Data/AuditChecks/CollaborationChecks.json
|
{ "categoryId": "collab", "categoryName": "Collaboration & Communication Security", "categoryDescription": "Checks related to Google Meet, Chat, and Calendar security settings including external access, recording, and sharing controls", "checks": [ { "id": "COLLAB-001", "name": "Meet Recording Settings", "description": "Meeting recording settings should be controlled to prevent unauthorized capture of sensitive discussions", "severity": "Medium", "zeroTrustPillar": "Applications & Workloads", "zeroTrustWeight": 1, "subcategory": "Google Meet", "recommendedValue": "Recording restricted to meeting organizers or disabled for sensitive OUs", "remediationUrl": "https://admin.google.com/ac/appsettings/625702498764/meetingsettings", "remediationSteps": "Admin Console > Apps > Google Workspace > Google Meet > Meet video settings > Recording > Configure recording permissions", "compliance": { "nistSp80053": [ "AC-3", "AU-14" ], "mitreAttack": [ "T1125" ], "cisBenchmark": [ "5.1" ], "scuba": [ "GWS.MEET.5.1v1" ] } }, { "id": "COLLAB-002", "name": "Meet External Participant Settings", "description": "External participant access to meetings should be controlled to prevent unauthorized attendance and information disclosure", "severity": "Medium", "zeroTrustPillar": "Applications & Workloads", "zeroTrustWeight": 1, "subcategory": "Google Meet", "recommendedValue": "External participants require approval or knocking to join", "remediationUrl": "https://admin.google.com/ac/appsettings/625702498764/meetingsettings", "remediationSteps": "Admin Console > Apps > Google Workspace > Google Meet > Meet video settings > Participants > Require approval for external participants", "compliance": { "nistSp80053": [ "AC-3", "AC-17" ], "mitreAttack": [ "T1040" ], "cisBenchmark": [ "5.2" ], "scuba": [ "GWS.MEET.1.1v1" ] } }, { "id": "COLLAB-003", "name": "Meet Anonymous Join Settings", "description": "Anonymous users (without Google accounts) should not be able to join meetings without explicit host approval", "severity": "Medium", "zeroTrustPillar": "Applications & Workloads", "zeroTrustWeight": 1, "subcategory": "Google Meet", "recommendedValue": "Anonymous join disabled or requires host approval", "remediationUrl": "https://admin.google.com/ac/appsettings/625702498764/meetingsettings", "remediationSteps": "Admin Console > Apps > Google Workspace > Google Meet > Meet video settings > Participants > Disable anonymous join or require knocking", "compliance": { "nistSp80053": [ "AC-3", "IA-2" ], "mitreAttack": [ "T1040" ], "cisBenchmark": [ "5.3" ] } }, { "id": "COLLAB-004", "name": "Chat External Communication", "description": "External chat communication should be restricted to prevent data leakage through direct messages with external users", "severity": "High", "zeroTrustPillar": "Applications & Workloads", "zeroTrustWeight": 2, "subcategory": "Google Chat", "recommendedValue": "External chat restricted or disabled for most users", "remediationUrl": "https://admin.google.com/ac/appsettings/553322/chatsettings", "remediationSteps": "Admin Console > Apps > Google Workspace > Google Chat > Chat settings > External chat > Restrict external chat to specific OUs", "compliance": { "nistSp80053": [ "AC-4", "SC-7" ], "mitreAttack": [ "T1567", "T1048" ], "cisBenchmark": [ "5.4" ], "scuba": [ "GWS.CHAT.4.1v1" ] } }, { "id": "COLLAB-005", "name": "Chat History Settings", "description": "Chat history should be enabled and retained for compliance and audit purposes. Disabling history can hide malicious communications", "severity": "Medium", "zeroTrustPillar": "Applications & Workloads", "zeroTrustWeight": 1, "subcategory": "Google Chat", "recommendedValue": "Chat history enabled and retained according to retention policy", "remediationUrl": "https://admin.google.com/ac/appsettings/553322/chatsettings", "remediationSteps": "Admin Console > Apps > Google Workspace > Google Chat > Chat settings > History > Enable history and configure retention", "compliance": { "nistSp80053": [ "AU-11", "AU-3" ], "mitreAttack": [ "T1070.008" ], "cisBenchmark": [ "5.5" ], "scuba": [ "GWS.CHAT.1.1v1", "GWS.CHAT.1.2v1" ] } }, { "id": "COLLAB-006", "name": "Chat Spaces External Access", "description": "Chat spaces (rooms) that allow external members can expose