Security_Controls

Controls

• Issue ID label filter - https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit/issues?q=is%3Aissue+is%3Aopen+label%3Asecurity-controls
• ITSG-33 Controls Details are available at the 2015 version of https://www.cyber.gc.ca/sites/default/files/cyber/publications/itsg33-ann4a-1-eng.pdf

Controls Coverage

• TODO: add P1 and optionally P2 controls - Use the new "All Products" page for a list of Google Cloud Services https://console.cloud.google.com/products

Controls to Code Mappings

Controls to GCP Services Mappings

Recommended Security Controls List

Category + count	Controls subset P1=**bold** P2=_italic_	Inherited Controls	Guardrails Additional +
AC 28 P1=7 P2=17	AC-2 AC-2(2) AC-2(3) AC-2(4) AC-2(10) AC-3 AC-3(4) AC-3(7) AC-3(9) AC-4 AC-4(21) AC-6(10) AC-7 AC-8 AC-9 AC-9(3) AC-10 AC-11 AC-11(1) AC-12 AC-16(2) AC-16(4) AC-16(5) AC-17(1) AC-17(2) AC-17(3) AC-17(100) AC-18(1)
AU 16 P1=3 P2=13	AU-3 AU-3(1) AU-4(1) AU-5 AU-5(1) AU-6(4) AU-7 AU-7(1) AU-7(2) AU-8 AU-8(1) (AU-9 P1?) AU-9(2) (AU-12 P1?) AU-12(1) AU-12(2)
CA 1 P3=1	CA-9(1)(P3)
CM 3 P2=2 P3=1	CM-5(1) CM-11(1) CM-11(2)(P3)
CP 1 P3=1	CP-11(P3)
IA 16 P1=5 P2=8	IA-2 IA-2(1) IA-2(3) IA-2(6) IA-2(8) IA-2(9) IA-2(11) IA-3 IA-3(1) IA-5(1) IA-5(2) IA-5(11) IA-5(13) (from P1) IA-6 IA-7 IA-8 (from P1)
MA 1 P3=1	MA-4(6)(P3)
MP 1 P2=1	MP-5(4)
RA 1	RA-5(5)
SC 28 P1=7 P2=12 P3=4	SC-2 SC-2(1) SC-4 SC-5 SC-5(2) SC-7(5) SC-7(7) SC-7(8) SC-7(9) SC-7(11) SC-7(18) SC-8 SC-8(1) SC-10(P3) SC-13(P3) SC-15(P3) SC-18(1) SC-18(3) SC-18(4) SC-20 SC-22(P3) SC-23 SC-23(1) SC-23(3) SC-24 SC-28 SC-28(1) SC-39
SI 11 P2=8 P3=3	SI-3(2) SI-3(4) SI-3(7)(P3) SI-4(4) SI-4(5) SI-4(7) SI-7(1) SI-8(2) SI-10(P3) SI-11(P3) SI-16

Controls Summary

• refer to https://www.cyber.gc.ca/sites/default/files/cyber/publications/itsg33-ann4a-1-eng.pdf
• 107 Controls
• P1 = 22
• P2 = 61
• P3 = 11 = CA-9(1) CM-11(2) CP-11 MA-6 SC-10 SC-13 SC-15 SC-22 SI-3(7) SI-10 SI-11
• Uncategorized = 13
• secondary reference (hyperlinked) = 8

Secondary Reference - Security Controls List

• 31 (15 guardrails) + 10 + 25 = 66 (guardrails subset = 48)

