Data/AuditChecks/AdminManagementChecks.json
|
{ "categoryId": "admin", "categoryName": "Admin & User Management", "categoryDescription": "Checks related to admin role assignments, user account hygiene, directory settings, and group management", "checks": [ { "id": "ADMIN-001", "name": "Super Admin Account Inventory", "description": "All super admin accounts should be inventoried and reviewed. Super admins have unrestricted access to all organizational settings and data", "severity": "Critical", "zeroTrustPillar": "Governance", "zeroTrustWeight": 1, "subcategory": "Admin Roles", "recommendedValue": "All super admin accounts documented and justified with clear business need", "remediationUrl": "https://admin.google.com/ac/users", "remediationSteps": "Admin Console > Directory > Users > Filter by admin role > Review all super admin accounts and remove unnecessary assignments", "compliance": { "nistSp80053": [ "AC-2(7)", "AC-6(1)" ], "mitreAttack": [ "T1078.004", "T1087.004" ], "cisBenchmark": [ "4.1" ] }, "provenance": "baseline", "source_url": null, "source_read_date": null, "official_id": null }, { "id": "ADMIN-002", "name": "Admin Role Assignments Audit", "description": "Administrative role assignments should follow the principle of least privilege. Custom roles should be used instead of broad built-in roles", "severity": "High", "zeroTrustPillar": "Governance", "zeroTrustWeight": 1, "subcategory": "Admin Roles", "recommendedValue": "All admin role assignments reviewed with least-privilege custom roles used where possible", "remediationUrl": "https://admin.google.com/ac/roles", "remediationSteps": "Admin Console > Account > Admin roles > Review each role assignment > Replace broad roles with scoped custom roles", "compliance": { "nistSp80053": [ "AC-6(1)", "AC-2(7)" ], "mitreAttack": [ "T1078.004", "T1098.003" ], "cisBenchmark": [ "4.2" ] }, "provenance": "baseline", "source_url": null, "source_read_date": null, "official_id": null }, { "id": "ADMIN-003", "name": "Delegated Admin Permissions Review", "description": "Custom admin roles should be reviewed to ensure delegated permissions are appropriately scoped and do not grant excessive access", "severity": "Medium", "zeroTrustPillar": "Governance", "zeroTrustWeight": 1, "subcategory": "Admin Roles", "recommendedValue": "Custom admin roles scoped to minimum necessary permissions", "remediationUrl": "https://admin.google.com/ac/roles", "remediationSteps": "Admin Console > Account > Admin roles > Review each custom role > Verify permissions are scoped appropriately", "compliance": { "nistSp80053": [ "AC-6(1)", "AC-3" ], "mitreAttack": [ "T1098.003" ], "cisBenchmark": [ "4.3" ] }, "provenance": "baseline", "source_url": null, "source_read_date": null, "official_id": null }, { "id": "ADMIN-004", "name": "Inactive/Suspended Admin Accounts", "description": "Suspended or inactive users should not retain admin role assignments. These accounts may be targeted for reactivation attacks", "severity": "High", "zeroTrustPillar": "Governance", "zeroTrustWeight": 1, "subcategory": "Admin Roles", "recommendedValue": "No suspended or inactive users with admin role assignments", "remediationUrl": "https://admin.google.com/ac/users", "remediationSteps": "Admin Console > Directory > Users > Filter suspended users > Remove admin roles from any suspended accounts", "compliance": { "nistSp80053": [ "AC-2(3)", "AC-2(4)" ], "mitreAttack": [ "T1078.004", "T1098" ], "cisBenchmark": [ "4.4" ] }, "provenance": "baseline", "source_url": null, "source_read_date": null, "official_id": null }, { "id": "ADMIN-005", "name": "User Account Inventory", "description": "User account inventory should be maintained with clear counts of active, suspended, and archived accounts for governance", "severity": "Medium", "zeroTrustPillar": "Governance", "zeroTrustWeight": 1, "subcategory": "User Management", "recommendedValue": "Complete user inventory with all accounts in appropriate active/suspended/archived state", "remediationUrl": "https://admin.google.com/ac/users", "remediationSteps": "Admin Console > Directory > Users > Review user list > Suspend or archive accounts that are