internal communications and shared files to unauthorized parties", "severity": "Medium", "zeroTrustPillar": "Applications & Workloads", "zeroTrustWeight": 1, "subcategory": "Google Chat", "recommendedValue": "External access to Chat spaces restricted or disabled", "remediationUrl": "https://admin.google.com/ac/appsettings/553322/chatsettings", "remediationSteps": "Admin Console > Apps > Google Workspace > Google Chat > Chat settings > Spaces > Restrict external access to spaces", "compliance": { "nistSp80053": [ "AC-3", "AC-4" ], "mitreAttack": [ "T1530", "T1213" ], "cisBenchmark": [ "5.6" ] } }, { "id": "COLLAB-007", "name": "Chat App Installation Settings", "description": "Chat app (bot) installation should be controlled to prevent unauthorized integrations from accessing conversation data", "severity": "Low", "zeroTrustPillar": "Applications & Workloads", "zeroTrustWeight": 1, "subcategory": "Google Chat", "recommendedValue": "Chat app installation restricted to admin-approved apps", "remediationUrl": "https://admin.google.com/ac/appsettings/553322/chatsettings", "remediationSteps": "Admin Console > Apps > Google Workspace > Google Chat > Chat settings > Apps > Restrict app installation to approved apps", "compliance": { "nistSp80053": [ "CM-7", "CM-11" ], "mitreAttack": [ "T1195.002" ], "cisBenchmark": [ "5.7" ] } }, { "id": "COLLAB-008", "name": "Calendar External Sharing", "description": "Calendar sharing with external users should be limited to free/busy information to prevent exposure of meeting details and attendees", "severity": "High", "zeroTrustPillar": "Applications & Workloads", "zeroTrustWeight": 2, "subcategory": "Google Calendar", "recommendedValue": "External calendar sharing limited to free/busy information only", "remediationUrl": "https://admin.google.com/ac/appsettings/435070579839/sharing", "remediationSteps": "Admin Console > Apps > Google Workspace > Calendar > Sharing settings > External sharing options > Set to 'Only free/busy information'", "compliance": { "nistSp80053": [ "AC-3", "AC-22" ], "mitreAttack": [ "T1530", "T1589" ], "cisBenchmark": [ "5.8" ], "scuba": [ "GWS.CALENDAR.1.1v1", "GWS.CALENDAR.1.2v1" ] } }, { "id": "COLLAB-009", "name": "Calendar External Invitations", "description": "Users should be warned or restricted when sending calendar invitations to external recipients to prevent accidental information disclosure", "severity": "Medium", "zeroTrustPillar": "Applications & Workloads", "zeroTrustWeight": 1, "subcategory": "Google Calendar", "recommendedValue": "External invitation warnings enabled", "remediationUrl": "https://admin.google.com/ac/appsettings/435070579839/sharing", "remediationSteps": "Admin Console > Apps > Google Workspace > Calendar > Sharing settings > Enable external invitation warnings", "compliance": { "nistSp80053": [ "AC-4", "SI-11" ], "mitreAttack": [ "T1589" ], "cisBenchmark": [ "5.9" ], "scuba": [ "GWS.CALENDAR.2.1v1" ] } }, { "id": "COLLAB-010", "name": "Calendar Appointment Slots External Visibility", "description": "Calendar appointment slot visibility should be controlled to limit external exposure of availability and scheduling details", "severity": "Low", "zeroTrustPillar": "Applications & Workloads", "zeroTrustWeight": 1, "subcategory": "Google Calendar", "recommendedValue": "Appointment slot external visibility restricted", "remediationUrl": "https://admin.google.com/ac/appsettings/435070579839/sharing", "remediationSteps": "Admin Console > Apps > Google Workspace > Calendar > Sharing settings > Review appointment slot visibility settings", "compliance": { "nistSp80053": [ "AC-22" ], "mitreAttack": [ "T1589.002" ], "cisBenchmark": [ "5.10" ] } }, { "id": "COLLAB-011", "name": "Meet External Participant Labeling", "description": "External participants in meetings should be visibly labeled so hosts and attendees can readily identify outsiders and avoid disclosing sensitive information", "severity": "Low", "zeroTrustPillar": "Applications & Workloads", "zeroTrustWeight": 1, "subcategory": "Google Meet", "recommendedValue": "External participant labeling enabled", "remediationUrl": "https://admin.google.com/ac/appsettings/625702498764/meetingsettings", "remediationSteps": "Apps > Google Workspace > Google Meet > Meet safety settings > External participants > Enable labeling