Category	31 Controls highlighted 20 P1 in bold, 11 P2- in italic GR +	10 Extended/Inherited Controls	25 Guardrails Additional +
AC 5	+AC-2 +AC-3 +AC-4 +AC-6 AC-12	AC-17(1)	+AC-5 +AC-6(5) +AC-6(10) +AC-7 +AC-9 +AC‑19 +AC‑20(3)
AT 1	AT-3
AU 4	+AU-2 +AU-3 +AU-6 AU-13	+AU-9 +AU-12	+AU-8 +AU-9(4)
CA 1	CA-3
CM 1	+CM-2	+CM-8	+CM-3 +CM-4 +CM-5
IA 2	+IA-2 +IA-5	+IA-2(1) +IA-2(2)	+IA-2(11) +IA-4 +IA-5(1) +IA-5(6) +IA-5(7) +IA-5(13) +IA-6 +IA-8
IR 1	IR-6
MP 1	MP-2
PE 2	PE-3 PE-19
PS 1	PS-6
RA 1	RA-5
SA 2	SA-4 SA-8		+SA-22
SC 5	+SC-7 +SC-13 SC-26 +SC-28 SC-101	+SC-5 SC-7(3) +SC-7(5) +SC-28(1)	+SC-8 +SC-8(1) +SC-12 +SC-17
SI 4	+SI-2 SI-3 +SI-4 SI-7

P1 Controls

140 P1
24 AC-1/2/3/3.7/3.9/3.10/4/4.4/4.12/4.13/4.14/4.15/5/6/6.5/7/8/17/18/18.5/19/19.4/19.100/22
4 AT-1/2/2.2 3
8 AU-1/2/3/4/4.1/6/8/12
8 CA-1 / 2.1 /3/3.2 3.3/3.4/6 7.1 
10 CM-1 2 2.7 3 5 6 7 7.5 8 9 
2 CP-1 9
8 IA-1 2 2.1 3 4 5 5.1 6
2 IR-1 9
3 MA-1 3.2 5.2
9 MP-1 2 3 4 5 5.3 8 8.3 8.4
15 PE-1 2 2.3 2.100 3 4 6 6.2 6.3 6.4 8 16 18 18.1 20
7 PL-1 2 4 7 8 8.1 8.2
9 PS-1 3 3.1 3.2 4 5 6 6.2 7
3 RA-1 2 3
5 SA-1 4.2 4.6 4.7 9
17 SC-1 2 5 7 7.3 7.5 7.9 7.14 8 12.2 12.3 18 23 24 28 43 101
6 SI-1 2 3 4 5 8

• 140 P1 list in italic referenced in https://cyber.gc.ca/sites/default/files/cyber/publications/Annex%20B%20CCCS%20MEDIUM%20Cloud%20Profile%20Recommendations.xlsx replaces older 2021 https://cyber.gc.ca/sites/default/files/cyber/publications/itsg33-ann4a-1-eng.pdf (replaces moved https://cyber.gc.ca/sites/default/files/publications/itsg33-ann4a-1-eng.pdf)
• See P1 list italic diff of 77 in https://cyber.gc.ca/sites/default/files/cyber/publications/itsg33-ann4a-1-eng.pdf

graph LR;
    style GCP fill:#44f,stroke:#f66,stroke-width:2px,color:#fff,stroke-dasharray: 5 5
    %% mapped and documented

    PBMM-->AU-1;
    PBMM-->AU-2;
    PBMM-->AU-3;
    PBMM-->AU-4;
    PBMM-->AU-4.1;
    PBMM-->AU-6;
    PBMM-->AU-8;
    PBMM-->AU-12;
    PBMM-->CM-1;
    PBMM-->CM-2;
    PBMM-->CM-3;
    PBMM-->CM-5;
    PBMM-->CM-6;
    PBMM-->CM-7;
    PBMM-->CM-7.5;
    PBMM-->CM-8;
    PBMM-->CM-9;
    PBMM-->CP-1;
    PBMM-->IR-1;
    PBMM-->IR-9;
    PBMM-->MA-1;
    PBMM-->MA-3.3;
    PBMM-->MP-2;
    PBMM-->PE-3;
    PBMM-->PE-19;
    PBMM-->RA-1;
    PBMM-->RA-2;
    PBMM-->RA-3;
    %% subset edit point above

