Data/AuditChecks/DriveSecurityChecks.json

{
  "categoryId": "drive",
  "categoryName": "Drive Security & Data Protection",
  "categoryDescription": "Checks related to Google Drive sharing, access controls, DLP, and data protection settings",
  "checks": [
    {
      "id": "DRIVE-001",
      "name": "External Sharing Defaults",
      "description": "Sharing outside the organization should be restricted or disabled by default to prevent accidental data exposure to external parties",
      "severity": "High",
      "zeroTrustPillar": "Data",
      "zeroTrustWeight": 2,
      "subcategory": "Sharing",
      "recommendedValue": "External sharing restricted to allowlisted domains or disabled",
      "remediationUrl": "https://admin.google.com/ac/appsettings/55656082996/sharing",
      "remediationSteps": "Admin Console > Apps > Google Workspace > Drive and Docs > Sharing settings > Set sharing outside the organization to 'Off' or 'Allowlisted domains'",
      "compliance": {
        "nistSp80053": [
          "AC-3",
          "AC-4"
        ],
        "mitreAttack": [
          "T1567",
          "T1537"
        ],
        "cisBenchmark": [
          "2.1"
        ],
        "scuba": [
          "GWS.DRIVEDOCS.1.1v1",
          "GWS.DRIVEDOCS.1.2v1",
          "GWS.DRIVEDOCS.1.6v1"
        ]
      },
      "provenance": "baseline",
      "source_url": null,
      "source_read_date": null,
      "official_id": null
    },
    {
      "id": "DRIVE-002",
      "name": "Link Sharing Default Settings",
      "description": "Default link sharing should be set to 'Restricted' (specific people) rather than broad access to prevent unintended data exposure",
      "severity": "High",
      "zeroTrustPillar": "Data",
      "zeroTrustWeight": 2,
      "subcategory": "Sharing",
      "recommendedValue": "Default link sharing set to 'Restricted' (specific people only)",
      "remediationUrl": "https://admin.google.com/ac/appsettings/55656082996/sharing",
      "remediationSteps": "Admin Console > Apps > Google Workspace > Drive and Docs > Sharing settings > Set default link sharing to 'Restricted'",
      "compliance": {
        "nistSp80053": [
          "AC-3",
          "AC-6"
        ],
        "mitreAttack": [
          "T1530"
        ],
        "cisBenchmark": [
          "2.2"
        ]
      },
      "provenance": "baseline",
      "source_url": null,
      "source_read_date": null,
      "official_id": null
    },
    {
      "id": "DRIVE-003",
      "name": "Anyone With the Link Sharing Audit",
      "description": "Files shared with 'Anyone with the link' are accessible to anyone on the internet and represent a significant data exposure risk",
      "severity": "High",
      "zeroTrustPillar": "Data",
      "zeroTrustWeight": 2,
      "subcategory": "Sharing",
      "recommendedValue": "'Anyone with the link' sharing disabled or tightly controlled",
      "remediationUrl": "https://admin.google.com/ac/appsettings/55656082996/sharing",
      "remediationSteps": "Admin Console > Apps > Google Workspace > Drive and Docs > Sharing settings > Disable 'Anyone with the link' option or restrict to 'Domain users with the link'",
      "compliance": {
        "nistSp80053": [
          "AC-3",
          "AC-22"
        ],
        "mitreAttack": [
          "T1530",
          "T1213"
        ],
        "cisBenchmark": [
          "2.3"
        ]
      },
      "provenance": "baseline",
      "source_url": null,
      "source_read_date": null,
      "official_id": null
    },
    {
      "id": "DRIVE-004",
      "name": "Shared Drive Creation Restrictions",
      "description": "Shared Drive creation should be restricted to prevent uncontrolled proliferation and ensure proper governance of shared data repositories",
      "severity": "Medium",
      "zeroTrustPillar": "Data",
      "zeroTrustWeight": 1,
      "subcategory": "Shared Drives",
      "recommendedValue": "Shared Drive creation restricted to specific groups or admins",
      "remediationUrl": "https://admin.google.com/ac/appsettings/55656082996/sharing",
      "remediationSteps": "Admin Console > Apps > Google Workspace > Drive and Docs > Sharing settings > Shared drive creation > Restrict who can create shared drives",
      "compliance": {
        "nistSp80053": [
          "CM-7",
          "AC-6"
        ],
        "mitreAttack": [
          "T1530"
        ],
        "cisBenchmark": [
          "2.4"
        ],
        "scuba": [
          "GWS.DRIVEDOCS.2.1v1",
          "GWS.DRIVEDOCS.2.2v1"
        ]
      },