of external participants", "compliance": { "nistSp80053": [ "AC-22" ], "mitreAttack": [ "T1199" ], "cisBenchmark": [ "6.1" ], "scuba": [ "GWS.MEET.4.1v1" ] } }, { "id": "COLLAB-012", "name": "Meet Host Management", "description": "Host management should be enabled so meeting hosts retain moderation controls such as muting, removing, and locking to prevent meeting hijacking and disruption", "severity": "Medium", "zeroTrustPillar": "Applications & Workloads", "zeroTrustWeight": 1, "subcategory": "Google Meet", "recommendedValue": "Host management enabled", "remediationUrl": "https://admin.google.com/ac/appsettings/625702498764/meetingsettings", "remediationSteps": "Apps > Google Workspace > Google Meet > Meet safety settings > Host management > Enable host management controls", "compliance": { "nistSp80053": [ "AC-3" ], "mitreAttack": [ "T1199" ], "cisBenchmark": [ "6.2" ], "scuba": [ "GWS.MEET.3.1v1" ] } }, { "id": "GROUP-001", "name": "External access to Google Groups restricted (GWS.GROUPS.1.1)", "description": "SCuBA GWS.GROUPS.1.1 requires that Groups for Business sharing be limited so groups are not accessible to people outside the organization. When the group sharing collaboration capability is not set to domain-users-only, group content — which in a school can include student and staff data — becomes reachable by external parties. This check reads the groups_for_business.groups_sharing policy from the Cloud Identity Policy API and flags any organizational unit whose collaboration capability is not DOMAIN_USERS_ONLY.", "severity": "High", "zeroTrustPillar": "Data", "zeroTrustWeight": 3, "subcategory": "Group Sharing", "recommendedValue": "Groups sharing collaboration capability set to DOMAIN_USERS_ONLY for all organizational units", "remediationSteps": "In the Google Admin console under Apps > Google Workspace > Groups for Business > Sharing settings, set group access to be limited to users in the organization (not 'Anyone on the internet'), so external parties cannot access group content.", "compliance": { "scuba": [ "GWS.GROUPS.1.1v1" ], "nistSp80053": [ "AC-3", "AC-22", "SC-7" ] } }, { "id": "GROUP-002", "name": "Group owners cannot add external members (GWS.GROUPS.1.2)", "description": "SCuBA GWS.GROUPS.1.2 requires that group owners not be permitted to add members from outside the organization. External members gain access to everything shared with the group. This check flags organizational units where owners can allow external members (ownersCanAllowExternalMembers is enabled).", "severity": "Medium", "zeroTrustPillar": "Data", "zeroTrustWeight": 2, "subcategory": "Group Sharing", "recommendedValue": "Group owners cannot allow external members (ownersCanAllowExternalMembers disabled)", "remediationSteps": "In Groups for Business sharing settings, disable the option that lets group owners add members from outside the organization, so external membership requires administrative action.", "compliance": { "scuba": [ "GWS.GROUPS.1.2v1" ], "nistSp80053": [ "AC-2", "AC-3", "SC-7" ] } }, { "id": "GROUP-003", "name": "Groups cannot receive mail from outside the org (GWS.GROUPS.1.3)", "description": "SCuBA GWS.GROUPS.1.3 requires that group owners not be permitted to allow incoming email from outside the organization. Allowing public inbound mail to groups is an inbound phishing and spam vector. This check flags organizational units where owners can allow incoming mail from the public (ownersCanAllowIncomingMailFromPublic is enabled).", "severity": "Medium", "zeroTrustPillar": "Applications & Workloads", "zeroTrustWeight": 2, "subcategory": "Group Sharing", "recommendedValue": "Group owners cannot allow incoming mail from the public (ownersCanAllowIncomingMailFromPublic disabled)", "remediationSteps": "In Groups for Business sharing settings, disable the option that lets group owners accept incoming email from outside the organization, restricting group mail to internal senders unless explicitly configured.", "compliance": { "scuba": [ "GWS.GROUPS.1.3v1" ], "nistSp80053": [ "SC-7", "SI-8" ] } }, { "id": "GROUP-004", "name": "Group creation restricted to administrators (GWS.GROUPS.2.1)", "description": "SCuBA GWS.GROUPS.2.1 recommends restricting who can create Groups for Business to administrators. When any user can create groups, group