    
    %% mapped but not yet documented
    unmapped-->AC-2.1/5/6.5/6.10/7/19;
    unmapped-->AU-3.2/4/9.4;
    unmapped-->CM-3/4/5/8;
    unmapped-->CP-7;
    unmapped-->IA-4/5.1/5.7/5.13/6/8;
    unmapped-->SA-22;
    unmapped-->SC-5/7.7/8/8.1/12/17;
    
    %% control to sub-service
    AC-2-->bucket-not-public;
    AC-2-->enforce-public-access-prevention;
    AC-2-->restrict-public-IP-access-sql;
    AC-2-->Roles;
    AC-2-->Identity-Federation;
    AC-3-->Roles;
    AC-4-->IDS;
    AC-4-->VFW;
    AC-4-->Asset-Inventory;
    AC-6-->Roles;
    AC-12-->Pre-Signed-URLs;
    AC-17.1-->IAP;
    AC-20.3-->BeyondCorp-CAA;
    AU-2-->Monitoring;
    AU-2-->Identity;
    AU-2-->Password-Policies;
    AU-2-->Audit-and-Investigation;
    AU-2-->Apps-Reports-Accounts;
    AU-2-->Alert-Policy;
    AU-2-->Logs-Explorer;
    AU-2-->Logs-Router;
    AU-2-->bucket-not-public;
    AU-2-->bucket-protection-retention-1-sec;
    AU-3-->Monitoring;
    AU-3-->Alert-Policy;
    AU-3-->Logs-Explorer;
    AU-3-->Logs-Router;
    AU-6-->bucket-protection-retention-1-sec;
    AU-6-->Monitoring;
    AU-6-->Alert-Policy;
    AU-6-->Logs-Explorer;
    AU-6-->Logs-Router;
    AU-13-->DLP;
    AU-13-->bucket-not-public;
    AU-13-->Monitoring;
    AU-13-->Alert-Policy;
    AU-13-->Logs-Explorer;
    AU-13-->Logs-Router;
    AU-8-->Event-Logging;
    
    %% post-Terraform
    post-TF-console-->SC-7-->Location-Restriction;
    
    %% requires Traffic Generation app
    AU-12== traffic gen ==>VPC-Flow-Logs;
    AU-12== traffic gen ==>SCC-Findings;
    AU-12-->SCC-Compliance;
    
    AU-9-->Non-Public-->Cloud-Storage;
    AU-9-->Protection-Retention-->Cloud-Storage;
    AT-3-->Certification-Training;
    CA-3-->IAP;
    CA-3-->Cloud-Deploy;
    CA-3-->Deployment-Manager;
    CA-3-->Private-Access;
    CM-2-->Marketplace-Role-restriction;
    IA-2-->Identity-Federation;
    IA-2-->IAP;
    IA-2.1-->Roles;
    IA-2.1-->Identity-Federation;
    IA-2.2-->Identity-Federation;
    IA-2.1-->IAP;
    IA-2.1-->Roles;
    IA-2.2-->Roles;
    IA-5-->IAP;
    IA-5-->Roles;
    IA-5-->2FA;
    IR-6-->Alert-Policy;
    IR-6-->Logs-Explorer;
    IR-6-->Logs-Router;
    IR-6-->bucket-not-public;
    IR-6-->bucket-protection-retention-1-sec
    MP-2-->DLP;
    MP-2-->Data-Center-Security;
    PE-3-->Data-Center-Security;
    PE-19-->Data-Center-Security;
    
    
    RA-5-->SCC-Vulnerabilities;
    RA-5-->Vulnerability-Scanning;
    SA-4-->SCC-Vulnerabilities;
    SA-4-->Vulnerability-Scanning;
    SA-8-->Encryption-at-rest;
    SA-8-->Encryption-in-transit;
    SC-7-->Resource-Location-Restriction;
    SC-7== traffic gen ==>VPC-Firewall-Logs;
    SC-7-->IDS;
    SC-7== traffic gen ==>VPC-Firewall-Rules;
    SC-7.3== traffic gen ==>VPC-Firewall-Logs;
    SC-7.5== traffic gen ==>VPC-Firewall-Logs;
    