no longer needed", "compliance": { "nistSp80053": [ "AC-2", "CM-8" ], "mitreAttack": [ "T1087.004" ], "cisBenchmark": [ "4.5" ] }, "provenance": "baseline", "source_url": null, "source_read_date": null, "official_id": null }, { "id": "ADMIN-006", "name": "Stale User Accounts", "description": "User accounts with no login in 90 or more days may be orphaned and should be reviewed for suspension or deletion", "severity": "Medium", "zeroTrustPillar": "Governance", "zeroTrustWeight": 0, "subcategory": "User Management", "recommendedValue": "No user accounts inactive for more than 90 days without documented justification", "remediationUrl": "https://admin.google.com/ac/users", "remediationSteps": "Admin Console > Directory > Users > Sort by last sign-in > Review and suspend accounts inactive for 90+ days", "compliance": { "nistSp80053": [ "AC-2(3)" ], "mitreAttack": [ "T1078.004" ], "cisBenchmark": [ "4.6" ] }, "provenance": "baseline", "source_url": null, "source_read_date": null, "official_id": null }, { "id": "ADMIN-007", "name": "OU Structure Review", "description": "The organizational unit structure should be reviewed to ensure policies can be effectively applied at the appropriate scope", "severity": "Low", "zeroTrustPillar": "Governance", "zeroTrustWeight": 1, "subcategory": "Directory", "recommendedValue": "OU structure documented with clear policy mapping", "remediationUrl": "https://admin.google.com/ac/orgunits", "remediationSteps": "Admin Console > Directory > Organizational units > Review OU hierarchy and ensure it aligns with policy application needs", "compliance": { "nistSp80053": [ "CM-6", "AC-2" ], "mitreAttack": [ "T1087.004" ], "cisBenchmark": [ "4.7" ] }, "provenance": "baseline", "source_url": null, "source_read_date": null, "official_id": null }, { "id": "ADMIN-008", "name": "Directory Sharing Settings", "description": "Directory sharing controls who can view organizational contacts and profiles. External directory sharing should be limited", "severity": "Medium", "zeroTrustPillar": "Governance", "zeroTrustWeight": 1, "subcategory": "Directory", "recommendedValue": "Directory sharing restricted to internal users only", "remediationUrl": "https://admin.google.com/ac/appsettings/986702928867/contactsharing", "remediationSteps": "Admin Console > Directory > Directory settings > Sharing settings > Restrict contact sharing to domain users", "compliance": { "nistSp80053": [ "AC-3", "AC-22" ], "mitreAttack": [ "T1087.004", "T1589" ], "cisBenchmark": [ "4.8" ] }, "provenance": "baseline", "source_url": null, "source_read_date": null, "official_id": null }, { "id": "ADMIN-009", "name": "User Profile Visibility", "description": "User profile information visibility should be controlled to limit reconnaissance potential from external actors", "severity": "Low", "zeroTrustPillar": "Governance", "zeroTrustWeight": 1, "subcategory": "Directory", "recommendedValue": "User profile visibility restricted to internal users", "remediationUrl": "https://admin.google.com/ac/appsettings/986702928867/profilesharing", "remediationSteps": "Admin Console > Directory > Directory settings > Profile sharing > Restrict profile visibility", "compliance": { "nistSp80053": [ "AC-22", "AC-3" ], "mitreAttack": [ "T1589.002" ], "cisBenchmark": [ "4.9" ] }, "provenance": "baseline", "source_url": null, "source_read_date": null, "official_id": null }, { "id": "ADMIN-010", "name": "Groups Settings and External Membership", "description": "Google Groups that allow external members can expose internal communications and data to unauthorized parties", "severity": "High", "zeroTrustPillar": "Governance", "zeroTrustWeight": 2, "subcategory": "Groups", "recommendedValue": "External group membership disabled or restricted to specific groups with documented justification", "remediationUrl": "https://admin.google.com/ac/appsettings/651400000067/sharing", "remediationSteps": "Admin Console > Apps > Google Workspace > Groups for Business > Sharing settings > Restrict external membership", "compliance": { "nistSp80053": [ "AC-3", "AC-4" ], "mitreAttack": [ "T1530", "T1213.003" ], "cisBenchmark": [ "4.10" ] }, "provenance": "baseline", "source_url": null, "source_read_date": null, "official_id": null }, { "id": "ADMIN-011", "name": "Group Creation Restrictions", "description": "Group creation should be restricted to prevent proliferation of unmanaged groups that may expose organizational data", "severity": "Medium", "zeroTrustPillar": "Governance", "zeroTrustWeight": 1, "subcategory": "Groups", "recommendedValue": "Group creation restricted to admins or specific delegated roles", "remediationUrl": "https://admin.google.com/ac/appsettings/651400000067/sharing", "remediationSteps": "Admin Console > Apps > Google Workspace > Groups for Business > Sharing settings > Restrict who can create groups", "compliance": { "nistSp80053": [ "CM-7", "AC-6" ], "mitreAttack": [ "T1136.003" ], "cisBenchmark": [ "4.11" ] }, "provenance": "baseline", "source_url": null, "source_read_date": null, "official_id": null }, { "id": "ADMIN-012", "name": "Groups for Business Settings", "description": "Groups for Business settings control group features including external posting, member visibility, and content sharing", "severity": "Medium", "zeroTrustPillar": "Governance", "zeroTrustWeight": 1, "subcategory": "Groups", "recommendedValue": "Groups for Business configured with restricted external access and posting", "remediationUrl": "https://admin.google.com/ac/appsettings/651400000067/sharing", "remediationSteps": "Admin Console > Apps > Google Workspace > Groups for Business > Sharing settings > Review all settings", "compliance": { "nistSp80053": [ "AC-3", "AC-4" ], "mitreAttack": [ "T1530", "T1213.003" ], "cisBenchmark": [ "4.12" ] }, "provenance": "baseline", "source_url": null, "source_read_date": null, "official_id": null }, { "id": "ADMIN-013", "name": "Super Admin Count", "description": "The number of super admin accounts should be between 2 and 4. Too few creates a single point of failure; too many increases the attack surface", "severity": "High", "zeroTrustPillar": "Governance", "zeroTrustWeight": 1, "subcategory": "Admin Roles", "recommendedValue": "2-4 super admin accounts", "remediationUrl": "https://admin.google.com/ac/users", "remediationSteps": "Admin Console > Directory > Users > Filter by super admin role > Adjust count to 2-4 by removing unnecessary super admins or adding a backup", "compliance": { "nistSp80053": [ "AC-6(1)", "AC-2(7)" ], "mitreAttack": [ "T1078.004" ], "cisBenchmark": [ "4.13" ] }, "provenance": "baseline", "source_url": null, "source_read_date": null, "official_id": null }, { "id": "ADMIN-014", "name": "Assured Controls - Access Approvals Enabled", "description": "Access Approvals should be enabled so that Google support staff must request and obtain organizational approval before accessing covered data, reducing the risk of unauthorized provider access.", "severity": "Medium", "zeroTrustPillar": "Governance", "zeroTrustWeight": 1, "subcategory": "Assured Controls", "recommendedValue": "Access Approvals enabled (Google staff require customer approval before accessing data)", "remediationUrl": "https://admin.google.com/ac/managedsettings", "remediationSteps": "Admin Console > Data > Compliance > Access Management / Access Approvals > Enable the requirement for Google support staff to request approval before accessing organizational data. Requires Assured Controls.", "compliance": { "scuba": [ "GWS.ASSUREDCONTROLS.1.1v1" ], "nistSp80053": [ "AC-3", "AC-6", "AU-9" ], "mitreAttack": [ "T1199" ], "cisBenchmark": [] }, "provenance": "baseline", "source_url": null, "source_read_date": null, "official_id": null }, { "id": "ADMIN-015", "name": "Assured Controls - Support Access Restricted to U.S. Staff", "description": "Support access should be restricted to Google staff located in the United States to maintain data sovereignty and prevent covered data from being handled by non-U.S. personnel.", "severity": "Medium", "zeroTrustPillar": "Governance", "zeroTrustWeight": 1, "subcategory": "Assured Controls", "recommendedValue": "Support access audience restricted to U.S. Google staff", "remediationUrl": "https://admin.google.com/ac/managedsettings", "remediationSteps": "Admin Console > Data > Compliance > Access Management > Set the allowed support audience to U.S. Google staff only. Requires Assured Controls.", "compliance": { "scuba": [ "GWS.ASSUREDCONTROLS.1.2v1" ], "nistSp80053": [ "AC-3", "SA-9" ], "mitreAttack": [ "T1199" ], "cisBenchmark": [] }, "provenance": "baseline", "source_url": null, "source_read_date": null, "official_id": null }, { "id": "ADMIN-016", "name": "Assured Controls - Multi-Region Data Processing Disabled", "description": "Data processing across multiple regions should be disabled for all Google Workspace products so that covered data is processed only within its designated storage region, preserving data sovereignty.", "severity": "Medium", "zeroTrustPillar": "Governance", "zeroTrustWeight": 1, "subcategory": "Assured Controls", "recommendedValue": "Data processing limited to the storage region (multi-region processing disabled)", "remediationUrl": "https://admin.google.com/ac/managedsettings", "remediationSteps": "Admin Console > Data > Compliance > Data regions > Enable 'Limit data processing to the chosen storage region' across Calendar, Drive and Docs, Gmail, Chat, Meet, and Gemini. Requires Assured Controls / Data Regions.", "compliance": { "scuba": [ "GWS.ASSUREDCONTROLS.2.1v1" ], "nistSp80053": [ "SC-7", "AC-4" ], "mitreAttack": [ "T1530" ], "cisBenchmark": [] }, "provenance": "baseline", "source_url": null, "source_read_date": null, "official_id": null }, { "id": "ADMIN-017", "name": "Internal apps not auto-trusted (GWS.COMMONCONTROLS.10.3)", "description": "SCuBA GWS.COMMONCONTROLS.10.3: automatically trusting internal (domain-owned) OAuth apps grants them access without review, an insider/lateral data-access path. Reads api_controls.internal_apps; warns where trustInternalApps is on.", "severity": "Medium", "zeroTrustPillar": "Applications & Workloads", "zeroTrustWeight": 2, "subcategory": "API Controls", "recommendedValue": "Internal apps are not automatically trusted", "remediationSteps": "In Admin console > Security > API controls, disable automatic trust of internal apps so they undergo the same review as third-party apps.", "compliance": { "scuba": [ "GWS.COMMONCONTROLS.10.3v1" ], "nistSp80053": [ "AC-3", "AC-6", "CM-7" ] }, "provenance": "baseline", "source_url": null, "source_read_date": null, "official_id": null }, { "id": "ADMIN-018", "name": "Data at-rest region configured (GWS.COMMONCONTROLS.15.1)", "description": "SCuBA GWS.COMMONCONTROLS.15.1: setting a data-at-rest region enforces where organizational data is stored (residency/compliance). Reads data_regions.data_at_rest_region; warns where no region preference is set.", "severity": "Low", "zeroTrustPillar": "Data", "zeroTrustWeight": 1, "subcategory": "Data Residency", "recommendedValue": "A specific data-at-rest region is configured per organizational policy", "remediationSteps": "In Admin console > Data > Data regions, set the data-at-rest region required by your organization's residency policy rather than leaving it unset.", "compliance": { "scuba": [ "GWS.COMMONCONTROLS.15.1v1" ], "nistSp80053": [ "SC-28", "AC-3" ] }, "provenance": "baseline", "source_url": null, "source_read_date": null, "official_id": null }, { "id": "ADMIN-019", "name": "Data processing restricted to storage region (GWS.COMMONCONTROLS.15.2)", "description": "SCuBA GWS.COMMONCONTROLS.15.2 requires that data be processed in the same region selected for data at rest, so processing does not move covered data outside the chosen jurisdiction. This check reads the data_regions.data_processing_region Cloud Identity policy and flags any organizational unit where processing is not limited to the storage region.", "severity": "Low", "zeroTrustPillar": "Data", "zeroTrustWeight": 1, "subcategory": "Data Residency", "recommendedValue": "Data processing limited to the storage region (limitToStorageRegion = true) in all organizational units.", "remediationSteps": "In the Google Admin console, under Account > Data regions, enable 'Process data only in the selected region' so processing stays within the region chosen for data at rest.", "compliance": { "scuba": [ "GWS.COMMONCONTROLS.15.2v1" ], "nistSp80053": [ "SA-9", "AC-4" ] }, "provenance": "baseline", "source_url": null, "source_read_date": null, "official_id": null, "verdictPaths": [ "clean", "known-bad", "not-assessed" ] }, { "id": "ADMIN-020", "name": "Access to unconfigured third-party apps blocked (GWS.COMMONCONTROLS.10.4)", "description": "SCuBA GWS.COMMONCONTROLS.10.4 requires that users SHALL NOT be allowed to access unconfigured third-party apps, because an app that has not been explicitly reviewed can request broad OAuth scopes and become a data-exfiltration or account-takeover path. This check reads the api_controls.unconfigured_third_party_apps Cloud Identity policy and flags any organizational unit whose access level is not BLOCK_ALL_SCOPES (the value that blocks all access to unconfigured apps).", "severity": "High", "zeroTrustPillar": "Applications & Workloads", "zeroTrustWeight": 2, "subcategory": "Third-Party App Access", "recommendedValue": "Access level for unconfigured third-party apps set to BLOCK_ALL_SCOPES in all organizational units.", "remediationSteps": "In the Google Admin console, under Security > API controls > App access control, set unconfigured third-party apps to 'Blocked', so users cannot grant any access to apps that have not been explicitly configured and reviewed.", "compliance": { "scuba": [ "GWS.COMMONCONTROLS.10.4v1" ], "nistSp80053": [ "AC-3", "AC-6" ] }, "provenance": "baseline", "source_url": null, "source_read_date": null, "official_id": null, "verdictPaths": [ "clean", "known-bad", "not-assessed" ] }, { "id": "ADMIN-021", "name": "Additional Google services without individual control restricted (GWS.COMMONCONTROLS.16.1)", "description": "SCuBA GWS.COMMONCONTROLS.16.1 recommends that Google services which do not have their own individual admin control be turned OFF for everyone. Google models this with inverted semantics: the enterprise_service_restrictions service must be ENABLED for those additional services to be restricted (blocked). This check reads the enterprise_service_restrictions.service_status Cloud Identity policy and flags any organizational unit where serviceState is not ENABLED, meaning users can still reach unconfigured additional services.", "severity": "Medium", "zeroTrustPillar": "Applications & Workloads", "zeroTrustWeight": 1, "subcategory": "Service Management", "recommendedValue": "enterprise_service_restrictions serviceState set to ENABLED (additional services restricted) in all organizational units.", "remediationSteps": "In the Google Admin console, under Apps > Additional Google services, set the access setting for services without an individual control to OFF for everyone. This enables the enterprise service restriction so users cannot access those additional services.", "compliance": { "scuba": [ "GWS.COMMONCONTROLS.16.1v1" ], "nistSp80053": [ "CM-7", "AC-6" ] }, "provenance": "baseline", "source_url": null, "source_read_date": null, "official_id": null, "verdictPaths": [ "clean", "known-bad", "not-assessed" ] }, { "id": "ADMIN-022", "name": "Early Access applications disabled (GWS.COMMONCONTROLS.16.2)", "description": "SCuBA GWS.COMMONCONTROLS.16.2 recommends disabling user access to Early Access applications, which are pre-release features that have not completed Google's full review and may carry unassessed risk. This check reads the early_access_apps.service_status Cloud Identity policy and flags any organizational unit where serviceState is ENABLED.", "severity": "Medium", "zeroTrustPillar": "Applications & Workloads", "zeroTrustWeight": 1, "subcategory": "Service Management", "recommendedValue": "early_access_apps serviceState not ENABLED (Early Access applications disabled) in all organizational units.", "remediationSteps": "In the Google Admin console, under Apps > Additional Google services > Early Access Apps, turn the service OFF for everyone so users cannot enable pre-release Early Access applications.", "compliance": { "scuba": [ "GWS.COMMONCONTROLS.16.2v1" ], "nistSp80053": [ "CM-7", "SA-22" ] }, "provenance": "baseline", "source_url": null, "source_read_date": null, "official_id": null, "verdictPaths": [ "clean", "known-bad", "not-assessed" ] } ] } |