sprawl outpaces governance and external-sharing defaults may be applied without review. This check flags organizational units where the create-groups access level is not ADMIN_ONLY.", "severity": "Low", "zeroTrustPillar": "Governance", "zeroTrustWeight": 2, "subcategory": "Group Governance", "recommendedValue": "Group creation access level set to ADMIN_ONLY", "remediationSteps": "In Groups for Business settings, set 'who can create groups' to admins only, so new groups are created deliberately and inherit reviewed sharing settings.", "compliance": { "scuba": [ "GWS.GROUPS.2.1v1" ], "nistSp80053": [ "AC-2", "AC-6", "PM-10" ] } }, { "id": "GROUP-005", "name": "Group conversation visibility defaults to members (GWS.GROUPS.3.1)", "description": "SCuBA GWS.GROUPS.3.1 requires that the default permission for viewing group conversations be restricted to group members rather than the whole domain or the public. Overly-open conversation visibility exposes discussion archives — which can contain sensitive student and staff information. This check reads viewTopicsDefaultAccessLevel from the groups_for_business.groups_sharing policy and warns where the default is broader than group members.", "severity": "Low", "zeroTrustPillar": "Data", "zeroTrustWeight": 2, "subcategory": "Group Sharing", "recommendedValue": "Default conversation view access set to GROUP_MEMBERS", "remediationSteps": "In Groups for Business settings, set the default 'who can view conversations' permission to group members.", "compliance": { "scuba": [ "GWS.GROUPS.3.1v1" ], "nistSp80053": [ "AC-3", "AC-22" ] } }, { "id": "COLLAB-013", "name": "Chat external file sharing disabled (GWS.CHAT.2.1)", "description": "SCuBA GWS.CHAT.2.1 requires that external file sharing in Google Chat be disabled (set to no files). Allowing files to be shared with external users through Chat is a direct data-exfiltration path. This check reads chat.chat_file_sharing and fails any organizational unit where external file sharing is not set to NO_FILES.", "severity": "High", "zeroTrustPillar": "Data", "zeroTrustWeight": 3, "subcategory": "Chat Security", "recommendedValue": "External file sharing in Chat set to NO_FILES", "remediationSteps": "In the Admin console under Apps > Google Workspace > Google Chat > External file sharing, set external file sharing to 'No files' so files cannot be shared to people outside the organization via Chat.", "compliance": { "scuba": [ "GWS.CHAT.2.1v1" ], "nistSp80053": [ "AC-4", "SC-7" ] } }, { "id": "COLLAB-014", "name": "Chat space history is on (GWS.CHAT.3.1)", "description": "SCuBA GWS.CHAT.3.1 requires that history for Chat spaces be always on so conversations are retained for oversight, investigation, and eDiscovery. This check reads chat.space_history and warns any organizational unit where space history is not set to HISTORY_ALWAYS_ON.", "severity": "Low", "zeroTrustPillar": "Visibility & Analytics", "zeroTrustWeight": 1, "subcategory": "Chat Security", "recommendedValue": "Chat space history set to HISTORY_ALWAYS_ON", "remediationSteps": "In Google Chat settings, set space history to always on so conversations are retained and available for oversight and eDiscovery.", "compliance": { "scuba": [ "GWS.CHAT.3.1v1" ], "nistSp80053": [ "AU-11", "AU-12" ] } }, { "id": "COLLAB-015", "name": "Meeting join restricted to the organization (GWS.MEET.2.1)", "description": "SCuBA GWS.MEET.2.1 requires that access to meetings be restricted so only users in the organization (or trusted Workspace organizations) can join. Leaving meetings open to anyone lets external and unauthenticated parties into sessions that may involve students. This check reads meet.safety_access and fails any organizational unit where meetingsAllowedToJoin is broader than SAME_ORGANIZATION_ONLY / ANY_WORKSPACE_ORGANIZATION.", "severity": "High", "zeroTrustPillar": "Identity", "zeroTrustWeight": 3, "subcategory": "Meet Safety", "recommendedValue": "meetingsAllowedToJoin set to SAME_ORGANIZATION_ONLY (or ANY_WORKSPACE_ORGANIZATION)", "remediationSteps": "In Google Meet safety settings, restrict who can join meetings to users in your organization, so external/unauthenticated participants cannot join by default.", "compliance": { "scuba": [ "GWS.MEET.2.1v1" ], "nistSp80053": [ "AC-3", "AC-14", "SC-7" ] } }, { "id": "COLLAB-016", "name": "Meet