    SC-8-->Encryption-at-rest;
    SC-8-->Encryption-in-transit;
    SC-13-->Encryption-at-rest;
    SC-13-->Encryption-in-transit;
    SC-13-->bucket-not-public;
    SC-13-->bucket-protection-retention-1-sec
    SC-26-->SCC-Container-Threat-Detection;
    SC-26-->Armor;
    SC-28.1-->Encryption-at-rest;
    SC-28-->Encryption-at-rest;
    SC-101-->Data-Center-Security;
    SI-2-->Armor;
    SI-3-->Vulnerability-Scanning;
    SI-3-->SCC-Vulnerabilities;
    SI-4== traffic gen ==>Compute-VM;
    SI-4-->Armor;
    SI-4-->VM-logging-agent-logs;
    
    %% sub-service to service
    

    
    2FA-->Identity;
    Alert-Policy-->Cloud-Logging;
    Apps-Reports-Accounts-->Reporting;
    Reporting-->Identity;
    Asset-Inventory-->IAM;
    Armor-->Network-Security;
    Audit-and-Investigation-->Identity;
    bucket-not-public-->Org-Policies;
    bucket-protection-retention-1-sec-->Org-Policies;
    enforce-public-access-prevention-->Org-Policies;
    restrict-public-IP-access-sql-->Org-Policies;
    BeyondCorp-CAA-->Security;
    Certification-Training-->Training;
    Cloud-Identity-->Google-Admin;
    Compute-VM-->Cloud-Logging;
    Data-Center-Security-->Security;
    Cloud-Deploy-->GCP;
    Deployment-Manager-->GCP;
    DLP-->Security;
    Encryption-in-transit-->Security;
    Encryption-at-rest-->Security;
    Event-Logging-->Cloud-Operations-Suite;
    IAP-->Security;
    Identity-Federation-->IAM;
    IDS-->Network-Security;
    Location-Restriction-->Org-Policies;
    Logs-Explorer-->Cloud-Logging;
    Logs-Router-->Cloud-Logging;
    Marketplace-Role-restriction-->Marketplace
    MFA-->Cloud-Identity;
    Monitoring-->GCP;
    Org-Policies-->IAM;
    Password-Policies-->Identity;
    Pre-Signed-URLs-->Cloud-Storage;
    Private-Access-->VPC-Networks;
    Resource-Location-Restriction-->Org-Policies;
    Roles-->IAM;
    SCC-Findings-->SCC;
    SCC-Compliance-->SCC;
    SCC-Container-Threat-Detection-->SCC;
    SCC-Vulnerabilities-->SCC;
    VM-logging-agent-logs-->Cloud-Logging;
    VFW-->VPC-Networks;
    VPC-Flow-Logs-->VPC-Networks;
    VPC-Firewall-Rules-->VPC-Networks;
    VPC-Firewall-Logs-->VPC-Networks;
    Vulnerability-Scanning-->Artifact-Registry;
    
    
    %% service to gcp
    Artifact-Registry-->GCP;
    Cloud-Operations-Suite-->GCP;
    Cloud-Logging-->GCP;
    Cloud-Storage-->GCP;

    Identity-->Admin;
    IAM-->GCP;
    Marketplace-->GCP;
    Network-Security-->GCP;
    SCC-->GCP;
    Security-->GCP;
    Training-->GCP;
    VPC-Networks-->GCP{GCP};

   %%PBHH
    PBHH-->AU-3.2
    PBHH-->IA-2.2
    

Loading

mermaid - diagrams as code

Security Controls List

Rev: 20231114

• ITSG 33 : Security Control Catalogue : https://www.cyber.gc.ca/en/guidance/annex-3a-security-control-catalogue-itsg-33

• AU-1 - family: audit and accountability - class: technical - AU-1 : audit and accountability policy and procedures

• AU-2 - family: audit and accountability - class: technical - AU-2 : auditable events

