials whose account compromise would pose a level of risk prohibitive to agency mission fulfillment.,Admin Log Event,Change Application Setting,Advanced Protection Program Settings - Enable user enrollment,true,rules/00gjdgxs2mq8dv6,JK 08-02-23 @ 09:21
GWS.COMMONCONTROLS.11.1v0.1,Agencies SHALL develop and implement a process to explicitly allow-list (trust) third-party app access to GWS services.,Admin Log Event,API Access Allowed,No Setting Name,No Value,rules/00gjdgxs1qiup12,
GWS.COMMONCONTROLS.11.2v0.1,Agencies SHALL use GWS application access control policies to restrict access to all GWS services by third party apps.,N/A,N/A,N/A,N/A,N/A,Not Alertable
GWS.COMMONCONTROLS.11.3v0.1,Agencies SHALL NOT allow users to consent to access to low-risk scopes.,N/A,N/A,N/A,N/A,N/A,Not Alertable
GWS.COMMONCONTROLS.11.4v0.1,Agencies SHALL NOT trust unconfigured internal apps.,Admin Log Event,"Allow Google Sign-in only third party API access
GWS.COMMONCONTROLS.6.1v0.1,All highly privileged accounts SHALL leverage Google Account authentication with phishing-resistant MFA and not the agency’s authoritative on-premises or federated identity system.,N/A,N/A,N/A,N/A,N/A,Not Alertable
GWS.COMMONCONTROLS.6.2v0.1,A minimum of two and maximum of four separate and distinct Super Admin users SHALL be configured.,N/A,N/A,N/A,N/A,N/A,Not Alertable
GWS.COMMONCONTROLS.7.1v0.1,Account conflict management SHALL be configured to replace conflicting unmanaged accounts with managed ones.,N/A,N/A,N/A,N/A,N/A,Not Alertable due to no log event being produced
GWS.COMMONCONTROLS.8.1v0.1,"Account self-recovery for Super Admins SHALL be disabled, forcing Super Admin users who have lost their login credentials to contact another Super Admin to recover their account.",Admin Log Event,Change Application Setting,AdminAccountRecoverySettingsProto Enable admin account recovery,false,rules/00gjdgxs2rlm6cr,JK 08-02-23 @ 09:16
GWS.COMMONCONTROLS.9.1v0.1,Highly privileged accounts SHALL be enrolled in the GWS Advanced Protection Program.,Admin Log Event,Change Application Setting,Advanced Protection Program Settings - Enable user enrollment,true,rules/00gjdgxs2mq8dv5,JK 08-02-23 @ 09:20
GWS.COMMONCONTROLS.9.2v0.1,All sensitive user accounts SHOULD be enrolled into the GWS Advanced Protection Program. This control enforces more secure protection of sensitive user accounts from targeted attacks. Sensitive user accounts include political appointees and other Senior Executive Service (SES) officials whose account compromise would pose a level of risk prohibitive to agency mission fulfillment.,Admin Log Event,Change Application Setting,Advanced Protection Program Settings - Enable user enrollment,true,rules/00gjdgxs2mq8dv6,JK 08-02-23 @ 09:21
GWS.COMMONCONTROLS.10.1v0.1,Agencies SHALL develop and implement a process to explicitly allow-list (trust) third-party app access to GWS services.,Admin Log Event,API Access Allowed,No Setting Name,No Value,rules/00gjdgxs1qiup12,
GWS.COMMONCONTROLS.10.2v0.1,Agencies SHALL use GWS application access control policies to restrict access to all GWS services by third party apps.,N/A,N/A,N/A,N/A,N/A,Not Alertable
GWS.COMMONCONTROLS.10.3v0.1,Agencies SHALL NOT allow users to consent to access to low-risk scopes.,N/A,N/A,N/A,N/A,N/A,Not Alertable
GWS.COMMONCONTROLS.10.4v0.1,Agencies SHALL NOT trust unconfigured internal apps.,Admin Log Event,"Allow Google Sign-in only third party API access
OR
All third party API access unblocked",No Setting Name,No Value,rules/00gjdgxs0xcbmu1,
GWS.COMMONCONTROLS.11.5v0.1(a),Agencies SHALL NOT allow users to access unconfigured third-party apps.,Admin Log Event,All third party API access unblocked,No Setting Name,No Value,rules/00gjdgxs0zd46an,JK 09-22-23 @ 14:15 (works only from Don't allow)
GWS.COMMONCONTROLS.11.5v0.1(b),Agencies SHALL NOT allow users to access unconfigured third-party apps.,Admin Log Event,Allow Google Sign-in only third party API access,No Setting Name,No Value,rules/00gjdgxs3b25o0w,JK 09-22-23 @ 14:15 (works only from Don't allow)
GWS.COMMONCONTROLS.12.1v0.1,Policy SHOULD be established dictating the app review and approval process.,N/A,N/A,N/A,N/A,N/A,Not Alertable
GWS.COMMONCONTROLS.12.2v0.1(a),Only approved Google Workspace Marketplace applications SHOULD be allowed for installation.,Admin Log Event,Change Application Setting,Apps Access Setting Allowlist access,ALLOW_SPECIFIED,rules/00gjdgxs0o3dzli,JK 09-12-23 @ 13:33
GWS.COMMONCONTROLS.12.2v0.2(b),Only approved Google Workspace Marketplace applications SHOULD be allowed for installation.,Admin Log Event,Change Application Setting,Apps Access Setting allow_all_internal_apps,false,rules/00gjdgxs3f0ca00,JK 11-14-23 @ 07:37
GWS.COMMONCONTROLS.13.1v0.1,Access to Google Workspace applications by less secure apps that do not meet security standards for authentication SHALL be prevented.,Admin Log Event,Less Secure Apps Access Setting Changed,No Setting Name,DISABLED,rules/00gjdgxs2y7rekk,JK 09-20-23 @ 06:51
GWS.COMMONCONTROLS.14.1v0.1,Google Takeout services SHALL be disabled for users.,Admin Log Event,Toggle Service Enabled,N/A,false,rules/00gjdgxs3wksszz,JK 09-12-23 @ 13:19
GWS.COMMONCONTROLS.15.1v0.1,"Required system-defined alerting rules, as listed in the Policy section, SHALL be active, with alerts enabled when available. Any system-defined rules not are considered optional but ought to be reviewed for consideration.",Admin Log Event,System Defined Rule Updated,N/A,N/A,rules/00gjdgxs1x4hrff,Needs Manual Verification of Status
GWS.COMMONCONTROLS.16.1v0.1,The following critical logs SHALL be sent at a minimum.,Admin Log Event,Change Application Setting,"Data Sharing Settings between GCP and Google Workspace ""Sharing Options""",ENABLED,rules/00gjdgxs0yu1jgq,JK 09-19-23 @ 06:40
GWS.COMMONCONTROLS.16.2v0.1,"Audit logs SHALL be maintained for at least 6 months in active storage and an additional 18 months in cold storage, as dictated by OMB M-21-31. The logs SHALL be sent to the agency’s Security Operations Center (SOC) for monitoring.",N/A,N/A,N/A,N/A,N/A,Not Alertable
GWS.COMMONCONTROLS.17.1v0.1,"The data storage region SHALL be set to be the United States for all users in the agency's GWS environment.",Admin Log Event,Change Application Setting,Location Policy,US,rules/00gjdgxs2k8ieyq,JK 12-05-23 @ 15:57
GWS.COMMONCONTROLS.18.1v0.1,"The supplemental data storage region SHALL NOT be set to 'Russian Federation'.",Admin Log Event,Change Data Localization for Russia,N/A,false,rules/00gjdgxs3rufh17,Not Tested
GWS.COMMONCONTROLS.10.5v0.1(a),Agencies SHALL NOT allow users to access unconfigured third-party apps.,Admin Log Event,All third party API access unblocked,No Setting Name,No Value,rules/00gjdgxs0zd46an,JK 09-22-23 @ 14:15 (works only from Don't allow)
GWS.COMMONCONTROLS.10.5v0.1(b),Agencies SHALL NOT allow users to access unconfigured third-party apps.,Admin Log Event,Allow Google Sign-in only third party API access,No Setting Name,No Value,rules/00gjdgxs3b25o0w,JK 09-22-23 @ 14:15 (works only from Don't allow)
GWS.COMMONCONTROLS.11.1v0.1(a),Only approved Google Workspace Marketplace applications SHOULD be allowed for installation.,Admin Log Event,Change Application Setting,Apps Access Setting Allowlist access,ALLOW_SPECIFIED,rules/00gjdgxs0o3dzli,JK 09-12-23 @ 13:33
GWS.COMMONCONTROLS.11.1v0.2(b),Only approved Google Workspace Marketplace applications SHOULD be allowed for installation.,Admin Log Event,Change Application Setting,Apps Access Setting allow_all_internal_apps,false,rules/00gjdgxs3f0ca00,JK 11-14-23 @ 07:37
GWS.COMMONCONTROLS.11.2v0.1,Access to Google Workspace applications by less secure apps that do not meet security standards for authentication SHALL be prevented.,Admin Log Event,Less Secure Apps Access Setting Changed,No Setting Name,DISABLED,rules/00gjdgxs2y7rekk,JK 09-20-23 @ 06:51
GWS.COMMONCONTROLS.12.1v0.1,Google Takeout services SHALL be disabled for users.,Admin Log Event,Toggle Service Enabled,N/A,false,rules/00gjdgxs3wksszz,JK 09-12-23 @ 13:19
GWS.COMMONCONTROLS.13.1v0.1,"Required system-defined alerting rules, as listed in the Policy section, SHALL be active, with alerts enabled when available. Any system-defined rules not are considered optional but ought to be reviewed for consideration.",Admin Log Event,System Defined Rule Updated,N/A,N/A,rules/00gjdgxs1x4hrff,Needs Manual Verification of Status
GWS.COMMONCONTROLS.14.1v0.1,The following critical logs SHALL be sent at a minimum.,Admin Log Event,Change Application Setting,"Data Sharing Settings between GCP and Google Workspace ""Sharing Options""",ENABLED,rules/00gjdgxs0yu1jgq,JK 09-19-23 @ 06:40
GWS.COMMONCONTROLS.15.1v0.1,"The data storage region SHALL be set to be the United States for all users in the agency's GWS environment.",Admin Log Event,Change Application Setting,Location Policy,US,rules/00gjdgxs2k8ieyq,JK 12-05-23 @ 15:57
GWS.COMMONCONTROLS.15.2v0.1,"The supplemental data storage region SHALL NOT be set to 'Russian Federation'.",Admin Log Event,Change Data Localization for Russia,N/A,false,rules/00gjdgxs3rufh17,Not Tested

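Review bot: the renumbered Marketplace rows carry mismatched version suffixes, `GWS.COMMONCONTROLS.11.1v0.1(a)` and `GWS.COMMONCONTROLS.11.1v0.2(b)`, for what the policy text presents as a single policy; this is inherited from the old 12.2 rows, and a renumbering commit is the natural place to settle on one version for both parts. Two further items in the added rows: the 13.1 policy text still reads "Any system-defined rules not are considered optional", which is missing a word (presumably "not listed"), and the old 6.1 row requiring separate administrative accounts distinct from day-to-day accounts is removed with no replacement row, which the commit message does not mention; a note confirming that removal is intended would help reviewers of the drift rules. Finally, rows 10.1 and 10.4 keep an empty verification column while every other alertable row records a tester and date.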