automatic transcription off by default (GWS.MEET.5.2)", "description": "SCuBA GWS.MEET.5.2 recommends that automatic transcription in Google Meet be off by default. Auto-transcribing meetings captures and stores conversation content — sensitive when students are present — without a deliberate decision. This check reads meet.automatic_transcription and warns any organizational unit where it is enabled by default.", "severity": "Low", "zeroTrustPillar": "Data", "zeroTrustWeight": 1, "subcategory": "Meet Safety", "recommendedValue": "Automatic transcription disabled by default", "remediationSteps": "In Google Meet settings, disable automatic transcription by default so meeting content is captured only when a host deliberately enables it.", "compliance": { "scuba": [ "GWS.MEET.5.2v1" ], "nistSp80053": [ "SI-12", "SC-28" ] } }, { "id": "COLLAB-017", "name": "Calendar external interoperability managed (GWS.CALENDAR.3.1)", "description": "SCuBA GWS.CALENDAR.3.1 requires that Calendar Interop (sharing free/busy and calendar data with an external system such as Microsoft Exchange) be off unless it is deliberately managed. Interop bridges calendar data to an outside platform. This check reads calendar.interoperability and warns any organizational unit where enableInteroperability is on.", "severity": "Low", "zeroTrustPillar": "Governance", "zeroTrustWeight": 1, "subcategory": "Calendar Security", "recommendedValue": "Calendar interoperability disabled unless deliberately managed", "remediationSteps": "In the Admin console under Apps > Google Workspace > Calendar > Calendar Interop management, disable interoperability unless a reviewed integration requires it.", "compliance": { "scuba": [ "GWS.CALENDAR.3.1v1" ], "nistSp80053": [ "AC-4", "SC-7" ] } }, { "id": "COLLAB-018", "name": "Calendar appointment payments disabled (GWS.CALENDAR.4.1)", "description": "SCuBA GWS.CALENDAR.4.1 recommends that paid appointment schedules be disabled. This check reads calendar.appointment_schedules and warns any organizational unit where enablePayments is on.", "severity": "Low", "zeroTrustPillar": "Governance", "zeroTrustWeight": 1, "subcategory": "Calendar Security", "recommendedValue": "Paid appointment schedules disabled", "remediationSteps": "In Google Calendar appointment-schedule settings, disable payments unless the organization deliberately uses paid appointments.", "compliance": { "scuba": [ "GWS.CALENDAR.4.1v1" ], "nistSp80053": [ "CM-7" ] } }, { "id": "COLLAB-019", "name": "Meet automatic recording off by default (GWS.MEET.5.1)", "description": "SCuBA GWS.MEET.5.1 recommends that automatic recording in Google Meet be off by default. Auto-recording captures and stores meeting video/audio — sensitive when students are present — without a deliberate decision. This check reads meet.automatic_recording and warns any organizational unit where it is enabled by default.", "severity": "Low", "zeroTrustPillar": "Data", "zeroTrustWeight": 2, "subcategory": "Meet Safety", "recommendedValue": "Automatic recording disabled by default", "remediationSteps": "In Google Meet settings, disable automatic recording by default so meetings are recorded only when a host deliberately starts a recording.", "compliance": { "scuba": [ "GWS.MEET.5.1v1" ], "nistSp80053": [ "SI-12", "SC-28" ] } }, { "id": "GROUP-006", "name": "Groups are visible in the directory (GWS.GROUPS.4.1)", "description": "SCuBA GWS.GROUPS.4.1 requires that groups not be hideable from the directory — hidden groups undermine transparency and oversight of who can be reached and what access exists. This check reads the groups_for_business.groups_sharing policy and warns any organizational unit where owners can hide groups (ownersCanHideGroups) or new groups are hidden by default (newGroupsAreHidden).", "severity": "Low", "zeroTrustPillar": "Visibility & Analytics", "zeroTrustWeight": 1, "subcategory": "Group Sharing", "recommendedValue": "Owners cannot hide groups and new groups are not hidden by default", "remediationSteps": "In Groups for Business settings, prevent group owners from hiding groups from the directory and ensure new groups are not hidden by default, preserving directory transparency.", "compliance": { "scuba": [ "GWS.GROUPS.4.1v1" ], "nistSp80053": [ "AC-22", "AU-6" ] } } ] } |