Data/AuditChecks/DriveSecurityChecks.json
|
{ "categoryId": "drive", "categoryName": "Drive Security & Data Protection", "categoryDescription": "Checks related to Google Drive sharing, access controls, DLP, and data protection settings", "checks": [ { "id": "DRIVE-001", "name": "External Sharing Defaults", "description": "Sharing outside the organization should be restricted or disabled by default to prevent accidental data exposure to external parties", "severity": "High", "zeroTrustPillar": "Data", "zeroTrustWeight": 2, "subcategory": "Sharing", "recommendedValue": "External sharing restricted to allowlisted domains or disabled", "remediationUrl": "https://admin.google.com/ac/appsettings/55656082996/sharing", "remediationSteps": "Admin Console > Apps > Google Workspace > Drive and Docs > Sharing settings > Set sharing outside the organization to 'Off' or 'Allowlisted domains'", "compliance": { "nistSp80053": [ "AC-3", "AC-4" ], "mitreAttack": [ "T1567", "T1537" ], "cisBenchmark": [ "2.1" ], "scuba": [ "GWS.DRIVEDOCS.1.1v1", "GWS.DRIVEDOCS.1.2v1", "GWS.DRIVEDOCS.1.6v1" ] }, "provenance": "baseline", "source_url": null, "source_read_date": null, "official_id": null }, { "id": "DRIVE-002", "name": "Link Sharing Default Settings", "description": "Default link sharing should be set to 'Restricted' (specific people) rather than broad access to prevent unintended data exposure", "severity": "High", "zeroTrustPillar": "Data", "zeroTrustWeight": 2, "subcategory": "Sharing", "recommendedValue": "Default link sharing set to 'Restricted' (specific people only)", "remediationUrl": "https://admin.google.com/ac/appsettings/55656082996/sharing", "remediationSteps": "Admin Console > Apps > Google Workspace > Drive and Docs > Sharing settings > Set default link sharing to 'Restricted'", "compliance": { "nistSp80053": [ "AC-3", "AC-6" ], "mitreAttack": [ "T1530" ], "cisBenchmark": [ "2.2" ] }, "provenance": "baseline", "source_url": null, "source_read_date": null, "official_id": null }, { "id": "DRIVE-003", "name": "Anyone With the Link Sharing Audit", "description": "Files shared with 'Anyone with the link' are accessible to anyone on the internet and represent a significant data exposure risk", "severity": "High", "zeroTrustPillar": "Data", "zeroTrustWeight": 2, "subcategory": "Sharing", "recommendedValue": "'Anyone with the link' sharing disabled or tightly controlled", "remediationUrl": "https://admin.google.com/ac/appsettings/55656082996/sharing", "remediationSteps": "Admin Console > Apps > Google Workspace > Drive and Docs > Sharing settings > Disable 'Anyone with the link' option or restrict to 'Domain users with the link'", "compliance": { "nistSp80053": [ "AC-3", "AC-22" ], "mitreAttack": [ "T1530", "T1213" ], "cisBenchmark": [ "2.3" ] }, "provenance": "baseline", "source_url": null, "source_read_date": null, "official_id": null }, { "id": "DRIVE-004", "name": "Shared Drive Creation Restrictions", "description": "Shared Drive creation should be restricted to prevent uncontrolled proliferation and ensure proper governance of shared data repositories", "severity": "Medium", "zeroTrustPillar": "Data", "zeroTrustWeight": 1, "subcategory": "Shared Drives", "recommendedValue": "Shared Drive creation restricted to specific groups or admins", "remediationUrl": "https://admin.google.com/ac/appsettings/55656082996/sharing", "remediationSteps": "Admin Console > Apps > Google Workspace > Drive and Docs > Sharing settings > Shared drive creation > Restrict who can create shared drives", "compliance": { "nistSp80053": [ "CM-7", "AC-6" ], "mitreAttack": [ "T1530" ], "cisBenchmark": [ "2.4" ], "scuba": [ "GWS.DRIVEDOCS.2.1v1", "GWS.DRIVEDOCS.2.2v1" ] }, "provenance": "baseline", "source_url": null, "source_read_date": null, "official_id": null }, { "id": "DRIVE-005", "name": "Shared Drive Member Management", "description": "Shared Drive member management should be controlled to prevent unauthorized users from being added or permissions being escalated", "severity": "Medium", "zeroTrustPillar": "Data", "zeroTrustWeight": 1, "subcategory": "Shared Drives", "recommendedValue": "Only managers can add members and change access levels", "remediationUrl": "https://admin.google.com/ac/appsettings/55656082996/sharing", "remediationSteps": "Admin Console > Apps > Google Workspace > Drive and Docs > Sharing settings > Shared drive settings > Configure member management permissions", "compliance": { "nistSp80053": [ "AC-3", "AC-6(1)" ], "mitreAttack": [ "T1098" ], "cisBenchmark": [ "2.5" ] }, "provenance": "baseline", "source_url": null, "source_read_date": null, "official_id": null }, { "id": "DRIVE-006", "name": "Shared Drive External Sharing", "description": "External sharing on Shared Drives should be restricted to prevent sensitive organizational data from being shared outside the domain", "severity": "High", "zeroTrustPillar": "Data", "zeroTrustWeight": 2, "subcategory": "Shared Drives", "recommendedValue": "External sharing on Shared Drives disabled or restricted to allowlisted domains", "remediationUrl": "https://admin.google.com/ac/appsettings/55656082996/sharing", "remediationSteps": "Admin Console > Apps > Google Workspace > Drive and Docs > Sharing settings > Shared drive sharing > Restrict external sharing", "compliance": { "nistSp80053": [ "AC-3", "AC-4" ], "mitreAttack": [ "T1537", "T1567" ], "cisBenchmark": [ "2.6" ] }, "provenance": "baseline", "source_url": null, "source_read_date": null, "official_id": null }, { "id": "DRIVE-007", "name": "File Ownership Transfer Settings", "description": "File ownership transfer should be controlled to prevent unauthorized data migration and maintain proper data governance chains", "severity": "Medium", "zeroTrustPillar": "Data", "zeroTrustWeight": 1, "subcategory": "Access Control", "recommendedValue": "File ownership transfer restricted to admins or controlled process", "remediationUrl": "https://admin.google.com/ac/appsettings/55656082996/sharing", "remediationSteps": "Admin Console > Apps > Google Workspace > Drive and Docs > Transfer ownership settings > Configure restrictions", "compliance": { "nistSp80053": [ "AC-3", "MP-5" ], "mitreAttack": [ "T1537" ], "cisBenchmark": [ "2.7" ] }, "provenance": "baseline", "source_url": null, "source_read_date": null, "official_id": null }, { "id": "DRIVE-008", "name": "Drive for Desktop Allowed/Blocked", "description": "Drive for Desktop syncs files locally and should be controlled to prevent data from being stored on unmanaged endpoints", "severity": "Medium", "zeroTrustPillar": "Data", "zeroTrustWeight": 1, "subcategory": "Access Control", "recommendedValue": "Drive for Desktop restricted to managed devices or disabled", "remediationUrl": "https://admin.google.com/ac/appsettings/55656082996/drivefordesktop", "remediationSteps": "Admin Console > Apps > Google Workspace > Drive and Docs > Features and Applications > Drive for Desktop > Configure access", "compliance": { "nistSp80053": [ "SC-28", "MP-7" ], "mitreAttack": [ "T1530", "T1005" ], "cisBenchmark": [ "2.8" ] }, "provenance": "baseline", "source_url": null, "source_read_date": null, "official_id": null }, { "id": "DRIVE-009", "name": "Third-Party App Drive Access", "description": "Third-party applications with access to Drive data should be reviewed and restricted to prevent unauthorized data exfiltration", "severity": "High", "zeroTrustPillar": "Data", "zeroTrustWeight": 2, "subcategory": "Data Protection", "recommendedValue": "Third-party app access to Drive data restricted and reviewed", "remediationUrl": "https://admin.google.com/ac/owl/list?tab=apps", "remediationSteps": "Admin Console > Security > API controls > Third-party app access > Review and restrict apps with Drive access", "compliance": { "nistSp80053": [ "AC-3", "AC-20" ], "mitreAttack": [ "T1530", "T1567.002" ], "cisBenchmark": [ "2.9" ] }, "provenance": "baseline", "source_url": null, "source_read_date": null, "official_id": null }, { "id": "DRIVE-010", "name": "Drive DLP Rules Audit", "description": "Data Loss Prevention rules should be configured to detect and prevent sharing of sensitive data through Google Drive", "severity": "Medium", "zeroTrustPillar": "Data", "zeroTrustWeight": 1, "subcategory": "Data Protection", "recommendedValue": "DLP rules configured for sensitive data types (PII, financial, health data)", "remediationUrl": "https://admin.google.com/ac/dp/rules", "remediationSteps": "Admin Console > Security > Data protection > Manage rules > Create rules for sensitive data types in Drive", "compliance": { "nistSp80053": [ "SC-7", "SI-4" ], "mitreAttack": [ "T1567", "T1048" ], "cisBenchmark": [ "2.10" ] }, "provenance": "baseline", "source_url": null, "source_read_date": null, "official_id": null }, { "id": "DRIVE-011", "name": "Target Audience Settings", "description": "Target audience settings control who can be suggested when sharing files and should be configured to limit accidental sharing", "severity": "Medium", "zeroTrustPillar": "Data", "zeroTrustWeight": 1, "subcategory": "Sharing", "recommendedValue": "Target audiences configured to limit sharing