      "provenance": "baseline",
      "source_url": null,
      "source_read_date": null,
      "official_id": null
    },
    {
      "id": "DRIVE-005",
      "name": "Shared Drive Member Management",
      "description": "Shared Drive member management should be controlled to prevent unauthorized users from being added or permissions being escalated",
      "severity": "Medium",
      "zeroTrustPillar": "Data",
      "zeroTrustWeight": 1,
      "subcategory": "Shared Drives",
      "recommendedValue": "Only managers can add members and change access levels",
      "remediationUrl": "https://admin.google.com/ac/appsettings/55656082996/sharing",
      "remediationSteps": "Admin Console > Apps > Google Workspace > Drive and Docs > Sharing settings > Shared drive settings > Configure member management permissions",
      "compliance": {
        "nistSp80053": [
          "AC-3",
          "AC-6(1)"
        ],
        "mitreAttack": [
          "T1098"
        ],
        "cisBenchmark": [
          "2.5"
        ]
      },
      "provenance": "baseline",
      "source_url": null,
      "source_read_date": null,
      "official_id": null
    },
    {
      "id": "DRIVE-006",
      "name": "Shared Drive External Sharing",
      "description": "External sharing on Shared Drives should be restricted to prevent sensitive organizational data from being shared outside the domain",
      "severity": "High",
      "zeroTrustPillar": "Data",
      "zeroTrustWeight": 2,
      "subcategory": "Shared Drives",
      "recommendedValue": "External sharing on Shared Drives disabled or restricted to allowlisted domains",
      "remediationUrl": "https://admin.google.com/ac/appsettings/55656082996/sharing",
      "remediationSteps": "Admin Console > Apps > Google Workspace > Drive and Docs > Sharing settings > Shared drive sharing > Restrict external sharing",
      "compliance": {
        "nistSp80053": [
          "AC-3",
          "AC-4"
        ],
        "mitreAttack": [
          "T1537",
          "T1567"
        ],
        "cisBenchmark": [
          "2.6"
        ]
      },
      "provenance": "baseline",
      "source_url": null,
      "source_read_date": null,
      "official_id": null
    },
    {
      "id": "DRIVE-007",
      "name": "File Ownership Transfer Settings",
      "description": "File ownership transfer should be controlled to prevent unauthorized data migration and maintain proper data governance chains",
      "severity": "Medium",
      "zeroTrustPillar": "Data",
      "zeroTrustWeight": 1,
      "subcategory": "Access Control",
      "recommendedValue": "File ownership transfer restricted to admins or controlled process",
      "remediationUrl": "https://admin.google.com/ac/appsettings/55656082996/sharing",
      "remediationSteps": "Admin Console > Apps > Google Workspace > Drive and Docs > Transfer ownership settings > Configure restrictions",
      "compliance": {
        "nistSp80053": [
          "AC-3",
          "MP-5"
        ],
        "mitreAttack": [
          "T1537"
        ],
        "cisBenchmark": [
          "2.7"
        ]
      },
      "provenance": "baseline",
      "source_url": null,
      "source_read_date": null,
      "official_id": null
    },
    {
      "id": "DRIVE-008",
      "name": "Drive for Desktop Allowed/Blocked",
      "description": "Drive for Desktop syncs files locally and should be controlled to prevent data from being stored on unmanaged endpoints",
      "severity": "Medium",
      "zeroTrustPillar": "Data",
      "zeroTrustWeight": 1,
      "subcategory": "Access Control",
      "recommendedValue": "Drive for Desktop restricted to managed devices or disabled",
      "remediationUrl": "https://admin.google.com/ac/appsettings/55656082996/drivefordesktop",
      "remediationSteps": "Admin Console > Apps > Google Workspace > Drive and Docs > Features and Applications > Drive for Desktop > Configure access",
      "compliance": {
        "nistSp80053": [
          "SC-28",
          "MP-7"
        ],
        "mitreAttack": [
          "T1530",
          "T1005"
        ],
        "cisBenchmark": [
          "2.8"
        ]
      },
      "provenance": "baseline",
      "source_url": null,
      "source_read_date": null,
      "official_id": null
    },
    {
      "id": "DRIVE-009",
      "name": "Third-Party App Drive Access",
      "description": "Third-party applications with access to Drive data should be reviewed and restricted to prevent unauthorized data exfiltration",
      "severity": "High",
      "zeroTrustPillar": "Data",