• AU-3 - family: audit and accountability - class: technical - AU-3 : content of audit records

• AU-4 - family: audit and accountability - class: technical - AU-4 : audit storage capacity

• AU-4(1) - family: audit and accountability - class: technical - AU-4.1 : audit storage capacity | transfer to alternate storage

• AU-6 - family: audit and accountability - class: technical - AU-6 : audit review, analysis, and reporting

• AU-8 - family: audit and accountability - class: technical - AU-8 : time stamps

• AU-12 - family: audit and accountability - class: technical - AU-12 : audit generation

• CM-1 - family: configuration management - class: operational - CM-1: configuration management policy and procedures

• CM-2 - family: configuration management - class: operational - CM-2: baseline configuration

• CM-3 - family: configuration management - class: operational - CM-3: configuration change control

• CM-5 - family: configuration management - class: operational - CM-5: access restrictions for change

• CM-6 - family: configuration management - class: operational - CM-6: configuration settings

• CM-7 - family: configuration management - class: operational - CM-7: least functionality

• CM-7(5) - family: configuration management - class: operational - CM-7.5: least functionality | authorized software / whitelisting

• CM-8 - family: configuration management - class: operational - CM-8: information system component inventory

• CM-9 - family: configuration management - class: operational - CM-9: configuration management plan

• CP-1 - family: contingency planning (continuity planning) - class: operational - CP-1 : contingency planning policy and procedures

• IR-1 - family: incident response - class: operational - IR-1 incident response policy and procedures

• IR-9 - family: incident response - class: operational - IR-9 : information spillage response

• MA-1 - family: maintenance - class: operational - MA-1 : system maintenance policy and procedures

• MA-3(3) - family: maintenance - class: operational - MA-3 : maintenance tools | prevent unauthorized removal

• RA-1 - family: risk assessment - class: management - RA-1 : risk assessment policy and procedures

• RA-2 - family: risk assessment - class: management - RA-2 : security categorization

• RA-3 - family: risk assessment - class: management - RA-3 : risk assessment

Security Controls to Code Mappings

Security Controls to GCP Services Mappings

History

https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit/issues/560

20231027

Check removed files

 delete mode 100644 solutions/client-landing-zone/client-folder/standard/applications-infrastructure/host-project/securitycontrols.md
 delete mode 100644 solutions/client-landing-zone/logging-project/securitycontrols.md
 delete mode 100644 solutions/core-landing-zone/lz-folder/audits/logging-project/securitycontrols.md

Todo

Example visuals for extract and/or live compliance dashboard

• d3js.org based or mermaid in-line-repo markup (generated) in https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit/wiki/Security_Controls

• https://observablehq.com/@kerryrodden/sequences-sunburst

• https://d3js.org/

• https://github.com/GoogleCloudPlatform/pbmm-on-gcp-onboarding/blob/main/docs/google-cloud-security-controls.md#controls-coverage

• https://mermaid.js.org/#/flowchart?id=graph

• see https://github.com/GoogleCloudPlatform/pbmm-on-gcp-onboarding/blob/main/docs/google-cloud-security-controls.md

Links

• https://cloud.google.com/security/compliance/fedramp
• detailed ITSG-33 (2014) https://cyber.gc.ca/en/guidance/annex-2-information-system-security-risk-management-activities-itsg-33
• detailed ITSG-33 (2015) https://www.cyber.gc.ca/sites/default/files/cyber/publications/itsg33-ann4a-1-eng.pdf
• summary ITSG-33 https://cyber.gc.ca/en/guidance/annex-4-identification-control-elements-security-controls-itsg-41
• AU-2 AU-3 AU-4 AU-5 AU-16 via cloud logging fedramp compliance https://cloud.google.com/blog/products/identity-security/5-must-know-security-and-compliance-features-in-cloud-logging
• COM https://ssc-clouddocs.canada.ca/s/com?language=en_US
• https://cloud-services-infonuagiques.canada.ca/