suggestions appropriately", "remediationUrl": "https://admin.google.com/ac/targetaudiences", "remediationSteps": "Admin Console > Directory > Target audiences > Review and configure target audience groups", "compliance": { "nistSp80053": [ "AC-3", "AC-6" ], "mitreAttack": [ "T1530" ], "cisBenchmark": [ "2.11" ] }, "provenance": "baseline", "source_url": null, "source_read_date": null, "official_id": null }, { "id": "DRIVE-012", "name": "Drive Add-ons Settings", "description": "Drive add-ons can access file content and should be controlled to prevent data exposure through untrusted extensions", "severity": "Low", "zeroTrustPillar": "Data", "zeroTrustWeight": 1, "subcategory": "Access Control", "recommendedValue": "Drive add-on installation restricted to admin-approved add-ons", "remediationUrl": "https://admin.google.com/ac/appsettings/55656082996/addons", "remediationSteps": "Admin Console > Apps > Google Workspace > Drive and Docs > Features and Applications > Add-ons > Configure installation restrictions", "compliance": { "nistSp80053": [ "CM-7", "CM-11" ], "mitreAttack": [ "T1195.002" ], "cisBenchmark": [ "2.12" ] }, "provenance": "baseline", "source_url": null, "source_read_date": null, "official_id": null }, { "id": "DRIVE-013", "name": "Offline Access Settings", "description": "Offline access allows Drive files to be cached locally on devices and should be controlled to prevent data exposure on shared or unmanaged devices", "severity": "Medium", "zeroTrustPillar": "Data", "zeroTrustWeight": 1, "subcategory": "Access Control", "recommendedValue": "Offline access disabled or restricted to managed devices", "remediationUrl": "https://admin.google.com/ac/appsettings/55656082996/offlineaccess", "remediationSteps": "Admin Console > Apps > Google Workspace > Drive and Docs > Features and Applications > Offline > Disable or restrict offline access", "compliance": { "nistSp80053": [ "SC-28", "AC-19" ], "mitreAttack": [ "T1005", "T1530" ], "cisBenchmark": [ "2.13" ] }, "provenance": "baseline", "source_url": null, "source_read_date": null, "official_id": null }, { "id": "DRIVE-014", "name": "Drive SDK API access disabled (GWS.DRIVEDOCS.4.1)", "description": "SCuBA GWS.DRIVEDOCS.4.1: the Drive SDK lets third-party apps read and write Drive content via API, a direct data-exfiltration channel when broadly enabled. Reads drive_and_docs.drive_sdk; fails where enableDriveSdkApiAccess is on.", "severity": "High", "zeroTrustPillar": "Data", "zeroTrustWeight": 3, "subcategory": "Drive API", "recommendedValue": "Drive SDK API access disabled", "remediationSteps": "In Admin console > Apps > Google Workspace > Drive and Docs > Features and Applications, disable Drive SDK unless specific reviewed integrations require it.", "compliance": { "scuba": [ "GWS.DRIVEDOCS.4.1v1" ], "nistSp80053": [ "AC-4", "AC-3", "SC-7" ] }, "provenance": "baseline", "source_url": null, "source_read_date": null, "official_id": null }, { "id": "DRIVE-015", "name": "Drive external-file warning enabled (GWS.DRIVEDOCS.1.9)", "description": "SCuBA GWS.DRIVEDOCS.1.9: warning users when they share files externally is a low-friction data-loss control. Reads drive_and_docs.external_file_warning; warns where highlightingEnabled is off.", "severity": "Low", "zeroTrustPillar": "Data", "zeroTrustWeight": 1, "subcategory": "Drive Sharing", "recommendedValue": "External-file sharing warning enabled", "remediationSteps": "In Drive sharing settings, enable warnings when users share files with people outside the organization.", "compliance": { "scuba": [ "GWS.DRIVEDOCS.1.9v1" ], "nistSp80053": [ "AC-22", "SI-10" ] }, "provenance": "baseline", "source_url": null, "source_read_date": null, "official_id": null }, { "id": "DRIVE-016", "name": "Drive file security update enforced (GWS.DRIVEDOCS.3.1)", "description": "SCuBA GWS.DRIVEDOCS.3.1: the file security update tightens link-sharing on affected files; letting users remove it re-opens access. Reads drive_and_docs.file_security_update; warns where users are allowed to remove/manage the security update.", "severity": "Medium", "zeroTrustPillar": "Data", "zeroTrustWeight": 2, "subcategory": "Drive Sharing", "recommendedValue": "Security update applied and users cannot remove it", "remediationSteps": "In Drive settings, apply the file security update and do not allow users to remove it from files they own.", "compliance": { "scuba": [ "GWS.DRIVEDOCS.3.1v1" ], "nistSp80053": [ "AC-3", "CM-6" ] }, "provenance": "baseline", "source_url": null, "source_read_date": null, "official_id": null } ] } |