      "zeroTrustWeight": 2,
      "subcategory": "Data Protection",
      "recommendedValue": "Third-party app access to Drive data restricted and reviewed",
      "remediationUrl": "https://admin.google.com/ac/owl/list?tab=apps",
      "remediationSteps": "Admin Console > Security > API controls > Third-party app access > Review and restrict apps with Drive access",
      "compliance": {
        "nistSp80053": [
          "AC-3",
          "AC-20"
        ],
        "mitreAttack": [
          "T1530",
          "T1567.002"
        ],
        "cisBenchmark": [
          "2.9"
        ]
      },
      "provenance": "baseline",
      "source_url": null,
      "source_read_date": null,
      "official_id": null
    },
    {
      "id": "DRIVE-010",
      "name": "Drive DLP Rules Audit",
      "description": "Data Loss Prevention rules should be configured to detect and prevent sharing of sensitive data through Google Drive",
      "severity": "Medium",
      "zeroTrustPillar": "Data",
      "zeroTrustWeight": 1,
      "subcategory": "Data Protection",
      "recommendedValue": "DLP rules configured for sensitive data types (PII, financial, health data)",
      "remediationUrl": "https://admin.google.com/ac/dp/rules",
      "remediationSteps": "Admin Console > Security > Data protection > Manage rules > Create rules for sensitive data types in Drive",
      "compliance": {
        "nistSp80053": [
          "SC-7",
          "SI-4"
        ],
        "mitreAttack": [
          "T1567",
          "T1048"
        ],
        "cisBenchmark": [
          "2.10"
        ]
      },
      "provenance": "baseline",
      "source_url": null,
      "source_read_date": null,
      "official_id": null
    },
    {
      "id": "DRIVE-011",
      "name": "Target Audience Settings",
      "description": "Target audience settings control who can be suggested when sharing files and should be configured to limit accidental sharing",
      "severity": "Medium",
      "zeroTrustPillar": "Data",
      "zeroTrustWeight": 1,
      "subcategory": "Sharing",
      "recommendedValue": "Target audiences configured to limit sharing suggestions appropriately",
      "remediationUrl": "https://admin.google.com/ac/targetaudiences",
      "remediationSteps": "Admin Console > Directory > Target audiences > Review and configure target audience groups",
      "compliance": {
        "nistSp80053": [
          "AC-3",
          "AC-6"
        ],
        "mitreAttack": [
          "T1530"
        ],
        "cisBenchmark": [
          "2.11"
        ]
      },
      "provenance": "baseline",
      "source_url": null,
      "source_read_date": null,
      "official_id": null
    },
    {
      "id": "DRIVE-012",
      "name": "Drive Add-ons Settings",
      "description": "Drive add-ons can access file content and should be controlled to prevent data exposure through untrusted extensions",
      "severity": "Low",
      "zeroTrustPillar": "Data",
      "zeroTrustWeight": 1,
      "subcategory": "Access Control",
      "recommendedValue": "Drive add-on installation restricted to admin-approved add-ons",
      "remediationUrl": "https://admin.google.com/ac/appsettings/55656082996/addons",
      "remediationSteps": "Admin Console > Apps > Google Workspace > Drive and Docs > Features and Applications > Add-ons > Configure installation restrictions",
      "compliance": {
        "nistSp80053": [
          "CM-7",
          "CM-11"
        ],
        "mitreAttack": [
          "T1195.002"
        ],
        "cisBenchmark": [
          "2.12"
        ]
      },
      "provenance": "baseline",
      "source_url": null,
      "source_read_date": null,
      "official_id": null
    },
    {
      "id": "DRIVE-013",
      "name": "Offline Access Settings",
      "description": "Offline access allows Drive files to be cached locally on devices and should be controlled to prevent data exposure on shared or unmanaged devices",
      "severity": "Medium",
      "zeroTrustPillar": "Data",
      "zeroTrustWeight": 1,
      "subcategory": "Access Control",
      "recommendedValue": "Offline access disabled or restricted to managed devices",
      "remediationUrl": "https://admin.google.com/ac/appsettings/55656082996/offlineaccess",
      "remediationSteps": "Admin Console > Apps > Google Workspace > Drive and Docs > Features and Applications > Offline > Disable or restrict offline access",
      "compliance": {
        "nistSp80053": [
          "SC-28",
          "AC-19"
        ],
        "mitreAttack": [
          "T1005",
          "T1530"
        ],
        "cisBenchmark": [
          "2.13"
        ]
      },
      "provenance": "baseline",
      "source_url": null,
      "source_read_date": null,
      "official_id": null
    },
    {
      "id": "DRIVE-014",
      "name": "Drive SDK API access disabled (GWS.DRIVEDOCS.4.1)",
      "description": "SCuBA GWS.DRIVEDOCS.4.1: the Drive SDK lets third-party apps read and write Drive content via API, a direct data-exfiltration channel when broadly enabled. Reads drive_and_docs.drive_sdk; fails where enableDriveSdkApiAccess is on.",
      "severity": "High",
      "zeroTrustPillar": "Data",
      "zeroTrustWeight": 3,
      "subcategory": "Drive API",
      "recommendedValue": "Drive SDK API access disabled",
      "remediationSteps": "In Admin console > Apps > Google Workspace > Drive and Docs > Features and Applications, disable Drive SDK unless specific reviewed integrations require it.",
      "compliance": {
        "scuba": [
          "GWS.DRIVEDOCS.4.1v1"
        ],
        "nistSp80053": [
          "AC-4",
          "AC-3",
          "SC-7"
        ]
      },
      "provenance": "baseline",
      "source_url": null,
      "source_read_date": null,
      "official_id": null
    },
    {
      "id": "DRIVE-015",
      "name": "Drive external-file warning enabled (GWS.DRIVEDOCS.1.9)",
      "description": "SCuBA GWS.DRIVEDOCS.1.9: warning users when they share files externally is a low-friction data-loss control. Reads drive_and_docs.external_file_warning; warns where highlightingEnabled is off.",
      "severity": "Low",
      "zeroTrustPillar": "Data",
      "zeroTrustWeight": 1,
      "subcategory": "Drive Sharing",
      "recommendedValue": "External-file sharing warning enabled",
      "remediationSteps": "In Drive sharing settings, enable warnings when users share files with people outside the organization.",
      "compliance": {
        "scuba": [
          "GWS.DRIVEDOCS.1.9v1"
        ],
        "nistSp80053": [
          "AC-22",
          "SI-10"
        ]
      },
      "provenance": "baseline",
      "source_url": null,
      "source_read_date": null,
      "official_id": null
    },
    {
      "id": "DRIVE-016",
      "name": "Drive file security update enforced (GWS.DRIVEDOCS.3.1)",
      "description": "SCuBA GWS.DRIVEDOCS.3.1: the file security update tightens link-sharing on affected files; letting users remove it re-opens access. Reads drive_and_docs.file_security_update; warns where users are allowed to remove/manage the security update.",
      "severity": "Medium",
      "zeroTrustPillar": "Data",
      "zeroTrustWeight": 2,
      "subcategory": "Drive Sharing",
      "recommendedValue": "Security update applied and users cannot remove it",
      "remediationSteps": "In Drive settings, apply the file security update and do not allow users to remove it from files they own.",
      "compliance": {
        "scuba": [
          "GWS.DRIVEDOCS.3.1v1"
        ],
        "nistSp80053": [
          "AC-3",
          "CM-6"
        ]
      },
      "provenance": "baseline",
      "source_url": null,
      "source_read_date": null,
      "official_id": null
    },
    {
      "id": "DRIVE-017",
      "name": "Default file access set to private to owner (GWS.DRIVEDOCS.1.8)",
      "description": "SCuBA GWS.DRIVEDOCS.1.8 requires that 'Private to owner' be the default access level for newly created Drive items, so files are not shared more broadly than intended at creation time. This check reads the drive_and_docs.general_access_default Cloud Identity policy and flags any organizational unit where the default file access is not PRIVATE_TO_OWNER.",
      "severity": "Medium",
      "zeroTrustPillar": "Data",
      "zeroTrustWeight": 2,
      "subcategory": "Drive Sharing",
      "recommendedValue": "Default access level for new files set to PRIVATE_TO_OWNER (defaultFileAccess) in all organizational units.",
      "remediationSteps": "In the Google Admin console, under Apps > Google Workspace > Drive and Docs > Sharing settings > General access default, set the default to 'Private to owner' so newly created files start private and are shared only by deliberate action.",
      "compliance": {
        "scuba": [
          "GWS.DRIVEDOCS.1.8v1"
        ],
        "nistSp80053": [
          "AC-3",
          "AC-6"
        ]
      },
      "provenance": "baseline",
      "source_url": null,
      "source_read_date": null,
      "official_id": null,
      "verdictPaths": [
        "clean",
        "known-bad",
        "not-assessed"
      ]
    }
  ]
}