
Google Cloud Platform® (GCP®) Audit Program



Column definitions (Column Name / Description / Instructions)

Process Sub-area
Description: An activity within an overall process influenced by the enterprise's policies and procedures that takes inputs from a number of sources, manipulates the inputs and produces outputs.
Instructions: It is advisable to structure the audit program's scope by sub-areas to make it easier to manage. The auditor can modify this field to include entity-specific names and terms. ISACA has selected the most commonly used terms as the basis for developing this audit program.

Ref. Risk
Description: Specifies the risk this control is intended to address.
Instructions: This field can be used to input a reference/link to a risk described in the entity's risk register or enterprise risk management (ERM) system, or to input a description of the risk a particular control is intended to address.

Control Objectives
Description: A statement of the desired result or purpose that must be in place to address the inherent risk in the review areas within scope.
Instructions: This field should describe the behaviors, technologies, documents or processes expected to be in place to address the inherent risk that is part of the audit scope. An IT audit manager can review this information to determine whether the review will meet the audit objectives based on the risk and control objectives included in the audit program.

Controls
Description: The means of managing risk, including policies, procedures, guidelines, practices or organizational structures, which can be of an administrative, technical, management or legal nature.
Instructions: This field should describe in detail the control activities expected to be in place to meet the control objective. Control activities can be in roles and responsibilities, documentation, forms, reports, system configuration, segregation of duties, approval matrices, etc. An IT audit manager performing a quality control review must decide whether an auditor has planned to identify enough controls to support an assessment and whether the planned evidence is sufficiently objective.

Control Type
Description: Automated/technical controls: controls managed or performed by computer systems. Manual/administrative controls: controls governing what employees may or may not do. Physical controls: controls such as locks, fences, mantraps and even geography-specific controls.
Instructions: Specifies whether the control under review is automated, manual, physical or a combination. This information is useful in determining the testing steps necessary to obtain assessment evidence.

Control Classification
Description: Preventive: detect problems before they arise; monitor both the operation and inputs; attempt to predict potential problems before they occur and make adjustments; prevent an error, omission or malicious act from occurring. Detective: detect and report the occurrence of an error, omission or malicious act. Corrective: minimize the impact of a threat; remedy problems discovered by detective controls; identify the cause of a problem; correct errors arising from a problem.
Instructions: Specifies the type of control in place. This information is useful as it describes the purpose of the control.

Control Frequency
Description: Occurrence of control activities: real-time, daily, weekly, monthly, annually or another scheduled frequency.
Instructions: Specifies whether the control under review occurs in real-time or on a defined schedule (e.g., daily, weekly, monthly, annually or some other defined frequency). This information will be helpful when identifying testing steps and requesting evidence.

© 2023 ISACA. All rights reserved. Page 1 of 31


Testing Step
Description: Identifies the steps being tested to evaluate the effectiveness of the control under review.
Instructions: This field should describe in detail the steps necessary to test control activities and collect supporting documentation. The auditor can modify this field to meet entity-specific needs. ISACA has selected a set of generic steps to develop this audit program. An IT audit manager may determine if the proposed steps are adequate to review a particular control.

Ref. Framework/Standards
Description: Specifies frameworks and/or standards that relate to the control under review (e.g., NIST, HIPAA, SOX, ISO).
Instructions: Input references to other frameworks used by the entity as part of its compliance program.

Ref. Workpaper
Description: References other documents that may contain evidence supporting the pass/fail mark for the audit step.
Instructions: Specifies the location of supporting documentation detailing the audit steps and evidence obtained. An IT audit manager performing a quality control review must decide whether an auditor has tested enough controls to enable an assessment and whether the obtained evidence is sufficiently objective to support a pass or fail conclusion.

Pass/Fail
Description: Documents preliminary conclusions regarding the effectiveness of controls.
Instructions: Specifies whether the overall control is effective (pass) or not effective (fail) based on the results of the testing.

Comments
Description: Free-form field.
Instructions: Documents any notes related to the review of this process sub-area or specific control activities.




Governance

Columns: Process Sub-area | Ref. Risk | Control Objectives | Controls | Control Type | Control Classification | Control Frequency | Testing Step | Ref. Framework/Standards (if applicable) | Ref. Workpaper | Pass/Fail | Comments
Process Sub-area: Defining and Understanding Structure, Roles and Responsibilities

Control Objective: Utilization of Google Cloud Platform (GCP) services should be selected and enabled based on business purposes in a manner that facilitates accomplishing the enterprise's mission and strategic objectives.

Controls: The enterprise has defined a formal and independent governance structure (e.g., a GCP steering committee whose purview includes cloud and IT) to guide the enablement and ongoing operations of business services within the GCP.

Note: This group should exist separately from the enterprise's personnel performing daily or routine technology enablement and support operations within Google cloud services, resources and applications. This group should be responsible for consulting with the board of directors to establish objective compliance criteria, approval, and business and architectural understanding of all in-use GCP services and methods (e.g., Cloud Identity, BigQuery, Organization and Project hierarchy, etc.). This will help the GCP steering committee measure compliance and governance effectiveness and performance among themselves, the board of directors and the operational personnel accountable to this group.

Testing Step:
1. Obtain position descriptions and interview responsible and/or accountable individuals who oversee GCP services within the enterprise (e.g., chief technology officer, chief security officer, chief financial officer, etc.). Determine if a formal governance structure exists to drive development, security and usage of GCP services and associated resources.
2. Obtain and inspect documented enterprise organizational charts and confirm position and reporting details. Determine if reporting and communication channels have been established among the board of directors, governing body and personnel responsible for operating the GCP over these key areas: policy management, network security, network management, server endpoint security, incident monitoring and response, and development operations (DevOps).
3. Obtain and inspect GCP program charters and related documentation (e.g., service contracts and agreements) outlining:
• Intended business purpose(s) that Google services and/or resources should achieve and stakeholder ownership for those services/resources
• Acceptance of, and mechanisms to govern, cloud shared-responsibility model requirements
• Compliance criteria and/or service requirements
• Mechanisms used to evaluate success criteria (e.g., annual platform reviews, baselines/alerts, etc.) or measure the achievement of business objectives through the use of the GCP
• Routine review of the program charter between the board of directors and the governance structure to ensure that the Google platform continues to meet business requirements

Ref. Framework/Standards: CIS V8 3.1; COBIT EDM01

Process Sub-area: Defining and Understanding Structure, Roles and Responsibilities

Control Objective: Alignment of GCP enablement and operational support actions with GCP program requirements per the GCP steering committee is ensured through the definition of roles and responsibilities in the service catalog.

Controls: On a regular basis (as defined by the enterprise), the GCP steering committee meets with operational management personnel to discuss the GCP program status, portfolio, services and assets.

Note: These meetings should focus on the following:
• Alignment of the service portfolio and assets to organizational objectives
• Governance structure providing feedback to operational management
• Formal communication of staffing and resource needs required to continuously operate the platform and services in accordance with stakeholder needs
• Challenges that operational management faces with security or program implementation
• Compliance concerns (or other matters) that may generally impact the achievement of stakeholder needs

Testing Step:
1. Obtain calendar invites, meeting minutes and/or summary GCP program status reports. Inspect the reports to determine if the governance structure is regularly communicating with personnel who perform daily GCP program operations.
2. Obtain and inspect documentation related to the service catalog, enabled services and applications, and alignment to business objectives.

Ref. Framework/Standards: COBIT EDM01, EDM05

Process Sub-area: Defining and Understanding Structure, Roles and Responsibilities

Control Objective: Complete accountability is established for individual GCP services and applications and their related resources to ensure that the enterprise can meet stakeholders' expectations through a secure environment.

Controls: The enterprise has designated owners responsible for accurately configuring GCP services, applications and related resources, assessing related risk (including cost controls and management) and performing maintenance of GCP applications and resources as necessary.

Note: GCP has a myriad of both individual and integrated application and service offerings, and defined owners take on a custodial role for these offerings. Service and application owners may be a single individual, department or business function within the enterprise, or several departments or individuals across the enterprise. GCP services and applications (e.g., Big Data, Compute, IAM roles/permissions/policies, etc.) are subject to functionality, availability and technical implementation (code) changes under the control of Google. As part of the nature of the cloud, new services constantly emerge that may integrate with or replace existing services. It is important that the entire suite of enabled GCP services, applications and their related resources (Google Workspace, Cloud Datastore, Compute Engine and IAM components) have organizational ownership and that their capabilities are fully understood, regularly assessed and strictly maintained in accordance with enterprise requirements.

Testing Step:
1. Interview responsible and/or accountable governance and operational stakeholders to understand the entire collection of GCP services and applications enabled and the corresponding individual(s) or department(s) who own and manage each service and/or application.
2. Interview stakeholders to understand how each service, application, related resource and configuration methodology is used to meet documented security and business (including billing, financial and change management) requirements. Further determine requirements for documenting, communicating and resolving noncompliant services and applications.
3. Obtain and inspect documentation describing intended business use and architecture/integration of each service and application, completed risk assessments and/or completed reviews performed by individual GCP owners documenting GCP service and application compliance and resolution of noncompliant items (if necessary).

Ref. Framework/Standards: COBIT EDM01, EDM05



Process Sub-area: Establishing Google Cloud Platform (GCP) Enterprise Directives

Control Objective: The enterprise's information security program, architecture and related procedures (inclusive of enabled services and applications) remain current and are communicated to responsible parties to support effective and sustainable management processes for enabled GCP services and applications.

Controls: The enterprise has developed formal security documentation (e.g., plans, policies and procedures) and architecture guidance that incorporates the use of GCP services and applications. Management performs at least an annual review of GCP security documentation in order to align documentation and Google service and platform security changes with enterprise operational changes, ensuring security coverage, completeness and accuracy in protecting enterprise information and assets.

Testing Step:
1. Interview responsible and/or accountable individuals who maintain information security program plans and related documentation (e.g., chief security officer, cloud security engineer, etc.) to ensure ongoing consideration is given to reviewing, understanding, documenting and communicating security requirements for all GCP services and applications in use, and that the impact to enterprise security architecture is captured.
2. Obtain and inspect security program documentation (e.g., security plan, policies, procedures, etc.), and determine whether existing documentation adequately describes:
• GCP security requirements and how they are generally achieved across services and applications
• Security standards/frameworks that the enterprise uses to baseline security policy and architecture
• Security architecture (e.g., permission hierarchies) and alignment of the GCP security architectural structure across services and applications with organizational business and risk objectives
• Instructions to personnel detailing how to configure and maintain a compliant environment in accordance with documented requirements
3. Further inspect the related documents and determine whether:
• An owner is documented for each directive
• Documents are formally reviewed by management, at least annually, for completeness and accuracy

Ref. Framework/Standards: COBIT EDM03, APO01

Process Sub-area: Establishing Google Cloud Platform (GCP) Enterprise Directives

Control Objective: Ongoing operability of business-critical GCP services, applications and integrated resources is supported.

Controls: The enterprise has developed formal monitoring, logging, change management, financial management, vulnerability management and data breach programs; security incident response and disaster recovery plans; and policies and operational procedures for business-critical GCP services, applications and integrated resources. The plans are reviewed, at minimum, on an annual basis for completeness and accuracy.

Testing Step:
1. Obtain GCP architectural documentation for information on GCP-enabled services, applications and related resources defined as business critical.
2. Interview responsible stakeholders and owners for each GCP-enabled service, application and related resource to obtain plans, policies and procedures for information security, and compare them with architectural documentation of enabled services to ensure completeness and accuracy. Determine the frequency of the plan (policy/procedure) reviews to ensure completeness, accuracy and timeliness. Obtain details of prior reviews and the resolution of any gaps.
3. For each plan, policy and procedure, determine the appropriateness of the following elements:
• Logging and monitoring
 1) Categories, components and any automation in place
 2) Alerting and review by responsible parties
 3) Procedures per category/component
 4) Documentation and retention period
 5) Backup and restore procedures
• Change management
 1) Categories and components of changes (priority one, two, three, emergency, etc.) and any automation in place
 2) Change deployment processes, including SLAs, SDLC and system architecture (sandbox, development, production system tiering)
 3) Required approvals per category/component
 4) Documentation and retention period of change records
 5) Approved change windows per change category
 6) Testing requirements and back-out plans
• Financial management
 1) Financial thresholds, billing and any automation in place
 2) Alerting responsible parties
 3) Required approvals per category/component
 4) Documentation and retention period of records
• Vulnerability management
 1) Classification of vulnerability and business risk assessment
 2) Change deployment processes, including SLAs, SDLC and system architecture (sandbox, development, production system tiering) and any automation in place
 3) Required approvals
 4) Testing requirements, mitigations and back-out plans
• Data breach/Security incident response
 1) Phases of and responsibilities during an incident (discovery, investigation, communication, containment, eradication, recovery, etc.) and any automation in place
 2) Crisis communication procedures
 3) Call trees for necessary staff
 4) Reporting requirements
 5) Evidence collection, retention and postincident process for lessons learned and/or external reporting
• Business continuity/Disaster recovery
 1) Identify completed business impact analysis (BIA)
 2) Identify control measures to reduce risk (preventive, detective and corrective measures)
 3) Identify recovery strategies for critical enterprise and GCP services and applications or related critical assets
 4) Identify recovery time objectives (RTO) per GCP service, application or related critical asset
 5) Identify recovery point objectives (RPO) per GCP service, application or related critical asset
 6) Identify documented recovery exercises to ensure the plan will work as intended, along with plan maintenance

Ref. Framework/Standards: COBIT EDM03, EDM04, APO01




Process Sub-area: Establishing Google Cloud Platform (GCP) Enterprise Directives

Control Objective: Risk associated with business-critical GCP services, applications and integrated resources is mitigated.

Controls: The enterprise has developed formal risk assessment procedures for business-critical GCP services, applications and integrated resources. The risk register is reviewed, at minimum, on an annual basis for completeness and accuracy. Mitigation plans, remediation plans and acceptance of residual risks are reviewed by the steering committee.

Testing Step:
1. Interview responsible and/or accountable individuals who maintain and approve the risk assessment procedures and risk register (e.g., chief security officer, compliance, governance committee) to review the process for assessing and accepting risk for GCP services, applications and integrated resources.
2. Obtain and inspect risk assessment documentation (e.g., plan, risk register) and determine whether the existing documentation adequately describes:
• Risk assessment procedures and responsibilities
• Risk identified and mitigation or remediation plans
• Residual risk to be accepted
3. Further inspect the related documents and determine whether:
• An owner is documented for each risk and evidence of any accepted risk exists
• Documents are formally reviewed by management, at least annually, for completeness and accuracy

Process Sub-area: Defining and Understanding Network Boundaries

Control Objective: The enterprise provides consistent, secure and resilient levels of IT operational service through adequate network management, including ingress and egress points enabled through GCP software-defined networking (SDN), services and applications.

Controls: Management has documented network, service and application diagrams detailing all utilized GCP services, applications, resources, data pathways and integrations. Diagrams are reviewed annually at a minimum and updated as enabled services/applications/resources and integrations change.

Note: Appropriate network diagrams usually entail a series of layered diagrams that explain abstract but related concepts about the structure of a given environment. Application diagrams, or blueprints, should indicate the interaction between components and how data is exchanged, including trust zones. In the case of GCP, it is important to know the following:
• Number of administrative accounts in use
• Number of virtual private clouds (VPCs) per GCP Organization or Project
• Regions in which each VPC's subnets have been deployed (e.g., Northern Virginia, Frankfurt, etc.); note that a GCP VPC network is a global resource and it is the subnets within it that are regional
• Shared VPCs (shared between GCP Projects)
• Peering connections between each VPC (if any)
• Number of subnets per VPC
• Configured gateways per VPC
• Cloud Interconnect configurations (if any)
• Cloud Routes and firewall rules
• Classification of the data traversing each connection

Testing Step:
1. Interview responsible and/or accountable individuals (cloud security engineers, network architects, network engineers) and obtain documentation of the enterprise network architecture and GCP-enabled platform, services and applications, including:
• Administrative and highly privileged accounts within the enterprise with the ability to create or change network configuration (Policy Analyzer in IAM & Admin, which reports which principals hold a given permission on a resource, may be used for this)
• The number of VPCs and their mapping to Organizations and Projects within GCP, with routing and traffic details (ingress, egress)
• Existing VPC peering connections (peering connections allow inter-VPC connectivity between networks in the same or different GCP projects)
• Individual services, applications and resources deployed to each individual VPC
• Placement and general configuration of firewalls and NAT gateways receiving internal or external network traffic, using Firewall Insights from Network Intelligence Center
• Business entities (parent enterprise, partner enterprises, extranets, etc.) that create, use or extract data (and the types of data traversing the network) and the data classification
• Processes for logging and monitoring network traffic
2. Further inquire into the frequency of reviews for the appropriateness of the items above and what criteria or methods are used to identify inappropriate network configurations, data flows, data types, in-use applications or network behavior anomalies.
3. Obtain and inspect network diagrams and/or related documentation. Determine whether each diagram adequately depicts and describes the items described above. If the items are described in a diagram, determine whether data types, the network pathways that data travel on, and data recipients or participants are also depicted.

Ref. Framework/Standards: CIS V8 1.1, 3.2; COBIT EDM03, APO01



Process Sub-area: Establishing a Complete and Accurate Resource Inventory

Control Objective: The enterprise manages security configuration weaknesses and inherent risk by maintaining a complete and accurate inventory of GCP-enabled services and applications and the appropriate control mechanisms.

Controls: Cloud Asset Inventory, Security Command Center and Cloud Logging have been enabled to collect, display and report to management the services, applications and related resources in use, and to detect security misconfigurations and compliance deviations.

Note: Security Command Center must be activated for the organization or project before its asset and findings views populate, and Cloud Logging's Data Access audit logs (which record who read or modified data) are disabled by default for most services, BigQuery being the notable exception, so they must be explicitly enabled. It is important to compare architectural diagrams to logging to fully understand what exists before assets can be adequately protected and their benefits (relative to cost) can be understood.

Testing Step:
1. Interview responsible owners and stakeholders (cloud security engineer, network engineer, security architect) to determine whether (and how) the IT inventory is documented and maintained for completeness/accuracy.
If using Security Command Center:
• From the Google Cloud console, click "Security." Under Security, navigate to Security Command Center. The dashboard will populate with information specific to the Project or Organization you have selected.
• On the dashboard tabs, navigate to "ASSETS" to see a list of assets that can be filtered by resource type, project or change details.
If using Cloud Asset Inventory:
• From the Google Cloud console, click "IAM & Admin." Navigate to Asset Inventory. The dashboard will populate with information specific to the Project or Organization you have selected.
• On the dashboard tabs, navigate to the "RESOURCES" tab to see a list of assets that can be filtered by resource type, project or location.

Ref. Framework/Standards: COBIT EDM03, EDM04

Control Objective: The enterprise designs and applies asset protection commensurate with data classification.

Controls: The enterprise has developed and maintains a strategy to aid in the identification, protection and data retention of IT assets (labels or tags). The labels are applied to GCP assets to appropriately classify data and ensure required protections.

Note: GCP provides two related mechanisms. Labels are key/value metadata attached to a resource; they support grouping, filtering and billing export but are not themselves enforceable. Resource Manager tags are key/value pairs bound to organizations, folders, projects and some resources, and they can be referenced in IAM conditions and organization policies, so only tags can carry policy. Either mechanism facilitates the identification and grouping of assets by common business terminology (such as confidential, sensitive, public, etc.) or by department and business use, and helps the enterprise know which resources should have encryption applied or when data retention or data purge mechanisms should be triggered. A single strategy should state which mechanism carries data classification and which carries ownership or cost-center data, and should be developed, approved and used throughout the enterprise to reduce confusion and misapplication of security controls or data classification based on labels or tags.

Testing Step:
1. Interview responsible owners and stakeholders (cloud security engineer, security architect, operations management, application development, etc.) to determine if a GCP asset tagging or labeling strategy exists and is formally documented.
2. Obtain and inspect tagging strategy documentation to understand the GCP tagging or labeling hierarchy and how it applies to individual GCP resources and applications across the enterprise.
3. Compare the tagging strategy documentation to network and security architecture diagram documentation.
4. Through random sampling, determine if GCP tagging or labeling has been applied to assets as defined by the tagging strategy, using the Google Cloud console and reviewing the Cloud Asset Inventory or Security Command Center list of assets.

Ref. Framework/Standards: CIS V8 1.1; COBIT EDM03, APO03
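The inventory and labeling controls above both end in a console walk-through. The following Python is an added worked check, not part of the ISACA program and not Google's code, that tests the whole asset population against a labeling strategy rather than a random sample. It assumes the assets were exported with `gcloud asset list --content-type=resource --format=json` and therefore carry `name`, `assetType` and `resource.data.labels`; the required label keys, the approved classification values and the asset records below are constructed for illustration.

```python
"""Check a Cloud Asset Inventory export against a labeling strategy.

Added example (not ISACA's or Google's code). It assumes the asset records
were exported with
  gcloud asset list --organization=ORG_ID --content-type=resource --format=json
and therefore carry `name`, `assetType` and `resource.data.labels`. The
strategy constants and the sample records below are constructed.
"""
import json
from collections import Counter

# Hypothetical labeling strategy: every in-scope asset must carry these keys,
# and the classification key must take one of the approved values.
REQUIRED_LABELS = ("data_classification", "owner", "cost_center")
ALLOWED_CLASSIFICATIONS = {"public", "internal", "confidential", "restricted"}

# Asset types the strategy covers, using Cloud Asset Inventory type names.
IN_SCOPE_TYPES = {
    "compute.googleapis.com/Instance",
    "storage.googleapis.com/Bucket",
    "bigquery.googleapis.com/Dataset",
}

# Constructed sample export shaped like `gcloud asset list` output.
SAMPLE_EXPORT = json.dumps([
    {"name": "//compute.googleapis.com/projects/proj-a/zones/us-east1-b/instances/web-1",
     "assetType": "compute.googleapis.com/Instance",
     "resource": {"data": {"labels": {"data_classification": "internal",
                                      "owner": "team-web", "cost_center": "cc-100"}}}},
    {"name": "//storage.googleapis.com/proj-a-exports",
     "assetType": "storage.googleapis.com/Bucket",
     "resource": {"data": {"labels": {"owner": "team-data"}}}},
    {"name": "//bigquery.googleapis.com/projects/proj-b/datasets/finance",
     "assetType": "bigquery.googleapis.com/Dataset",
     "resource": {"data": {"labels": {"data_classification": "secret",
                                      "owner": "team-fin", "cost_center": "cc-200"}}}},
    {"name": "//compute.googleapis.com/projects/proj-b/global/networks/default",
     "assetType": "compute.googleapis.com/Network",
     "resource": {"data": {}}},
])


def asset_labels(asset):
    """Return the label dict of an asset, tolerating records without labels."""
    return ((asset.get("resource") or {}).get("data") or {}).get("labels") or {}


def evaluate_asset(asset):
    """Return a list of findings for one asset; an empty list means compliant."""
    findings = []
    labels = asset_labels(asset)
    for key in REQUIRED_LABELS:
        if key not in labels:
            findings.append(f"missing label '{key}'")
    cls = labels.get("data_classification")
    if cls is not None and cls not in ALLOWED_CLASSIFICATIONS:
        findings.append(f"unapproved data_classification '{cls}'")
    return findings


def audit_export(export_json):
    """Evaluate every in-scope asset in an export.

    Returns (summary, exceptions): summary counts assets by result and
    exceptions maps asset name -> findings for the auditor's workpaper.
    """
    summary = Counter()
    exceptions = {}
    for asset in json.loads(export_json):
        if asset.get("assetType") not in IN_SCOPE_TYPES:
            summary["out_of_scope"] += 1
            continue
        findings = evaluate_asset(asset)
        if findings:
            summary["fail"] += 1
            exceptions[asset["name"]] = findings
        else:
            summary["pass"] += 1
    return dict(summary), exceptions


if __name__ == "__main__":
    summary, exceptions = audit_export(SAMPLE_EXPORT)
    print("Summary:", summary)
    for name, findings in exceptions.items():
        print(name)
        for f in findings:
            print("  -", f)
```

This checks labels only. If the strategy puts data classification in Resource Manager tags rather than labels, the bindings are not in `resource.data.labels`; they are listed separately (for example with `gcloud resource-manager tags bindings list --parent=...`) and the same evaluation would need to be run over that output.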

Control Objective: The enterprise has defined ownership, procedures and responsibility for purchases of appropriate GCP services, applications and resources that support business goals and stakeholder needs.

Controls: Purchases of GCP services and applications must follow a documented review and approval process by the appropriate, enterprise-defined department or group prior to use. The business need for individual GCP applications is reviewed for appropriateness on a periodic basis, as defined by the enterprise and in line with enterprise financial policies.

Note: It is important for the enterprise to control expenses and approve the use of only those applications that it needs. GCP, like most cloud services, releases new functionality, services and applications on a regular basis. These items should be considered carefully as they may introduce additional cost to the enterprise. Additionally, in order to control wasteful spending and limit security risk exposure, the use of each service/application and its related resources should be reviewed on a routine basis to retire applications or resources that no longer serve a business need.

Testing Step:
1. Interview responsible owners and stakeholders (cloud security engineer, operations management, application development, purchasing) to determine the application-acquisition process for new GCP services and applications and for the scaling up of additional resources the enterprise uses. Further determine:
• Individuals required to review and approve purchases or new billing threshold limits, and the purchasing procedures
• Method used to document and retain approvals
• Individuals responsible for receiving and reviewing notifications of billing and billing changes
• Level of involvement from business stakeholders (such as accounts payable and purchasing personnel) to determine other departments outside of IT that must also review for appropriateness
• Purchasing limits that may trigger additional reviews and approvals (e.g., anything over $2,500 requires CEO approval) and exception approval processes
• Which GCP applications in use have been subjected to the documented process (processes may have been developed after the environment was built) and which procedures for reviewing and assessing items may pre-date policies
• Timing thresholds, frequency and methods used to review each GCP application for business-use validity. Note that business validity may be more challenging to determine during the first year. Evaluate the process and procedure for risk acceptance during the initial implementation periods and the regular review process of business validity for services.
2. Build a population of services that are subject to the documented process in step one.
3. Using a judgmental selection of GCP services, applications and resources from Cloud Asset Inventory, determine whether the documented acquisition process has been followed. For items built prior to policy implementation, evaluate actions taken to assess against policy and any determined risk and risk treatment.

Ref. Framework/Standards: COBIT EDM01



Process Sub-area: Managing Integrated Provider Risk
Control Objectives: Engagement of an enterprise GCP environmental integration with external service providers does not jeopardize security expectations the enterprise has established for its own environment.
Controls: External service providers that render in-scope services to the enterprise directly or through integration (e.g., via APIs) must agree to enterprise security requirements before gaining access to GCP services, applications and sensitive data. These providers are also subject to routine security assessments, particularly as the enterprise's security architecture changes or the provider's security architecture changes.
Note: Standard contract language, annual reviews of SOC and third-party compliance reports, third-party penetration testing or security questionnaires may satisfy this control.
Testing Step:
1. Interview responsible and/or accountable owners and/or stakeholders (cloud security engineer, security architect, vendor management office, legal, etc.) to obtain vendor selection, review and approval processes. Obtain standard contract language used for external providers and any regular review or re-assessment periods for contracts. Determine any exception processes and the review and approval for those exceptions.
2. Review vendor review and selection process documentation for security requirements and baselines required for compliance by external parties.
3. Obtain a list of service providers and integrated parties (e.g., API-connected partners) and current versions of contracts. Determine if standard contract language and assessment occurred prior to entering into agreement with third-party service providers and contracts have been approved by the appropriate enterprise stakeholders.
4. Confirm that the agreements selected for testing include evidence that security baseline requirements have been met by the service provider and any risk or unmet requirements have been accepted by appropriate enterprise stakeholders. Verify that contracts were fully executed prior to external providers being granted access to GCP applications or related data.
5. Confirm that the agreements selected for testing have been reviewed or re-assessed according to the enterprise's review and reassessment period.
Ref. Framework/Standards: COBIT EDM02, EDM04, APO10

Network Configuration and Management
Process Sub-area: Maintaining Security Architecture & Network Traffic Baselines
Control Objectives: Network security architecture is baselined and supports the enterprise's security requirements.
Controls: GCP network security architecture is routinely reviewed and compared against enterprise-defined security requirements. Periodic reports are produced and sent to appropriate personnel for review. Any deficiencies are addressed in a timely manner.
Testing Step:
1. Interview responsible and/or accountable personnel to determine whether a security network architecture standard exists and has been formally documented, the review process for security network architecture changes, and standards that have been applied to the environment. Process documentation for network architecture should distinguish between the network modes used (Default, Auto, Custom) to define deployments.
2. Determine the frequency of reviews that assess compliance of the network security architecture with the documented standard.
3. Determine how the compliance of the network security architecture with the documented standard is assessed (e.g., reporting and alerts through the Google Security Command Center compliance dashboard).
4. Obtain and inspect completed compliance reviews and confirm that any instances of noncompliance are remediated in a timely manner.
Ref. Framework/Standards: CIS V8 4.2; COBIT APO01

Process Sub-area: Maintaining Security Architecture & Network Traffic Baselines
Control Objectives: The enterprise can identify and take timely action against inappropriate network traffic.
Controls: The enterprise has deployed a security information and event management (SIEM) capability to log and define normal traffic patterns and report suspicious events to personnel in a timely manner. SIEM configuration and event logs are routinely assessed by the enterprise to ensure the tool functions as intended and anomalies are detected.
Note: The enterprise may need to ensure that all applicable logging has been enabled. Default logging may not include all activity.
Testing Step:
1. Interview responsible and/or accountable individuals (cloud security engineer, networking, etc.) to determine if network baselines have been established to facilitate an understanding of standard versus abnormal network behavior. Baselines may include indicators such as volume input/output and top resources or GCP applications that generate traffic. Confirm the following:
• Degree of automated versus manual capabilities used to define baselines, inspect traffic, record results, detect anomalies and trigger alerting relative to established baselines
• Retention of point-in-time baselines
• Change approvals are captured and secured for later analysis
• Frequency of review used to ensure the baseline and alerting capability continues to function as intended
• Timeliness of response/remediation actions by enterprise personnel to alerts received from the baselining capability
2. Document the population of the GCP applications and related resources captured by the network baselining. This requires obtaining the population of baseline alerts or reporting configuration for each in-scope GCP service, application and related resource through Google Security Command Center, Google Cloud Asset Inventory, Google Cloud Logging, VPC flow logs and data access audit logs (which must be explicitly enabled). Confirm that baselining occurs, has thresholds configured and is monitored (either automatically or manually) by personnel. Alternatively, the assessor may request that the enterprise generate certain types of traffic to trigger threshold alarms and observe that alerts are generated and sent to the appropriate personnel.
Ref. Framework/Standards: CIS V8 8.1, 8.2, 8.5, 8.6, 8.7, 8.8, 8.10, 8.11; COBIT APO01, APO12, APO13

Process Sub-area: Maintaining Security Architecture & Network Traffic Baselines
Control Objectives: The enterprise employs isolated network environments to ensure trust boundaries and the integrity of its various business operations.
Controls: Separate GCP environments, Organizations and/or Project hierarchies have been created to distinguish and isolate production, staging, testing and development functions using network configuration and compliance boundary policies.
Testing Step:
1. Interview responsible and/or accountable individuals (network architecture, engineering departments, etc.) to determine the number of business environments that exist (production, stage, R&D, etc.), integration between these environments and where these environments have been deployed within the GCP Organization or Project.
2. Further determine how logical isolation of each environment is achieved and maintained and how noncompliance is detected, possibly through the GCP Organization Policy Service, Google Security Command Center, the deployment and change management pipeline, or VPC Service Controls.
3. Obtain and inspect the following for each environment (testing for uniqueness):
• Organization and Project the environment is billed under
• VPC name
• IP address range
• Policy controls and routing modes/rules
• Firewall rules using GCP Firewall Insights within the Network Intelligence Center
4. Additional testing may focus on inspecting:
• Deployed resources in each environment (naming conventions, resource tagging, logging enablement, etc.)
• User access (e.g., developers with access to production environment resources/applications, etc.)
Ref. Framework/Standards: CIS V8 12.2, 12.3, 12.4, 16.8, 16.10; COBIT APO01, APO03, APO12, APO13

Process Sub-area: Environment Segregation
Control Objectives: Network communications are managed through a formal network traffic-management program.
Controls: The enterprise restricts ingress and egress GCP network traffic to interactions that align with valid business operational needs.
Testing Step:
1. Interview responsible and/or accountable individuals (cloud security engineer, networking, operations, etc.) to determine the enterprise's approach to authorizing network sources, destinations, ports, protocols, integration to external enterprises, etc.
2. From the GCP Management Console, access the Google Security Command Center or the Network Intelligence Center and inspect the following elements for appropriateness of VPC resources:
• Configured organizational policies per VPC
• Subnets that exist for each VPC and business environment (e.g., prod, stage)
• Routing tables in use per subnet configured through automatic routing or Google Cloud Routes
• Network access control lists, IAM policies and permissions
• Internet gateways deployed and NAT configurations (servers and resources should not be publicly accessible but instead communicate through a single secured point)
• Geo restrictions applied to each VPC or GCP service or application
• Configuration of subnets, security groups and VPC peering or VPC pairing across Projects
• VPC flow and audit logs that monitor traffic among VPCs or to external sources/destinations
3. Confirm that external enterprise access is routinely assessed for appropriateness, leading to adjustments where necessary (e.g., remove unused firewall rules, remove former business partners or extranet connections, etc.).
Ref. Framework/Standards: CIS V8 12.2, 12.3, 12.4, 13.4, 13.6; COBIT APO03, APO12, APO13

Process Sub-area: Restricting Administrative Access
Control Objectives: The enterprise grants privileged access to network configuration and management to personnel in accordance with valid business and operational needs.
Controls: GCP Management Console tools are restricted to the departments and job functions identified by the enterprise and provide personnel access to configuration and administrative functions based on the principle of least privilege.
Testing Step:
1. Interview responsible and/or accountable individuals (cloud security, network engineering, operations management, etc.) to determine the:
• Types of administrative tools (native or external to GCP) provided to enterprise personnel that allow them to access and modify the environment. Tools include, but are not limited to:
a) GCP organizational access
b) GCP Management Console
c) GCP Command Line Interface (CLI)
d) GCP Software Development Kits (SDKs)
e) APIs and scripting capabilities such as Python
• Method for restricting access to each tool based on least-privilege rights/permissions (e.g., group membership assignments, policies, automated processes)
• Request and authorization process for each administrative tool
• Logging and monitoring capabilities that exist for the use of each administrative tool
• Frequency of reviewing access to a given tool and individuals with access to each tool
2. Document the population of in-use tools, access rights/permissions and assigned individuals/access roles.
3. Through judgmental sampling, obtain and inspect administrative tool access authorizations.
4. Through judgmental sampling, obtain and inspect completed reviews of administrative tool access.
Ref. Framework/Standards: CIS V8 5.4; COBIT APO07, APO12, APO13

Process Sub-area: Maintaining Valid VPC Peering or Shared Connections
Control Objectives: Connectivity among GCP virtual private clouds (VPCs) exists solely to serve appropriate enterprise business needs.
Controls: VPC peering and shared VPC connections are documented within network architecture and require management approval and routine assessment for appropriateness.
Note: Peering and shared connections can be established across GCP projects. Shared VPCs are project-level settings, and when a project is set as a host project, all existing and new VPC networks will automatically become shared. Peering connections should only exist for the time necessary to conduct valid business transactions.
Testing Step:
1. Interview responsible and/or accountable individuals to determine the:
• Number of VPC peering or shared connections that exist in the environment
• GCP services, resources, applications and levels of access granted to each peering or shared connection
• Business purpose(s) of each peering or shared connection
• Change management, approval and periodic review process for the duration of peering connections
2. From the GCP Management Console, access the VPC service:
• Click "VPC Network peering."
• Assess the VPCs and review the peering connection(s) and valid period/duration of the peering.
• Inspect the naming convention of the VPCs and the "Tags" tab to determine whether the use of the peering connection is identified.
• Inspect routing configurations (or the Network Intelligence Center) to determine the network sources and destinations allowed through the peering connection. Inquire further about individual routing table appropriateness and change management approvals.
3. Obtain and inspect routine reviews of the peering connections to ensure only valid connections remain in effect and that peering durations have been explicitly accepted.
4. Inspect the "Shared VPC" setting within the VPC service. Obtain details of projects within the shared VPC(s) and their ownership. Inquire regarding routine reviews and evidence of appropriateness.
Ref. Framework/Standards: CIS V8 12.1, 12.2, 12.3, 12.4; COBIT APO03, APO12, APO13
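The manual inspection items in the Environment Segregation and VPC Peering rows above (administration ports reachable from the whole internet, VPC flow logs left disabled, peering connections that are stale or point at an undocumented project) can be pre-screened from a Cloud Asset Inventory export before sampling. The helper below is an added example, not ISACA's or Google's code; it assumes the newline-delimited JSON layout written by `gcloud asset export --content-type=resource` (one object per asset with `asset_type` and the Compute API representation under `resource.data`), and both the sample export and the approved-peer-project list are constructed.

```python
"""Screen a Cloud Asset Inventory export for the network findings the
Environment Segregation and VPC Peering testing steps ask the auditor to
inspect. Added audit helper; the NDJSON input layout is an assumption."""
import json
from dataclasses import dataclass

# Constructed sample export (not from a real project): two firewall rules,
# two subnets and one VPC carrying two peerings.
SAMPLE_EXPORT = "\n".join(json.dumps(rec) for rec in [
    {"asset_type": "compute.googleapis.com/Firewall",
     "resource": {"data": {"name": "allow-ssh-anywhere", "direction": "INGRESS",
                           "disabled": False, "sourceRanges": ["0.0.0.0/0"],
                           "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]}}},
    {"asset_type": "compute.googleapis.com/Firewall",
     "resource": {"data": {"name": "allow-web-from-lb", "direction": "INGRESS",
                           "disabled": False, "sourceRanges": ["130.211.0.0/22"],
                           "allowed": [{"IPProtocol": "tcp", "ports": ["443"]}]}}},
    {"asset_type": "compute.googleapis.com/Subnetwork",
     "resource": {"data": {"name": "prod-subnet", "logConfig": {"enable": True}}}},
    {"asset_type": "compute.googleapis.com/Subnetwork",
     "resource": {"data": {"name": "stage-subnet"}}},  # flow logs never configured
    {"asset_type": "compute.googleapis.com/Network",
     "resource": {"data": {"name": "prod-vpc", "peerings": [
         {"name": "to-partner", "state": "ACTIVE", "network":
          "https://www.googleapis.com/compute/v1/projects/partner-proj/global/networks/shared"},
         {"name": "to-old-lab", "state": "INACTIVE", "network":
          "https://www.googleapis.com/compute/v1/projects/lab-2019/global/networks/lab"}]}}},
])

ADMIN_PORTS = {22, 3389}                   # remote administration ports
APPROVED_PEER_PROJECTS = {"partner-proj"}  # constructed allow-list from the architecture docs


@dataclass
class Finding:
    check: str
    asset: str
    detail: str


def _port_in_ranges(port, ranges):
    """True if `port` is covered by Compute API port strings ('22', '3000-4000').
    An `allowed` entry without a `ports` key permits every port of that protocol."""
    if not ranges:
        return True
    for r in ranges:
        lo, _, hi = r.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


def check_firewall(data):
    """Enabled ingress rule that opens an administration port to the whole
    internet, i.e. a resource reachable directly instead of via a secured point."""
    if data.get("direction") != "INGRESS" or data.get("disabled"):
        return []
    if not {"0.0.0.0/0", "::/0"} & set(data.get("sourceRanges", [])):
        return []
    for allowed in data.get("allowed", []):
        if allowed.get("IPProtocol") in ("tcp", "all"):
            exposed = sorted(p for p in ADMIN_PORTS if _port_in_ranges(p, allowed.get("ports")))
            if exposed:
                return [Finding("public-admin-ingress", data["name"],
                                f"ports {exposed} open to 0.0.0.0/0")]
    return []


def check_subnet(data):
    """Flow logs are off unless logConfig.enable is set; default logging omits them."""
    if data.get("logConfig", {}).get("enable"):
        return []
    return [Finding("flow-logs-disabled", data["name"], "VPC flow logs not enabled")]


def check_network(data):
    """Peerings that are not ACTIVE should have been removed; ACTIVE ones must
    point at a project the network architecture documents as approved."""
    findings = []
    for peering in data.get("peerings", []):
        peer_project = peering["network"].split("/projects/")[1].split("/")[0]
        if peering.get("state") != "ACTIVE":
            findings.append(Finding("stale-peering", peering["name"],
                                    f"state {peering.get('state')}"))
        elif peer_project not in APPROVED_PEER_PROJECTS:
            findings.append(Finding("unapproved-peering", peering["name"],
                                    f"peer project {peer_project} not in approved list"))
    return findings


CHECKS = {
    "compute.googleapis.com/Firewall": check_firewall,
    "compute.googleapis.com/Subnetwork": check_subnet,
    "compute.googleapis.com/Network": check_network,
}


def audit_export(ndjson):
    """Run every applicable check over an NDJSON export; findings come back in file order."""
    findings = []
    for line in ndjson.splitlines():
        if not line.strip():
            continue
        record = json.loads(line)
        handler = CHECKS.get(record.get("asset_type"))
        if handler:
            findings.extend(handler(record["resource"]["data"]))
    return findings
```

Running `audit_export(SAMPLE_EXPORT)` on the constructed export yields three findings (the SSH rule, the stage subnet and the inactive peering), each of which maps to an item the auditor would then sample and discuss with the network owners.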

Process Sub-area: Network Availability & Resiliency
Control Objectives: Critical enterprise applications are configured to be highly available and resilient against network attacks.
Controls: Google Cloud Armor Standard is enabled for distributed denial-of-service (DDoS) protection and web application firewall service for critical business applications or where deemed necessary, and is periodically reviewed.
Testing Step:
1. Interview responsible and/or accountable individuals (cloud security engineers, network engineering, operations management, etc.) to determine whether one or more DDoS protection plan(s) have been enabled and configured for the virtual networks in scope.
2. Determine the criteria that dictate whether a critical business service, application or resource should be enabled or configured on GCP and requires DDoS protection; how exceptions for DDoS protection are identified, documented, reviewed and approved for appropriateness; and whether management has defined DDoS protection monitoring metrics (e.g., service issue tracking, health advisories, etc.), attack telemetry or mitigation reports (e.g., what management has in place to strengthen security posture and assess attacks and their outcomes before or after they occur).
3. From Google Cloud Armor, verify the protection plan scope and coverage, search for and confirm protection rules against common attacks, select DDoS protection plans and review the selected protection plans (plan name, type, resource groups, location and subscription).
4. From Google Cloud Armor, compare the configuration to the captured criteria for any logs that must be enabled to detect allowed or denied request traffic.
• Assess the appropriateness of any named IP address list configured to allow sources.
• Request evidence of regular review and remediation of any items out of compliance.
5. From the Google Security Command Center, review whether any findings have been identified and request evidence of their review.
Ref. Framework/Standards: CIS V8 12.6, 13.4, 13.6; COBIT BAI04

Process Sub-area: Securing External Connections
Control Objectives: The enterprise takes measures to enhance the security of external connections that have been integrated with the GCP environment.
Controls: Management has secured integrated network connections through the use of Google Cloud VPN or similar mechanisms.
Note: Google Cloud VPN is a managed service that allows an enterprise network to connect to the GCP environment through a secured channel.
Testing Step:
1. Interview responsible and/or accountable individuals (cloud security engineers, network engineering, etc.) to determine the number of external connections that integrate with each GCP organization, project and/or virtual network. Obtain documented procedures for configuration management and the establishment of VPN connections. Assess whether Google Cloud VPN or a similar mechanism is used to enforce connection security and/or privacy over these external connections in the GCP environment.
2. From the GCP Management Console, verify Google Cloud VPN is enabled.
• Search for and select "ExpressRoute Circuits." Then, click on the circuit name. Review the following attributes for appropriateness:
a) Use of the AES-GCM-16-256 algorithm for encryption of the IPSec tunnel and traffic passing through the tunnel
b) IAM permissions and groups to restrict access to the VPN connections to targeted groups
c) The location of the Cloud VPN gateway (does this location meet enterprise and regulatory compliance needs?)
d) Bandwidth (is bandwidth sufficient for current and future traffic needs and appropriate considering cost?)
e) Individual peering, the status of the peering connection, primary subnets, secondary subnets and last modified dates (are the peering endpoints associated with the appropriate business partner(s)?)
3. Further inquire and obtain evidence that external connections and membership of groups granting access are periodically reviewed.
Ref. Framework/Standards: CIS V8 12.2, 12.7; COBIT APO12, APO13, APO14

Resource Configuration and Management

Process Sub-area: Maintaining Security Baselines for GCP Resources
Control Objectives: Assurance that operational requirements for security and managed changes are met is gained through a formal process for managing the deployment and integration of GCP services and applications in the environment.
Controls: The enterprise utilizes predefined and preapproved blueprints, templates and policy configurations to develop and deploy GCP services, applications and resources in the environment. The enterprise routinely assesses the adequacy of the blueprints, templates and policies in use to ensure they meet business requirements for security and/or functionality.
Note: The enterprise may leverage infrastructure-as-code (IaC), security-as-code (SaC) and compliance-as-code (CaC) tooling for the automation of secure and compliant deployments. This may be through native GCP tools, such as Anthos Config Management, Cloud Deployment Manager and Cloud Build, or third-party and open-source tools, such as Gatekeeper and Terraform by HashiCorp. The configuration of and appropriate personnel access to these tools should be considered when assessing this control.
Testing Step:
1. Interview responsible and/or accountable individuals (cloud security engineer, network engineer, site reliability engineer, development teams) to determine how the enterprise develops and deploys individual services, applications and related resources (assets) within the environment. Expressly consider how the enterprise sets, monitors and ensures minimum security requirements for assets and identifies any deviations from minimum security requirements (as changes to existing assets occur) and the actions to be taken.
2. Inquire about the specific configurations or security requirements that each in-scope GCP asset and automation tooling should meet as set forth by the enterprise. Document these requirements for every GCP asset.
3. Obtain documentation of the population of GCP application assets that utilize blueprints, templates, trusted VM images and policy configurations for asset generation and security configuration. Identify GCP native blueprints, templates and policies in use and obtain specific documentation of the definitions for any custom blueprints, templates and policies.
4. Obtain documentation on any automation tooling and tooling configuration used to invoke and create/deploy/modify GCP assets using blueprints, templates and policy configurations. Obtain documentation of periodic reviews and evaluations of deviations from security baselines.
5. Using a judgmental selection, obtain and inspect samples of GCP assets to determine whether the tooling in use and blueprints, templates and policies have adequately set the required configurations or security requirements.
6. Using a judgmental selection, obtain and inspect the evidence of reviews demonstrating that the enterprise assesses the adequacy of asset configurations or security configurations provided by applied blueprints, templates and policies and that actions to remediate deviations from security baselines have been performed.
7. Obtain evidence of periodic reviews of and updates to security baseline requirements as well as the processes and procedures used to assess deviations from updated baselines.
Ref. Framework/Standards: CIS V8 4.1, 5.4, 11.3; COBIT BAI10, BAI06, BAI07, BAI09

Process Sub-area: Change Management
Control Objectives: The enterprise expressly authorizes changes to GCP services, applications and related resources to ensure that any modifications are appropriate and support business needs.
Controls: GCP asset configuration modifications are formally documented, reviewed, tested and approved prior to production deployment.
Note: The enterprise may use automated workflows and deployment processes (e.g., Deployment Manager, Cloud Deploy) for certain categories of changes as part of following a DevOps methodology. The configuration of these automation workflows, continuous integration/continuous deployment (CI/CD) and the tooling used to configure and execute the workflows should be considered when assessing this control.
Testing Step:
1. Interview responsible and/or accountable individuals (cloud security engineer, network engineer, site reliability engineer, development teams) to determine whether processes and procedures are in place to control the creation, integration, modification and deployment of GCP services, applications and related resources (assets).
2. Determine the asset creation, integration, modification, deployment, rollback and failed change workflow processes, as well as change logging procedures. Obtain architecture documentation for DevOps or pipeline configuration, workflows, approvals and access controls.
3. Review the population of services, applications and related resources the processes and procedures apply to.
4. Review which individuals and automation accounts are responsible for each part of the change management process.
5. Document the population of changes that occurred during the period under review.
6. Review Google Cloud Monitoring logs, auditing logs and the Google Security Command Center to validate that the population of asset changes has been logged according to processes and procedures.
7. Through judgmental selection, obtain and inspect change records to determine if the process was followed as documented in the process/procedures. For any failed or rolled-back changes, obtain evidence of the actions taken to fully correct and restore the production environment.
Ref. Framework/Standards: CIS V8 4.1, 5.4, 11.3; COBIT BAI06, BAI07, BAI10

Process Sub-area: Change Management
Control Objectives: Alerting is enabled, and changes to GCP assets are monitored to mitigate the risk that changes in the environment adversely affect operations.
Controls: The enterprise utilizes monitoring and alerting solutions within change management operations that provide detailed records of asset modifications. Records are retained for a sufficient amount of time. Recording of asset changes includes the date of the change, the account making changes, results of the change testing and deployment and additional information supporting the authorized approval and appropriateness of the change.
Note: Not all items may be logged by default, and the enterprise may need to ensure logging of certain data and fields has been explicitly enabled. Additionally, if the enterprise uses a third-party tool to orchestrate changes, this should also be considered when assessing this control.
Testing Step:
1. Interview responsible and/or accountable individuals (cloud security engineer, network engineer, site reliability engineer, development teams, operations) to determine how the enterprise logs and alerts on modifications of in-scope GCP services, applications and related resources (assets) and which assets are in scope. Inquire about:
• The level of detail captured by the monitoring solution
• Where records are stored
• How long records are retained
• Individuals with access to read/review any changes
• Processes and procedures, including response times for the enterprise, for reviewing logs and alerts and responding to unauthorized changes
2. Document the Google Cloud Logging, Cloud Monitoring and Security Command Center events, rules and alerts that are configured to capture GCP asset creation, deployment, modifications and integrations.
3. Review Google Cloud Monitoring logs, Google Security Command Center and auditing logs to validate that the population of changes for assets has been logged according to processes and procedures.
4. Document the GCP log entries where asset changes (creation, deployment, modification, integration) are recorded.
5. Using evidence from the previous test, review a sample of asset changes that occurred during the period.
6. Determine whether a record of the change was documented by the appropriate logging event and included sufficient detail as required by the business.
7. Examine retention periods for the change records to ensure they will be available if needed during an investigation.
8. Evaluate evidence of periodic log and alert reviews by the enterprise. Examine alert rules to confirm the appropriateness of the contacts notified and obtain records to determine if the process for alert responses was followed according to process/procedure, including the actions taken for nonadherence.
Ref. Framework/Standards: CIS V8 4.1, 5.4, 8.1, 8.2, 8.10, 8.11, 11.3; COBIT BAI06, BAI09, BAI10

Process Sub-area: Change Management
Control Objectives: The enterprise maintains the environment's integrity by establishing change schedules.
Controls: The enterprise has designated time periods for requested changes by priority and requires additional review and approvals for emergency changes. The process and procedure regarding the appropriateness of approvers in the emergency change process are periodically reviewed.
Note: Establishing change schedules based on priorities helps reduce enterprise chaos caused by change and also facilitates the identification of inappropriate changes. The enterprise may be orchestrating this through automated workflows and tooling, which require periodic reviews to confirm the automated configuration.
Testing Step:
1. Interview responsible and/or accountable individuals and stakeholders (cloud security engineer, network engineer, site reliability engineer, development teams, operations) to determine if formal time periods have been designated for changes based on their enterprise-designated priority (one, two, three, etc.).
2. Determine whether additional reviews and approvals are required for emergency changes that may occur.
3. Determine which individuals are responsible for reviewing and approving emergency changes.
4. Determine the period, frequency and process by which the appropriateness of emergency reviewers is assessed.
5. Review the difference in volume between standard and emergency changes (i.e., are personnel abusing the emergency change process by declaring normal changes as emergencies?). This can typically be identified by reviewing the total population of changes and examining the percentage in each change category.
6. Through judgmental selection, determine whether completed changes are being implemented during the designated time periods.
7. Through judgmental selection, inspect evidence of assessments of emergency approvers to determine whether the appropriateness review of reviewers has been performed according to process/procedure.
8. Through judgmental selection, inspect change logs of orchestration and workflow tooling for configuration changes and routing rules to confirm adherence to documented change windows and reviewers.
Ref. Framework/Standards: CIS V8 4.1; COBIT BAI06
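The three Change Management rows above describe the evidence an auditor ties together: the logged population of asset changes, the change records that authorized them, the emergency approvals, and the standard-versus-emergency ratio. The reconciliation below is an added example and not part of the ISACA program; it assumes Admin Activity entries in the Cloud Logging LogEntry JSON shape (`timestamp`, `protoPayload.methodName`, `protoPayload.authenticationInfo.principalEmail`, `protoPayload.resourceName`), while the change-register layout is hypothetical and every record is constructed.

```python
"""Reconcile Cloud Audit Log Admin Activity entries with a change register.
Added example; LogEntry field names follow Cloud Logging's protoPayload layout,
the change-register layout is hypothetical and every record is constructed."""
from datetime import datetime

# Constructed Admin Activity entries for one review period.
AUDIT_LOG = [
    {"timestamp": "2023-03-06T02:15:00Z",
     "protoPayload": {"methodName": "v1.compute.firewalls.patch",
                      "authenticationInfo": {"principalEmail": "netops@example.com"},
                      "resourceName": "projects/prod-proj/global/firewalls/allow-web-from-lb"}},
    {"timestamp": "2023-03-07T14:40:00Z",
     "protoPayload": {"methodName": "v1.compute.firewalls.insert",
                      "authenticationInfo": {"principalEmail": "dev1@example.com"},
                      "resourceName": "projects/prod-proj/global/firewalls/allow-ssh-anywhere"}},
    {"timestamp": "2023-03-07T14:41:00Z",  # read-only call, not a change
     "protoPayload": {"methodName": "v1.compute.firewalls.list",
                      "authenticationInfo": {"principalEmail": "auditor@example.com"},
                      "resourceName": "projects/prod-proj/global/firewalls"}},
    {"timestamp": "2023-03-08T23:05:00Z",
     "protoPayload": {"methodName": "v1.compute.routes.insert",
                      "authenticationInfo": {"principalEmail": "netops@example.com"},
                      "resourceName": "projects/prod-proj/global/routes/partner-route"}},
]

# Constructed change register: ticket, target resource, priority, approval, window.
CHANGE_REGISTER = [
    {"id": "CHG-1001", "resource": "projects/prod-proj/global/firewalls/allow-web-from-lb",
     "priority": "standard", "approved": True, "emergency_approver": None,
     "window": ("2023-03-06T02:00:00Z", "2023-03-06T04:00:00Z")},
    {"id": "CHG-1002", "resource": "projects/prod-proj/global/routes/partner-route",
     "priority": "emergency", "approved": True, "emergency_approver": None,
     "window": ("2023-03-08T22:00:00Z", "2023-03-09T00:00:00Z")},
    {"id": "CHG-1003", "resource": "projects/prod-proj/global/networks/prod-vpc",
     "priority": "standard", "approved": True, "emergency_approver": None,
     "window": ("2023-03-09T02:00:00Z", "2023-03-09T04:00:00Z")},  # never executed or logged
]

MUTATING_SUFFIXES = (".insert", ".patch", ".update", ".delete", ".setIamPolicy")


def _ts(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def is_mutation(entry):
    """Only methods that alter an asset count as changes; list/get calls are ignored."""
    return entry["protoPayload"]["methodName"].endswith(MUTATING_SUFFIXES)


def matching_change(entry, register):
    """Approved change record whose resource and window cover the entry, else None."""
    when = _ts(entry["timestamp"])
    resource = entry["protoPayload"]["resourceName"]
    for change in register:
        if change["approved"] and change["resource"] == resource:
            start, end = (_ts(t) for t in change["window"])
            if start <= when <= end:
                return change
    return None


def reconcile(log, register):
    """Report logged changes without an approved record, approved records with no
    log evidence, emergency changes lacking a named approver, and the emergency ratio."""
    unauthorized, evidenced = [], set()
    for entry in log:
        if not is_mutation(entry):
            continue
        change = matching_change(entry, register)
        if change is None:
            payload = entry["protoPayload"]
            unauthorized.append((entry["timestamp"],
                                 payload["authenticationInfo"]["principalEmail"],
                                 payload["resourceName"]))
        else:
            evidenced.add(change["id"])
    emergencies = [c for c in register if c["priority"] == "emergency"]
    return {
        "unauthorized": unauthorized,
        "unlogged_changes": [c["id"] for c in register if c["approved"] and c["id"] not in evidenced],
        "emergency_without_approver": [c["id"] for c in emergencies if not c.get("emergency_approver")],
        "emergency_ratio": len(emergencies) / len(register) if register else 0.0,
    }
```

On the constructed data, `reconcile(AUDIT_LOG, CHANGE_REGISTER)` flags the developer's firewall insert as unauthorized, CHG-1003 as an approved change with no log evidence, and CHG-1002 as an emergency change with no named approver.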

Process Sub-area: Identifying and Remediating Asset Vulnerabilities
Control Objectives: The enterprise maintains a secure development lifecycle and performs security testing assessments to mitigate against security threats and vulnerabilities of GCP assets.
Controls: The enterprise performs application security testing and vulnerability assessments with scans using enterprise-identified tools and addresses findings through an enterprise-determined frequency and prioritization process. Authorized personnel accept findings and vulnerabilities.
Note: This control may be achieved through a variety of tools, such as Google Security Command Center, security and policy-as-code deployment checks and open-source and third-party scanning and testing tools. In the case of automation workflows, the tools may have configuration logic to allow the findings from these scans to be automatically accepted at a particular risk level, which should be documented and periodically reviewed. It may also involve manual checks via self-assessments or external audits.
Testing Step:
1. Interview responsible and/or accountable individuals (cloud security engineer, site reliability engineering, development teams, operations) to determine the methods, tools, frameworks and/or exception processes used by the enterprise to identify, document, prioritize and remediate security gaps and vulnerabilities in GCP services, applications and related resources (assets). Confirm the organizational process used to determine the completeness of assets covered under vulnerability scans, including third-party provided applications and APIs.
2. Determine who has access to security testing and vulnerability scanning tools, how the output of the tools is interpreted and prioritized within the enterprise (including any exception processes and responsibilities for reviewing, approving and remediating scan findings), the automation and integration of scanning processes within deployment workflows and the degree and timeliness of remediation performed when vulnerabilities are discovered.
3. Document the population of security testing and vulnerability scan outputs for in-scope assets.
4. Through judgmental selection, determine whether identified security findings and vulnerabilities have been remediated within the allowable timeframes and through the methods stipulated by the enterprise. For any exceptions, obtain evidence of appropriate approvals and risk acceptance.
5. Through judgmental selection, inspect change logs of orchestration and workflow tooling to assess the process for notification and the appropriateness of vulnerability acceptance by responsible/accountable individuals where acceptance was performed through automation. Select changes where vulnerabilities or security findings have been automatically accepted to confirm adherence to the documented process and procedure. Assess asset coverage and obtain evidence of a periodic review for completeness.
Ref. Framework/Standards: CIS V8 4.1, 7.5; COBIT APO12, APO13, BAI06, BAI07

Process Sub-area: Identifying and Remediating Asset Vulnerabilities
Control Objective: The enterprise maintains a vulnerability and security patch management process to mitigate against security threats and vulnerabilities of GCP assets.
Controls: The enterprise performs the application of security patches for managed assets within the GCP to limit enterprise exposure to known security vulnerabilities.
Testing Steps:
1. Interview responsible and/or accountable individuals (cloud security engineer, site reliability engineering, development teams, operations) to determine the methods, tools and/or procedures used by the enterprise to identify, document and apply security patches to managed operating system and database resources within the GCP.
2. Determine who has access to deploy security patches, the deployment process, how patches are analyzed and prioritized within the enterprise (including any exception processes and responsibilities for reviewing, approving and verifying patch application), automation workflows and the degree and timeliness of remediation performed when applicable patches are discovered.
3. Document the population of in-scope patches for the managed GCP operating system and database assets.
4. Through judgmental selection, determine whether identified patches have been prioritized and applied within the allowable timeframes and through the methods stipulated by the enterprise.
Framework/Standards Ref.: CIS V8 7.4; COBIT BAI06, APO12, APO13

Process Sub-area: External Penetration Testing
Control Objective: Assessment and modeling of potential security threats and weaknesses are independently performed through penetration testing.
Controls: The enterprise schedules and performs penetration testing in accordance with its predetermined frequency to identify and remediate security threats and vulnerabilities within the enterprise's GCP architecture (enabled services, applications, and resources). The enterprise contracts external subject matter experts to identify GCP architecture and resource vulnerabilities and remediate findings in a timely manner.
Testing Steps:
1. Interview responsible and/or accountable individuals (cloud security engineers, network engineers, security operations) to determine vendors, assessment type (black box/white box, etc.), frequency and resources devoted to conducting penetration testing exercises.
2. Inquire about:
• Individuals involved in setting the statement of work
• How nondisclosure of vulnerabilities is handled
• Individuals or departments within the enterprise that receive the final report
• Responsibilities, the prioritization framework and timeliness for resolving identified vulnerabilities (confirmed, internally reviewed, assigned, etc.)
3. Obtain and inspect penetration testing statements of work, schedules and final report summaries (if available) to determine whether penetration testing exercises have been scheduled and completed as discussed.
4. Inspect the Google Cloud Security Command Center and Network Intelligence Dashboards to determine the remediation history and whether external report findings are known issues.
5. Evaluate findings from penetration testing reports and obtain evidence of a post assessment to confirm the findings have been remediated.
Framework/Standards Ref.: CIS V8 18.1, 18.2, 18.3, 18.5; COBIT APO12, APO13

Process Sub-area: Financial Change Management
Control Objective: Enterprise objectives related to cost containment are supported through configured cost controls and alerting.
Controls: The enterprise has configured Google Cloud Billing and Google Cloud Monitoring alerts to identify impacts on Organizational and Project level resource billing and consumption thresholds for business operations.
Note: Defining alerts that inform appropriate users and business functions when services near or exceed thresholds supports a separation of duties for cost control and purchasing processes and can also support the enterprise in determining if change management or governance processes have been bypassed for the enablement of new services, applications and resources.
Testing Steps:
1. Interview responsible and/or accountable individuals (cloud security engineer, site reliability engineer, operations management, finance) to determine the methods used by the enterprise to identify GCP services, applications and related resources (assets) that are being charged to the enterprise but are not providing a business value.
2. Inquire about:
• Organizational and Project structure and billing ownership for each
• GCP services, applications and related resources (assets) that are in scope
• Billing and cost alerts configured in Cloud Billing and Cloud Monitoring and the response process to be followed
• Triggers that exist for each configured alert (i.e., what limits is the enterprise monitoring per asset?)
• Individuals who can set or modify alerts and triggers
• Individuals to whom an alert should be sent and the mechanism for them to receive the alert
• Time limits and evaluation methods to determine the action to be taken
• Length of time and location where triggered alerts are stored
• Conditions triggering the deletion of alert messages and change history
3. Obtain documentation of the population of GCP assets and conditions that should have alerts configured. Through judgmental sampling, test to determine whether:
• Alerts are configured for existing assets and conditions and apply to new assets as they are created
• Alert thresholds are configured in accordance with enterprise requirements
• Alerts are configured to notify the appropriate group within the enterprise
• Alerts trigger once the configured threshold is crossed
• Timely investigation of alerts is conducted, and corrective action is taken
• Changes to alerting configuration are restricted to specified personnel and are documented and follow a change management process
Framework/Standards Ref.: COBIT DSS01, DSS06

Process Sub-area: Financial Change Management
Control Objective: Enterprise objectives related to cost containment are supported through the identification and removal of unnecessary assets in a timely manner.
Controls: The enterprise has configured Google Cloud Billing, Cloud Monitoring, Organizational Policies and periodic Cloud Asset Inventory reviews to identify assets that no longer serve valid business purposes and to follow a documented decommission process to remove the assets.
Testing Steps:
1. Interview responsible and/or accountable individuals (cloud security engineer, site reliability engineer, operations management, finance) to determine the methods used by the enterprise to identify GCP services, applications and related resources (assets) that are being charged to the enterprise but are not providing a business value.
2. Inquire about:
• GCP services, applications and related resources (assets) that are in scope
• Individuals responsible for the periodic review of the Cloud Asset Inventory, review frequency and documented actions
• Policies and alerts configured for each GCP asset
• Decommissioning and change management process for GCP assets (e.g., tagging used, folder/project group and permission assignments, communication, access restriction policies, disabling procedures)
• Triggers that exist for each policy and alert
• Individuals who can set or modify assets in decommission
• Time limits and evaluation methods to determine whether an asset is to be removed
3. Obtain documentation of the population of GCP assets. Through judgmental sampling, test to determine whether:
• An asset inventory review was performed and the results documented
• If an asset was tagged for decommissioning, all change management process steps have been followed
Framework/Standards Ref.: COBIT DSS01, DSS06, BAI09, APO03

Data Security and Integrity Controls

Process Sub-area: Defining Protection Requirements
Control Objective: Across the data life cycle, the enterprise protects data confidentiality, integrity and availability by establishing and applying appropriate security hygiene and protection measures that are commensurate with business requirements.
Controls: The enterprise has established policies and procedures for discovering, classifying, protecting and storing sensitive data and applies a minimum of AES 256-bit-level encryption for data at rest and in transit for each GCP service, application and affected resource.
Testing Steps:
1. Interview responsible and/or accountable individuals (cloud security engineer, data protection officer, network engineer, operations management) to determine the data protection and encryption process and policies that have been defined and documented for each GCP service, application and related resource(s) and data storage asset. Further inquiry should determine the:
• Existence and location of documented encryption requirements (minimum AES 256-bit)
• Policies, methods and tools (e.g., Google Front End) for encrypting network traffic
• Frequency and methods used to assess compliance against the requirements
• Automated mechanisms in place used to validate compliance or inform personnel of potential noncompliance
2. Obtain and inspect documented encryption requirements defined by the enterprise to determine if all GCP services and applications in use are included.
3. Obtain and inspect completed compliance reviews and confirm that any instances of noncompliance are remediated in a timely manner.
Framework/Standards Ref.: CIS V8 3.1, 3.7; COBIT APO12, APO14

Process Sub-area: Defining Protection Requirements
Control Objective: As above.
Controls: Policies and procedures exist for the storage and management of encryption keys, secrets, and certificates and for encryption and decryption. Access to these functions and related tools, configuration, and configuration changes are logged. These policies and procedures are reviewed on a regular basis, incorporated into the SDLC process and applied as changes are made to GCP services, applications and affected resources.
Testing Steps:
1. Confirm that the following have been implemented:
• Management processes and services for secrets (e.g., Secret Manager) and certificates (e.g., Google Cloud Certificate Authority Service), including rotation procedures, and which permissions are used to restrict access to these services to appropriate personnel
• Key management services in use (e.g., Cloud Key Management Service, Hardware Security Module, External Key Manager) for each GCP service and application and related resources and which permissions are used to control access
• Frequency of reviews for documented data protection processes and policies established to meet business requirements
• Architecture of data stores (including analytics tooling), data flow diagrams and the location of data types within GCP services and applications
• Data handling procedures for the creation, removal, update and deletion of data within GCP services and applications
2. Obtain and inspect accounts with access to key, secret and certificate management services for appropriateness.
3. Obtain and inspect evidence of reviews of data protection policies and procedures and confirm that reviews have been completed in accordance with the defined frequency.

Process Sub-area: Defining Protection Requirements
Control Objective: The enterprise protects against the loss of organizational data.
Controls: The enterprise has established policies, procedures and monitoring to detect and prevent the unauthorized access and exfiltration of data.
Note: This may include the deployment of data loss prevention (DLP) tools such as Cloud Data Loss Prevention or third-party tooling. Configuration and access to these tools should be considered as part of assessing this control.
Testing Steps:
1. Interview responsible and/or accountable individuals (cloud security engineer, data protection officer, network engineer, operations management) to determine data exfiltration logging and monitoring requirements that have been defined and documented for each GCP service, application and related resource(s) and data storage asset. Inquire further to determine the:
• Process for approving and authorizing the exfiltration of data for each service, application and related resource(s) and data storage asset (including analytics tooling)
• Methods, tools and frequency for examining and logging data exfiltration events
• Existence, storage location and retention period of logging for data exfiltration events
2. Confirm the following:
• Configured policies for the exfiltration of data for each service, application and related resource(s) and data storage asset (including analytics)
• Configured alerting or automation for DLP
3. Obtain and inspect documented DLP policies and procedures to determine if all GCP services and applications in use are included.
4. Obtain and inspect logs from DLP monitoring events. Determine if logging is performed and retained in accordance with enterprise requirements.
5. Obtain and inspect completed compliance reviews and confirm that any instances of noncompliance are remediated in a timely manner.
6. Obtain and inspect evidence of alerts and responses to data exfiltration and confirm that reviews have been completed in accordance with the defined frequency.
7. Determine accounts (individual, folder and project level) with access to modify, configure or view unencrypted data within DLP tools and logs and confirm appropriateness.
Framework/Standards Ref.: CIS V8 3.3, 3.13, 3.14; COBIT APO12, APO13, APO14

Process Sub-area: Key, Certificate, and Secrets Management
Control Objective: The enterprise maintains the integrity of access keys, certificates and secrets by requiring them to expire and regenerate (rotate).
Controls: Account access keys, certificates and secrets are configured to expire after a time period (as defined by the enterprise) and rotate, generating new keys/certificates/secrets that allow access to stored data.
Note: Not all logs related to key, secret and certificate management may be logged by default. The enterprise may need to explicitly enable some activities for data access audit logs.
Testing Steps:
1. Interview responsible and/or accountable individuals (cloud security engineer, data protection officer, network engineer, operations management) to determine the GCP services, applications and related resources and individual data storage assets that require key, certificate, or secret expiration and rotation. Further, determine the associated risk-based location requirements and storage locations where account access keys, secrets and certificates are stored and whether the enterprise has an operational process to establish a key/secret/certificate regeneration (rotation) period for individual storage assets (e.g., using automated rotation, REST APIs, manually rotated through the Google Management Console). Inquire about the key life cycle process and obtain documentation on the process and procedures for change management.
2. Generate a population of services, applications and related resources and data storage accounts in scope and assess whether individual key/secret/certificate regeneration is occurring.
3. In GCP, if the Google Cloud Key Management Service and/or Google Secret Manager are in use, review the settings for automatic rotation.
4. Within the GCP Cloud Asset Inventory, identify storage assets and determine when each storage asset was created.
• Within each asset under review, review the change history for a log of activities performed to identify rotation of the key/secret/certificate within the defined time period.
• Review whether the associated key/certificate/secret has been stored in the appropriate location according to risk-based location requirements.
5. Evaluate whether keys are appropriately managed across the key life cycle, from generation to destruction, in accordance with organizational processes and procedures.
Framework/Standards Ref.: COBIT APO12, APO13, APO14
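As an added example for testing step 3 (not part of the ISACA program and not Google's tooling), the following Python check evaluates a constructed sample of the JSON that `gcloud kms keys list --location=LOC --keyring=RING --format=json` returns against an enterprise-defined maximum rotation period, flagging symmetric keys whose automatic rotation is missing, too long or overdue, and routing keys that Cloud KMS does not auto-rotate to manual review. The project and key names, the 90-day limit and the audit date are assumptions.

```python
"""Cloud KMS rotation check (added example; not ISACA's or Google's code).

Input is the JSON emitted by:
  gcloud kms keys list --location=LOC --keyring=RING --format=json
Field names follow the Cloud KMS CryptoKey resource; the sample below is
constructed, and the project and key names are made up.
"""
import json
from datetime import datetime, timedelta, timezone

# Constructed sample: one compliant symmetric key, one symmetric key that has
# never been rotated, and one asymmetric signing key (no automatic rotation).
SAMPLE_KEYS_JSON = """[
  {"name": "projects/example-prj/locations/us/keyRings/app-ring/cryptoKeys/db-cmek",
   "purpose": "ENCRYPT_DECRYPT",
   "rotationPeriod": "7776000s",
   "nextRotationTime": "2024-04-01T00:00:00Z",
   "primary": {"name": "projects/example-prj/locations/us/keyRings/app-ring/cryptoKeys/db-cmek/cryptoKeyVersions/4",
               "state": "ENABLED", "createTime": "2024-01-01T00:00:00Z"}},
  {"name": "projects/example-prj/locations/us/keyRings/app-ring/cryptoKeys/legacy-bucket-key",
   "purpose": "ENCRYPT_DECRYPT",
   "primary": {"name": "projects/example-prj/locations/us/keyRings/app-ring/cryptoKeys/legacy-bucket-key/cryptoKeyVersions/1",
               "state": "ENABLED", "createTime": "2021-06-15T00:00:00Z"}},
  {"name": "projects/example-prj/locations/us/keyRings/app-ring/cryptoKeys/signing-key",
   "purpose": "ASYMMETRIC_SIGN",
   "versionTemplate": {"algorithm": "EC_SIGN_P256_SHA256"}}
]"""

# Fixed "as of" date so the check is reproducible (assumption: fieldwork date).
AUDIT_DATE = datetime(2024, 2, 1, tzinfo=timezone.utc)


def load_sample_keys():
    """Parse the constructed sample exactly as json.load on the gcloud output would."""
    return json.loads(SAMPLE_KEYS_JSON)


def parse_rfc3339(timestamp):
    """Parse an RFC 3339 timestamp such as 2024-01-01T00:00:00Z."""
    return datetime.fromisoformat(timestamp.replace("Z", "+00:00"))


def parse_duration_seconds(duration):
    """Parse a protobuf Duration string such as '7776000s' into seconds."""
    if not duration.endswith("s"):
        raise ValueError(f"unexpected duration format: {duration!r}")
    return float(duration[:-1])


def assess_key_rotation(keys, max_rotation_days, now):
    """Return one finding per key: PASS, FAIL (with reasons) or MANUAL_REVIEW."""
    max_age = timedelta(days=max_rotation_days)
    findings = []
    for key in keys:
        short_name = key["name"].rsplit("/", 1)[-1]
        purpose = key.get("purpose", "UNKNOWN")
        # Cloud KMS schedules automatic rotation only for symmetric
        # (ENCRYPT_DECRYPT) keys; other purposes need manual rotation evidence.
        if purpose != "ENCRYPT_DECRYPT":
            findings.append({"key": short_name, "status": "MANUAL_REVIEW", "reasons": [
                f"{purpose} keys are not auto-rotated by Cloud KMS; obtain manual rotation evidence"]})
            continue
        reasons = []
        period = key.get("rotationPeriod")
        if period is None:
            reasons.append("no rotationPeriod configured (automatic rotation is off)")
        else:
            period_days = parse_duration_seconds(period) / 86400
            if period_days > max_rotation_days:
                reasons.append(f"rotationPeriod of {period_days:.0f} days exceeds the "
                               f"{max_rotation_days}-day limit")
            next_rotation = key.get("nextRotationTime")
            if next_rotation and parse_rfc3339(next_rotation) < now:
                reasons.append("nextRotationTime is in the past (rotation is overdue)")
        # The age of the primary version shows whether rotation actually
        # happened, not just whether it is scheduled.
        created = key.get("primary", {}).get("createTime")
        if created and now - parse_rfc3339(created) > max_age:
            reasons.append("primary version is older than the maximum rotation period")
        findings.append({"key": short_name, "status": "FAIL" if reasons else "PASS",
                         "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in assess_key_rotation(load_sample_keys(), 90, AUDIT_DATE):
        print(f"{finding['status']:<13} {finding['key']}")
        for reason in finding["reasons"]:
            print(f"    - {reason}")
```

Secret Manager secrets carry their own rotation settings and are not covered by this check; the same approach applies to the output of `gcloud secrets describe`.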

Process Sub-area: Key, Certificate, and Secrets Management
Control Objective: The enterprise maintains the confidentiality and integrity of cryptographic information by restricting access to appropriate individuals.
Controls: The enterprise grants GCP Key Management Service (KMS) and Secret Manager access to personnel (based on job responsibilities) and implements access based on the principle of least privilege. The enterprise utilizes Cloud Audit Logging or a SIEM to monitor GCP KMS tooling API calls for appropriateness.
Testing Steps:
1. Interview responsible and/or accountable individuals (cloud security engineer, data protection officer, network engineer, operations management) to determine which users or departments are responsible for managing access to the enterprise's cryptographic key management services.
2. Inquire about:
• The number of cryptographic keys that exist and what data they are meant to protect
• Any cryptographic keys stored offsite with another provider and the justification
• How key policies are developed and applied to keys
• How access is authorized and how frequently access is reviewed for appropriateness
• Individuals with authority to change key policies
• Existence of monitoring to generate alerts if key policies are modified
3. Obtain documentation on the population of KMS Customer Managed Keys (CMK) and associated default key policies.
4. Through judgmental sampling, obtain and inspect default key policies with specific attention to the principals and the actions each principal is allowed to take in order to determine whether they meet enterprise-defined access requirements.
5. Through judgmental sampling, obtain and review the configuration of monitoring alerts to determine whether capabilities exist to alert appropriate personnel of inappropriate actions (e.g., copy or delete actions).
Framework/Standards Ref.: COBIT APO07, APO12, APO13, APO14

Process Sub-area: Securing Remote Connectivity and Data Transfer
Control Objective: The enterprise maintains data confidentiality and integrity for external network sources and destinations.
Controls: The enterprise requires encrypted connections for communications with external destinations.
Testing Steps:
1. Interview responsible and/or accountable individuals (cloud security engineer, network engineer, operations management, infrastructure, site reliability engineer) to determine which GCP services, applications and related resources allow, or are configured to accept, external or public web connectivity or send data to external sources. Further inquiry should determine the:
• GCP services, applications and related resources that contain, process or transmit sensitive data
• Policies or procedures that define the types of allowed connections based on data sensitivity
• VPC configurations and VPC Service Controls that allow for ingress and egress or cross-project connectivity
• Network architecture and use of Google CDN, private connections (Cloud Dedicated Interconnect), Cloud VPN, web application firewalls and firewall rules
• Architecture and data flow of hybrid connectivity scenarios and requirements for encrypting communication between networks
• Architecture and use of web application firewalls and firewall rules
2. Obtain and inspect configuration (e.g., using Network Intelligence) for data assets, ingress and egress points for encryption settings and adherence to business requirements.
3. Evaluate whether connection types and data sensitivity configurations adhere to policies and procedures.
Framework/Standards Ref.: CIS V8 3.6, 3.10; COBIT APO03, APO12, APO13, APO14

Process Sub-area: Security of APIs
Control Objective: The enterprise maintains data confidentiality and integrity in integrated scenarios through the use of secure Application Programming Interface (API) calls.
Controls: APIs are designed, developed, deployed and tested to ensure the enforcement of data validation, secure data exchange and connectivity and access control mechanisms.
Testing Steps:
1. Interview responsible and/or accountable individuals (cloud security engineer, DevOps, operations management, infrastructure, site reliability engineer) to determine which GCP services, applications and related resources allow or are configured to accept or send data to sources using API calls. Further inquiry should determine the:
• Custom or default APIs that are in use for GCP services, applications and related resources and whether they are inbound or outbound
• Process by which APIs and any input are verified, the scanning/validation of API security prior to use, and any exception processes
• Change management process and procedures for APIs, including organizational approvers for the integration and use of APIs
• Frequency of periodic reviews to confirm the appropriateness of APIs and anything that should be disabled
• Process by which authentication and authorization are enforced for the APIs
• Encryption requirements
• Process by which denial of service attacks are detected and prevented
• Architecture and use of web application firewalls and firewall rules to protect against API attacks
2. Obtain and inspect exposed APIs for encryption settings and adherence to business requirements for input validation, authentication and authorization and testing.
3. Through the API gateway, verify that the list of APIs configured to allow inbound access is accurate and complete based on prior interview responses.
4. Using Cloud Audit Logs and the API gateway, perform a sampling of API calls and compare it with the results from the periodic reviews to confirm accuracy and completeness.
5. Obtain evidence of security scanning for APIs, remediation of any vulnerabilities prior to use and periodic scanning as part of change management. For any exceptions, confirm risk acceptance by organizational management.
6. Using a judgmental sample, obtain evidence of change management and review approvals.
Framework/Standards Ref.: COBIT APO12, APO13, APO14

Process Sub-area: Defining Data Retention Requirements
Control Objective: The enterprise has developed data retention and purge directives for GCP data storage assets to ensure data are retained only for the time required by law or for business needs.
Controls: Data management policies and processes exist for GCP services, applications and related resources and data storage assets for managing enterprise data life cycle requirements.
Testing Steps:
1. Interview responsible and/or accountable individuals (cloud security engineer, legal, operations management) to determine how the enterprise defines and programmatically enforces data retention and data purging activities for individual GCP applications and related resources.
2. Obtain and inspect data management policies. Determine methods for tagging and identifying retention policies to be applied to a given set of data. Evaluate if data retention policies are applied to backup data and if backup data is managed (retention and purging) along with the primary data.
3. Review time-to-live (TTL) policies for any scheduling of expiration or bulk deletion of entities within a data asset.
4. Through judgmental sampling, obtain and inspect evidence for each in-scope GCP asset demonstrating tagging or labeling and application of data retention policies.
Framework/Standards Ref.: CIS V8 3.1, 3.5, 3.7, 3.8, 3.13; COBIT APO12, APO13, APO14

Process Sub-area: Enabling Database Auditing
Control Objective: The enterprise enhances security awareness and visibility by enabling database auditing capabilities for business-critical database servers.
Controls: Database auditing is enabled on business-critical databases along with management-defined retention periods.
Testing Steps:
1. Interview responsible and/or accountable individuals (cloud security engineer, operations management) to determine whether audit capabilities are enabled for GCP data storage assets, the specific audit categories that are enabled (e.g., successful login, failed login), where audit logs are stored, who can access or modify the logs and what the declared retention period is for each asset in scope.
2. Generate a population of services, applications and related resource(s) in scope for review and determine whether database auditing is enabled.
3. From the GCP Management Console, go to "IAM & Admin" and then "Audit Logs" to review configurations for each in-scope service, application and resource. Assess the following attributes for appropriateness and approval by organizational management:
• Auditing (on or off)
• Audit log types (Admin, Data Read, Data Write)
• Exempted principals and documented, approved exceptions by organizational management, as well as alternative logging and monitoring procedures in place
Framework/Standards Ref.: CIS V8 3.14; COBIT APO01, APO03, APO12, APO13, DSS04
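The three attributes in step 3 can also be checked programmatically from an export rather than by clicking through the console. The following Python check is an added example (not ISACA's or Google's code): it reads a constructed sample of the project IAM policy as emitted by `gcloud projects get-iam-policy PROJECT_ID --format=json`, merges the `allServices` and per-service `auditConfigs` entries, and reports, for each in-scope service, which Data Access log types are missing and which exempted principals are not on the approved list. The project, service and principal names and the approved-exemption list are assumptions.

```python
"""Data Access audit log configuration check (added example; not ISACA's or
Google's code).

Input is the project IAM policy as emitted by:
  gcloud projects get-iam-policy PROJECT_ID --format=json
Only the auditConfigs part matters here. The sample is constructed; the
project, service and principal names are made up.
"""
import json

# Constructed sample: Data Access logging is enabled for all services at the
# ADMIN_READ and DATA_READ levels (with one exempted user), and Cloud SQL Admin
# additionally logs DATA_WRITE. Admin Activity logs are always on and do not
# appear in auditConfigs.
SAMPLE_POLICY_JSON = """{
  "auditConfigs": [
    {"service": "allServices",
     "auditLogConfigs": [
       {"logType": "ADMIN_READ"},
       {"logType": "DATA_READ", "exemptedMembers": ["user:analyst@example.com"]}]},
    {"service": "sqladmin.googleapis.com",
     "auditLogConfigs": [{"logType": "DATA_WRITE"}]}
  ],
  "bindings": [
    {"role": "roles/owner", "members": ["group:cloud-admins@example.com"]}
  ],
  "version": 1
}"""

# Data Access log types the enterprise requires on business-critical data
# services (assumption; set per the documented audit requirements).
REQUIRED_LOG_TYPES = ("ADMIN_READ", "DATA_READ", "DATA_WRITE")


def load_sample_policy():
    """Parse the constructed sample exactly as json.load on the gcloud output would."""
    return json.loads(SAMPLE_POLICY_JSON)


def effective_audit_config(policy, service):
    """Merge the allServices and service-specific entries for one service.

    The IAM AuditConfig reference documents union semantics: a log type
    enabled in either entry is enabled, and exempted members from both
    entries are exempted. Returns {logType: set(exempted members)}.
    """
    enabled = {}
    for cfg in policy.get("auditConfigs", []):
        if cfg.get("service") in ("allServices", service):
            for log_cfg in cfg.get("auditLogConfigs", []):
                members = enabled.setdefault(log_cfg["logType"], set())
                members.update(log_cfg.get("exemptedMembers", []))
    return enabled


def assess_audit_logging(policy, services, required_log_types, approved_exemptions):
    """One finding per in-scope service: missing log types and unapproved exemptions."""
    findings = []
    for service in services:
        enabled = effective_audit_config(policy, service)
        missing = sorted(set(required_log_types) - set(enabled))
        exempted = {m for members in enabled.values() for m in members}
        unapproved = sorted(exempted - set(approved_exemptions))
        findings.append({
            "service": service,
            "enabled_log_types": sorted(enabled),
            "missing_log_types": missing,
            "unapproved_exemptions": unapproved,
            "status": "PASS" if not (missing or unapproved) else "FAIL",
        })
    return findings


if __name__ == "__main__":
    # Exemptions documented and approved by management (assumption).
    approved = {"serviceAccount:ci-runner@example-prj.iam.gserviceaccount.com"}
    in_scope = ["sqladmin.googleapis.com", "storage.googleapis.com"]
    for f in assess_audit_logging(load_sample_policy(), in_scope,
                                  REQUIRED_LOG_TYPES, approved):
        print(f"{f['status']} {f['service']}: missing={f['missing_log_types']} "
              f"unapproved_exemptions={f['unapproved_exemptions']}")
```

Audit configs can also be set at folder and organization level and are inherited, so the same check should be run against `gcloud resource-manager folders get-iam-policy` and `gcloud organizations get-iam-policy` output for a complete picture.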

Process Sub-area: Detecting Misconfigured Encryption
Control Objective: The enterprise maintains the integrity of encryption status through the use of monitoring.
Controls: The enterprise has developed capabilities to identify and respond to encryption failures or misconfigurations in a timely manner.
Testing Steps:
1. Interview responsible and/or accountable individuals (cloud security engineer, site reliability engineer, operations management, data protection) to determine the methods used to detect and alert on security vulnerabilities related to encryption changes, misconfigurations and response processes for those alerts. Inquire about:
• GCP services, applications and related resources (assets) that are in scope
• Alerts configured for changes in encryption status and the response process to be followed, including corrective actions, response times and required approvals for actions to be taken
• Triggers that exist for each configured alert
• Individuals who can set or modify alerts and triggers
• Individuals to whom an alert should be sent and the mechanism for them to receive the alert
• Time limits and evaluation methods to determine the action to be taken
• Length of time and location where triggered alerts are stored
2. Obtain documentation on the population of events and alerting configured in Google Cloud Logging and Security Command Center for each in-scope GCP service, application and related resource and data asset with specific attention to monitoring encryption status (at rest and in transit). Through sampling, obtain and inspect alert logging and configuration to determine:
• Whether changes to GCP application encryption status will generate alerts (SNS topics)
• The department or individuals where the alerts are sent
3. From a sample of triggered alerts, determine the timeliness of response and appropriateness of actions and approvals.
Framework/Standards Ref.: CIS V8 3.1; COBIT APO12, APO13, DSS01,

Security Incident Response
Process Sub-area: Maintaining the Plan
Control Objective: The enterprise ensures that there is a clear understanding across the organization regarding the strategy and plan of action in the event of a security event.
Controls: Security incident response documentation is continuously updated as the enterprise evolves. Management reviews the security incident response on a predetermined basis or as needed following operational changes.
Note: The cloud provider shared responsibility model, which Google calls "shared fate," should be considered when developing a response plan in conjunction with the cloud provider and third parties.
Testing Steps:
1. Interview responsible and/or accountable individuals (security operations, site reliability engineers, cloud security engineers, executive management, legal) to determine the specific security incident response documentation that is in scope for review and the frequency of review.
2. Inquire about methods used and specific individuals providing input for security incident response documentation and individuals who must approve any changes or updates.
3. Obtain and inspect security incident policies, plans and procedures and determine whether they:
• Document a review by the necessary individuals
• Have been reviewed within the timeframes stipulated by the enterprise
• Summarize changes (i.e., modification of content, responsible individuals, call trees, technology used, etc.)
• Appropriately include the Google Cloud infrastructure components (services, applications, related resources and data stores), cloud forensic procedures during postrecovery and cloud log analysis as part of the response plan
• Include firewall rules and Google Cloud Logging, Security Command Center, VPC flow logs, DLP, VM snapshotting and Google Deployment Manager to provide technology support as part of the incident response plan
• Describe shared responsibilities and contact processes between the cloud service provider (Google) and the enterprise for incident response and recovery
• Appropriately describe additional capabilities, such as Google Chronicle Security Operations Suite, Google Security Command Center or other solutions that support threat hunting and security operation center (SOC) awareness and response
• Appropriately describe any threat classification and hunting frameworks the enterprise uses for incident response processes (e.g., MITRE ATT&CK Framework)
• Describe the review process for advisory notifications from the cloud service provider
• Provide for regular review of the Essential Contacts defined within the IAM & Admin product in GCP, so that they receive critical notifications from Google, as well as regular review of contact information for GCP
Framework/Standards Ref.: CIS V8 17.1, 17.2, 17.3, 17.4, 17.9; COBIT APO13, DSS04

Process Sub-area: Practicing the Plan
Controls: The enterprise prepares for security threats through a variety of simulated exercises. The enterprise schedules security tabletop exercises on a frequency predetermined by the enterprise to improve security incident response capabilities.
Testing Steps:
1. Interview responsible and/or accountable individuals (security operations, site reliability engineers, cloud security engineers, executive management, legal) to determine the:
• Frequency of incident response practice scenarios conducted by the enterprise
• Personnel involved
• Scenarios practiced in relation to enterprise operations and utilized technology
2. Obtain and inspect summary exercise reports, meeting minutes and updates to the security incident response plan resulting from tabletop exercises.
Framework/Standards Ref.: CIS V8 17.7, 17.8; COBIT APO13, DSS04

Process Sub-area: Crisis Communications
Control Objective: The enterprise expressly considers and incorporates public relations into its security posture and documentation.
Controls: The enterprise has developed crisis communication procedures that inform personnel how to report security breaches to regulators, law enforcement or customers, if necessary.
Note: The enterprise should know when, how and to whom it should report security incidents (whether short-lived or prolonged). A single poorly managed security incident can put the company out of business or permanently harm its reputation. Crisis communication procedures that are reviewed and practiced over time may help reduce the risk.
Testing Steps:
1. Interview responsible and/or accountable individuals (security operations, site reliability engineers, cloud security engineers, executive management, legal) to determine whether security incident response policies, plans or procedures inform the enterprise:
• How to identify and declare a formal crisis within the enterprise (e.g., if a security breach leads to millions of exposed PII records)
• Which individuals must be included in crisis communications and how to contact them, and the responsibilities of other individuals across the enterprise
• What approaches and requirements are necessary when speaking with the media (this may be needed for standard employees as well)
• What approaches and requirements are necessary when communicating crisis information to authorities
• What approaches and requirements are necessary when communicating crisis impacts to customers or internal employees (as appropriate)
2. Obtain and inspect security policies, plans and procedures and determine whether they define and/or contain appendices describing how enterprise-wide security crises should be handled.
3. Inspect the crisis communication procedures to determine whether they are routinely reviewed for completeness and accuracy.
Framework/Standards Ref.: CIS V8 17.6; COBIT APO13

Security Incident Response
Process Sub-area: Enterprisewide Visibility Through Automation
Control Objectives: The enterprise ensures the effectiveness of its security incident response program through strategic communication.
Controls: Enterprise security personnel are informed about security events of interest in a timely manner. The enterprise has deployed a security information and event management (SIEM) capability to report potential security events to appropriate personnel.
Testing Steps:
1. Interview responsible and/or accountable individuals (security operations, site reliability engineers, cloud security engineers, executive management, legal) to determine which security tools (e.g., firewalls, IDS, IPS, antivirus, etc.) and event types from these tools are feeding into the SIEM tool.
2. Inquire about:
• The required or intended recipients of alerts generated by the SIEM
• How maintenance of SIEM event monitoring is performed to update and include new event sources or remove old event sources
• How event correlation between different sources is performed and achieved
• How alerts are prioritized and triaged
• The process and procedure of actions to be taken (manual or automated) as a result of alerts generated
• The review process and frequency for configuration of any automated actions or changes to automated actions
3. Obtain documentation on the population of event sources and types managed by the SIEM. Through observation and judgmental sampling, determine whether alerting capabilities function as intended and inform the appropriate personnel.
4. Obtain and inspect completed maintenance reports or communications illustrating the enterprise's attempts to keep the SIEM in an optimal state.
Standards Ref.: CIS V8 17.2, 17.3, 17.4, 17.5, 17.6; COBIT APO13

Process Sub-area: Centralized & Secured Storage of Security Events
Control Objectives: The enterprise maintains integrity over security events by utilizing a secure incident handling application.
Controls: Enterprise security incidents are maintained within the application (as defined by the enterprise) and are retained for the period of time determined by the enterprise.
Note: It is not uncommon for certain phases of a security incident to be handled in different applications or network directories. For example, the security incident may be initially documented, investigated and eradicated in the enterprise's help desk ticketing system (e.g., ServiceNow, Remedy, etc.) and then investigated for the root cause using less formal means outside of that system (e.g., via meetings, Word documents and reports stored in secured network directories). This may be done to keep the details of a security breach suppressed for security purposes or until necessary details of the incident are known.
Testing Steps:
1. Interview responsible and/or accountable individuals (security operations, site reliability engineers, cloud security engineers, executive management, legal) to determine the applications or mechanisms employed by the enterprise to document the investigations, resolutions and lessons-learned activities resulting from security events.
2. Inquire about:
• Reported events or network alerts that should drive the creation of security incidents in the enterprise-designated application
• Individuals with read and modify access to security incident information and how the appropriateness of access is determined
• Level of required detail recorded for security events (enterprises may use obscure code words to internally communicate that security events have occurred, or are occurring, and may require that minimal details be recorded in security incident tickets)
• Retention requirements for security incidents and how the deletion of records occurs or is triggered
• Personnel access to security incidents and how routinely access is reviewed to ensure that it remains appropriate
3. Obtain and inspect management review of access listings to security incident applications or other network sources and inquire with management on the appropriateness of the access, if necessary.
4. Document the population of security events and incidents that have occurred in the period under review.
5. Through judgmental sampling, obtain and review security incident tickets to determine whether:
• Security incidents were appropriately generated or opened for security events reported
• Appropriate detail is contained in the security incidents as required by the enterprise (e.g., title, reporter, date, status, etc.)
• Retention and deletion of security incidents and reporting is occurring as required by the enterprise
Standards Ref.: CIS V8 17.4; COBIT APO13

Process Sub-area: Communicating with External Entities
Control Objectives: To ensure that the enterprise is aware of security events of interest, the enterprise collaborates with external business partners (law enforcement, vendors, etc.).
Controls: The enterprise has appropriate contact information for external entities and business partners. On a periodic basis, the enterprise reviews and communicates necessary contact information modifications to external business partners and reviews external security events for their applicability to organizational response procedures and security controls.
Note: External entities should know who to contact if it is discovered that a security breach is, or may be, affecting the enterprise.
Testing Steps:
1. Interview responsible and/or accountable individuals (security operations, site reliability engineers, cloud security engineers, executive management, legal, finance) to determine which external parties the enterprise provides security contact information to, along with alternative enterprise contacts, how the information is provided to external parties and how often contact information is updated and shared.
2. Obtain and inspect crisis communication plans and security documentation or update communications sent to required external contacts to determine if valid information is available for security event reporting purposes.
From the GCP Management Console, for each in-scope Organization/Project, in the GCP Navigation menu:
• Click on the "IAM & Admin" product.
• Click "Essential Contacts."
• Inspect the contacts defined to receive critical notifications.
3. Determine how external security events are periodically evaluated and lessons learned are incorporated into enterprise security measures and playbooks.
Standards Ref.: CIS V8 17.2, 17.3, 17.4, 17.5, 17.6; COBIT APO13, DSS01

Process Sub-area: Creating Roles to Manage GCP Support of Incidents
Control Objectives: The enterprise ensures that there is a role-specific plan of action in the event of a security event.
Controls: The enterprise creates appropriate access roles for external GCP support personnel assisting with security incidents. The enterprise has created or uses predefined GCP support roles and managed policies that limit external support personnel's access to GCP applications.
Testing Steps:
1. Interview responsible and/or accountable individuals (operations management, security) to determine the number of IAM roles, permissions or groups that provide external support personnel access to the environment, as well as the access permissions granted to each role.
2. Inquire about:
• The frequency of review for support roles, applicability and related permissions (e.g., Private Log Viewer, Access Approvals Approver)
• Users in the enterprise that can create, modify or assign GCP support roles
• The level of monitoring in place that detects and informs the enterprise (e.g., Google Access Transparency, Google Access Approval, Google Cloud Logging) when GCP support roles are used, created or modified
3. Evaluate evidence of appropriate approvals and review for the use, creation and modification of support roles.
Standards Ref.: CIS V8 17.1, 17.2, 17.5; COBIT APO13, DSS02

Business Continuity and Resiliency
Process Sub-area: Business Continuity Plans (BCPs)
Control Objectives: Business operations can continue in the event of significant business disruption or can recover from a disaster.
Controls: The enterprise performs a business impact analysis and documents business continuity procedures and processes for individual business units to execute during disaster recovery. This includes GCP assets and procedures based on the cloud service provider shared responsibility model. On a periodic basis, the enterprise performs a new impact analysis and reviews and updates the continuity plan based on current enterprise architecture and business functions.
Note: Business units may have special procedures that need to be executed during or following IT service restoration and require specific sequencing. The actions and sequence of actions, as well as the responsibility between the cloud service provider and enterprise, should be clearly documented. Understanding of the continuity plans for the cloud service provider (Google) should be considered and factored into the enterprise's continuity and resiliency plans.
Testing Steps:
1. Interview responsible and/or accountable individuals (operational management, architecture, finance, executive officers) to determine the:
• Business impact analysis performed and the business-critical functions within GCP and related resources required to maintain operations to meet business mission and objectives
• Operational and functional dependencies that may exist before or during certain stages of disaster recovery exercises
• Enterprise preparation for potential unplanned events
• Affected business processes within GCP and related resources that the enterprise may need to address through documented recovery instructions
• Assessment, review and incorporation of the GCP continuity plans and the right of the enterprise to audit those plans
2. Inquire about personnel responsible for developing and maintaining individual business continuity plans regarding the frequency of:
• Reviews and updates of the business impact analysis and business continuity plans
• Business continuity/disaster recovery exercises
3. Obtain documentation on the population of business continuity plans by business unit or department with special attention to any missing business units or departments.
4. Using a judgmental selection of business plans from this population, review the sample for:
• Complete and accurate descriptions of business-critical processes that require validation during or after a disaster
• The detailed minimum level of recovery for individual processes or larger combined processes (for example, email capability is required, but fax capability is not required)
• Detailed business process workarounds if primary methods remain unavailable
• Evidence of documented continuity practice exercises
• Evidence of documented periodic reperformance of business impact analysis and reviews and updates for business continuity plans based on enterprise requirements
Standards Ref.: CIS V8; COBIT APO13, DSS04

Process Sub-area: Disaster Recovery Plans: Stakeholder Input & Review
Control Objectives: The enterprise mitigates the risk of being unable to resume operations within GCP and related resources when a disaster occurs.
Controls: The enterprise has a GCP disaster recovery (DR) plan that it reviews on a periodic basis for completeness and accuracy. Periodically, enterprise management also participates in disaster recovery exercises and provides feedback to the organizational stakeholders and responsible contacts for business continuity operations.
Note: DR is IT-operations focused, compared to business continuity, which is business-operations focused. Each may negatively affect the other, but the impact of disaster recovery on business operations is typically more severe. DR plans should take a complete and accurate account of the potential impact of a disaster, cloud shared responsibility agreements and the needs of the business operations affected by a disaster as they recover. Actions documented and executed from the DR plan should seek to assist the business and its individual units in becoming acceptably functional in the least amount of time at minimal cost.
Testing Steps:
1. Interview responsible and/or accountable individuals (operational management, architecture, technology officers) to determine the level of required or actual participation of individual business units (sales, finance, AR, etc.) in the development and maintenance of the enterprise's disaster recovery activities based on business functions operating within or integrated into GCP. Determine the:
• Business impact analysis performed and critical functions within or integrated into GCP and related resources required to maintain operations to meet business mission and objectives
• IT operational and functional dependencies that may exist before or during certain stages of business continuity exercises
• Enterprise preparation for critical IT events and technology outages
• Restoration of GCP services and related resources that the enterprise may need to address through documented recovery instructions
• Frequency of reviews for the business impact analysis, DR plans and accuracy of IT infrastructure and systems covered by the plan
2. Obtain and inspect business impact analysis documents, disaster recovery plans, meeting minutes and/or recovery exercise summary reports to determine whether enterprise stakeholders are assisting the enterprise in creating effective disaster recovery plans. Evidence of stakeholder involvement may include:
• Timestamped signoffs on disaster recovery plans, procedures or related documentation
• Documented meeting minutes and calendar invites
• Documented input from stakeholders that is later transcribed by the business continuity department into DR exercise reports
3. Obtain evidence of documented periodic reperformance of business impact analysis and reviews and updates for disaster recovery plans based on enterprise requirements and learnings from recovery exercises.
Standards Ref.: CIS V8 11.1, 11.5; COBIT DSS04

Process Sub-area: High Availability
Control Objectives: The enterprise mitigates the risk of disruption to operations when a disaster occurs.
Controls: The enterprise deploys critical GCP applications to multiple data centers in different geographic regions that are physically secured by Google.
Note: Google provides services across multiple regions (large geographical areas such as a state or province) and availability zones (Google-controlled data centers within the region). Enterprises can choose to deploy, duplicate or backup certain assets to specific regions and availability zones for DR and availability purposes. For example, GCP Cloud Storage instances may be operational and deployed to "Region A" and certain data centers and, for high availability, also deployed to "Region B" as required by the enterprise. This test seeks to determine whether critical assets are defined according to enterprise requirements for availability and in the regions and zones where they should be in order to remain available during a disaster. In many cases, high availability (HA) can be configured at the enablement or deployment time of the GCP service, application or resource.
Testing Steps:
1. Interview responsible and/or accountable individuals (architecture, networking, cloud engineering, site reliability engineers, operations management) to determine how the enterprise ensures or mitigates availability issues for its critical GCP services, applications and related resources during a disaster. Ensure that:
• High availability (HA) or failover requirements and procedures have been defined and these requirements are applied manually or through automation
• HA architecture for services, applications and data is not defined in a way that may introduce regulatory concerns (e.g., storing data across regions, countries or territories)
• Regulatory and legal requirements are factored into the deployment architecture for GCP services, applications and data
• Methods are used to detect and correct events related to the conditions above (or other undesirable states defined by the enterprise)
2. Obtain documentation on the population of critical GCP services, applications, resources and related assets. Through judgmental selection from this population, determine whether critical assets are completely and accurately fault-tolerant and/or provide high availability through deployment to agreed-upon alternate locations (regions and availability zones or other data centers).
From the GCP Management Console:
• Select the "IAM & Admin" product and navigate to the Cloud Asset Inventory.
• Within the "Overview," identify zonal and regional resources. Alternatively, you can select individual assets to obtain regional and zone deployment information.
3. Determine if resources are deployed appropriately through the inspection of individual resources in multiple regions.
Standards Ref.: CIS V8 11.1, 11.5; COBIT BAI09, DSS04

Process Sub-area: Alternating Responsible Personnel
Control Objectives: Disaster recovery responsibilities are shared and rotated routinely to maximize the availability potential of the enterprise's GCP service applications.
Controls: Disaster recovery coordinators and core staff are cross-trained on their responsibilities and rotated on a periodic basis. Runbooks for critical processes and procedures are documented.
Note: To ensure that appropriate knowledge and expertise are available when disaster strikes, multiple personnel should possess similar knowledge (possibly across multiple or very specific areas) sufficient to recover the enterprise's GCP services, applications and business processes. This may include two individuals with the same responsibilities or a group of three or more. These personnel should alternate between recovery exercises to ensure they adequately understand and can execute their responsibilities when needed.
Testing Steps:
1. Interview responsible and/or accountable individuals (architecture, networking, cloud engineering, site reliability engineers, operations management, cloud security) to determine the personnel, business units or departments that require alternate knowledge of business recovery processes and requirements and the frequency of updating runbooks.
2. Obtain and inspect completed training and/or evidence showing responsible individuals assigned recovery responsibilities as dictated by the enterprise.
3. Obtain and inspect runbooks covering recovery processes to confirm they are accurate and complete.
4. Determine if the runbook has been updated according to the frequency required by the enterprise.
5. Determine if runbooks are accessible to all personnel, alternate staff members, and business units with responsibilities for critical business processes.
Standards Ref.: CIS V8 11.1; COBIT APO07, DSS04

Process Sub-area: Validating Backups
Control Objectives: The enterprise's strategic objectives around data availability and integrity are met through formal data protection and restoration planning.
Controls: The enterprise ensures critical data integrity and continued availability through backups of enterprise operational data and routinely scheduled test restorations of data (as part of the enterprise's periodic disaster recovery exercises).
Note: The tests may center on critical data generated in GCP applications that are stored in third-party applications, vendor data centers or inside the enterprise's data center. Risk associated with backup-restoration failure can be tremendous and may require additional resources to deploy backup solutions.
Testing Steps:
1. Interview responsible and/or accountable individuals (architecture, networking, cloud engineering, site reliability engineers, operations management, cloud security) to determine if routine testing and the restoration of data backups occur as part of disaster recovery efforts to ensure backups will restore necessary data if needed.
2. Inquire about in-scope systems or data and how the completeness and accuracy of backup restoration is measured and documented.
3. Obtain and inspect disaster recovery exercise reports to determine if in-scope systems and data were accurately restored and available as required.
4. Obtain and inspect backup solution reports indicating successful restoration for in-scope systems and data.
5. Evaluate if restored data follows the appropriate data handling procedures and is removed after restoration testing is complete.
Standards Ref.: CIS V8 11.1, 11.2; COBIT DSS04

Process Sub-area: Hybrid Connectivity Between the Enterprise and GCP
Control Objectives: The enterprise maintains availability for GCP resources that depend on enterprise-managed IT systems.
Controls: Connectivity between the enterprise and GCP is fault tolerant through the use of highly available and secure connections.
Note: This control is important for enterprises that federate identities and access in GCP using local Active Directory groups or other identity stores that do not exist within GCP. As part of DR testing, continuous, secure and highly available connectivity between the enterprise and GCP to facilitate these functions is required.
Testing Steps:
1. Interview responsible and/or accountable individuals to determine whether GCP services, applications and related resources rely on IT assets (e.g., servers, databases, identity stores, etc.) that are physically located on the enterprise's premises and whether these resources are required for the proper functioning of GCP resources.
2. Inquire about the process and procedure to ensure the continuity, resiliency, availability and accessibility of enterprise resources required to support business-critical GCP applications and resources.
3. Inquire about the use of Google Cloud Identity with AD Federation Services and confirm, if this is in use, that restoration procedures are documented.
4. Inquire about the use of multifactor authentication (MFA) for any account with privileges to access the cloud environment and any "break-glass" accounts that may be used to restore business operations.
5. Inquire about the availability, location and continuity of audit logging.
6. Inquire about the use of VPN, Partner Interconnect or Dedicated Interconnect for dedicated connectivity between GCP and the enterprise on-premise environment.
7. Determine if the testing of hybrid connectivity has been completed as part of disaster recovery exercises. Obtain and inspect disaster recovery exercise reports to determine if secure, hybrid connectivity was accurately restored and available as required.
Standards Ref.: COBIT DSS04

Process Sub-area: Managing Vendor Lock-in Risk
Control Objectives: The enterprise ensures continuity of operations by maintaining assets that are transferable to additional cloud providers.
Controls: GCP applications and APIs are developed or configured to be cross-compatible with multiple cloud platforms.
Note: Cloud providers may engage in unacceptable practices or go out of business for various reasons (financial, breach, noncompetitive, etc.), leaving the enterprise with insufficient time to transfer or rebuild operations on another platform. Agile enterprises must ensure that they build and deploy cloud applications to transfer easily to another provider, if necessary.
Testing Steps:
1. Interview responsible and/or accountable individuals (business continuity, application development, infrastructure) to determine whether the GCP applications and related resources the enterprise develops are completely and directly transferable to another cloud or noncloud provider (e.g., Azure, Oracle, Citrix, etc.) and whether the enterprise spends time and effort ensuring that the alternate provider's platform provides a seamless business operational experience for enterprise users (internal or external).
2. Inquire about:
• The business impact analysis and minimum level of business application functionality and data that must be operational and available for the enterprise to continue providing its services, as well as which GCP services, applications and related resources (APIs, data in GCP applications, etc.) those business functions relate to
• The degree of business functionality that exists and is operational on the alternate provider's platform
3. Obtain and inspect disaster recovery reports and backups indicating that the enterprise routinely performs failover tests, migrations or other functionality tests for critical GCP applications and related resources.
4. Obtain and inspect vendor contracts demonstrating that cloud service agreements and cloud service configurations allow for the use of an alternate cloud provider for a similar service offering (i.e., similar types and volumes of services are expected).
Standards Ref.: COBIT DSS04

Security Logging and Monitoring
Process Sub-area: Defining Monitoring Requirements
Control Objectives: Through its formal security monitoring program, the enterprise mitigates the risk that access to its data and systems is denied due to malicious acts or that unauthorized activity goes undetected.
Controls: The enterprise defines minimum monitoring requirements for GCP services, applications and related resources (including computers, containers and storage) used in support of business operations. Monitoring requirements are formally documented and reviewed on a frequency predetermined by the enterprise for completeness and accuracy.
Note: Monitoring may include specific event types, processes or API calls and extend to detailed attributes, such as the source and destination of activity (IP address), account performing the activity, timestamp details, etc.
Testing Steps:
1. Interview responsible and/or accountable individuals (cloud security, operations management) to determine whether a minimum set of monitoring and logging requirements has been established for GCP services, applications and related resources in use. Confirm that the monitoring and logging requirements are both formally documented and reassessed routinely for completeness and accuracy.
2. Inquire about:
• In-scope GCP services, applications and related resources
• Individuals responsible for the methods used to identify new services, applications or related/integrated assets for which monitoring should be enabled
• The destination where logs will be stored
• The logs to be explicitly enabled or disabled
• Any standards or frameworks used by the enterprise to derive monitoring baselines and the frequency of review of established monitoring requirements against standards and frameworks used
3. Obtain documentation of the population of in-scope GCP services, applications and related/integrated assets. Through judgmental sampling, obtain and inspect enterprise documentation that details monitoring requirements for each asset.
4. Assess that the documentation has been reviewed according to the frequency established.
Standards Ref.: CIS V8 8.1; COBIT APO13

Process Sub-area: Defining Monitoring Requirements (continued)
Controls: The enterprise programmatically enforces minimum monitoring requirements through policies, automation or configurations. GCP services, applications and related resources are configured to generate and retain monitored events required by the enterprise. Retained events may be aggregated into a centralized monitoring tool.
Testing Steps:
1. Interview responsible and/or accountable individuals (cloud security, operations management) to determine how the enterprise's monitoring standards are enforced for each in-scope asset.
2. Determine:
• How the enterprise ensures logs are enabled and, if aggregated into a centralized monitoring tool, there is no disruption in the writing and retention of logs
• How the enterprise detects a lack of compliance with monitoring standards as services, applications and assets change or are added
• Timeliness of remediation upon discovery of noncompliance
3. Using the defined requirements gathered in the previous step, select a judgmental sample of assets and determine whether the documented monitoring standards are enforced in each application.
• Review Audit Log settings under the "IAM & Admin" product in the GCP Management Console. Review the default configuration settings as well as specific settings. These may need to be reviewed at the Google organization or project level and for specific folders to validate any inheritance that has been set for logging.
Standards Ref.: CIS V8 8.1; COBIT APO13
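The inheritance check in the last bullet can be automated rather than clicked through: the following Python script is an added example, not part of the ISACA audit program, that merges the Data Access audit-log configuration (`auditConfigs`) from the IAM policies exported at organization, folder and project level and reports where the effective configuration falls short of an enterprise baseline. The sample policies, the baseline and the service names are constructed; the merge rule used (union of enabled log types and of exempted principals across ancestors) is stated as an assumption to verify against Google's current documentation.

```python
"""Compute the effective GCP Data Access audit-log configuration for a project
from the IAM policies at organization, folder and project level, then compare
it against an enterprise logging baseline.

Input shape is the `auditConfigs` element of the JSON printed by
`gcloud organizations get-iam-policy`, `gcloud resource-manager folders
get-iam-policy` and `gcloud projects get-iam-policy` with --format=json.

Assumption (verify against Google's current documentation): the effective
configuration is the union of enabled log types and the union of exempted
principals across all ancestors, and an "allServices" entry applies to every
service in addition to any service-specific entry.
"""
import json

LOG_TYPES = ("ADMIN_READ", "DATA_READ", "DATA_WRITE")


def merge_audit_configs(policies):
    """Union the auditConfigs of several IAM policies (org -> folder -> project).

    Returns {service: {log_type: set(exempted_members)}}.
    """
    effective = {}
    for policy in policies:
        for cfg in policy.get("auditConfigs", []):
            per_service = effective.setdefault(cfg["service"], {})
            for log_cfg in cfg.get("auditLogConfigs", []):
                exempt = per_service.setdefault(log_cfg["logType"], set())
                exempt.update(log_cfg.get("exemptedMembers", []))
    return effective


def effective_for_service(effective, service):
    """Apply the "allServices" entry first, then the service-specific entry."""
    result = {lt: set(ex) for lt, ex in effective.get("allServices", {}).items()}
    for lt, ex in effective.get(service, {}).items():
        result.setdefault(lt, set()).update(ex)
    return result


def evaluate(effective, baseline):
    """baseline: {service: [required log types]}.

    Returns a list of findings; an empty list means the effective
    configuration meets the baseline. An exempted principal is reported
    because its reads/writes would never reach the SIEM.
    """
    findings = []
    for service, required in baseline.items():
        eff = effective_for_service(effective, service)
        for log_type in required:
            if log_type not in eff:
                findings.append(f"{service}: {log_type} is not enabled")
            elif eff[log_type]:
                findings.append(f"{service}: {log_type} is enabled but exempts "
                                f"{sorted(eff[log_type])}")
    return findings


def audit_hierarchy(policy_json_by_level, baseline):
    """policy_json_by_level: raw JSON strings in org -> folder -> project order."""
    policies = [json.loads(text) for text in policy_json_by_level]
    return evaluate(merge_audit_configs(policies), baseline)


# Constructed sample policies (not real gcloud output); only auditConfigs matter.
ORG_POLICY = json.dumps({"auditConfigs": [
    {"service": "allServices",
     "auditLogConfigs": [{"logType": "ADMIN_READ"}]}]})
FOLDER_POLICY = json.dumps({"auditConfigs": [
    {"service": "storage.googleapis.com",
     "auditLogConfigs": [{"logType": "DATA_READ",
                          "exemptedMembers": ["user:analyst@example.com"]}]}]})
PROJECT_POLICY = json.dumps({"auditConfigs": [
    {"service": "storage.googleapis.com",
     "auditLogConfigs": [{"logType": "DATA_WRITE"}]}]})

# Hypothetical enterprise baseline: Data Access log types each service must emit.
BASELINE = {
    "storage.googleapis.com": list(LOG_TYPES),
    "bigquery.googleapis.com": ["ADMIN_READ", "DATA_READ"],
}

if __name__ == "__main__":
    for line in audit_hierarchy([ORG_POLICY, FOLDER_POLICY, PROJECT_POLICY], BASELINE):
        print("FINDING:", line)
```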

Process Sub-area: Log Storage
Control Objectives: The enterprise ensures that its log retention practices meet operational business needs as well as regulatory and compliance requirements for availability.
Controls: The enterprise retains logs generated by GCP services, applications and related resources in a secure, centralized location using GCP log buckets, Google Chronicle or another SIEM tool.
Testing Steps:
1. Interview responsible and/or accountable individuals (cloud security, operations management) to determine how log aggregation, retention and access security are managed, giving specific attention to the application destinations of generated monitoring logs.
2. Inquire whether:
• Data classification is performed on logs stored in each log storage solution and access controls are set based on classification
• Data retention policies are enforced by classification for each log storage solution
• Short-term logging requirements and long-term storage requirements are identified and configured
• Access to logging and log storage solutions is routinely reviewed for appropriateness using role-based access controls where possible
3. Using previously obtained documentation, obtain and inspect individual in-scope GCP asset configurations to determine whether they are configured to send logs to the appropriate log storage solution.
4. If an automation solution is used to transfer logs, inspect the solution for appropriate and authorized access and configuration/change management controls.
5. Inspect data retention settings and sample retained data timestamps to determine whether a complete and accurate data transfer between short- to long-term storage is performed.
Standards Ref.: CIS V8 8.2, 8.10; COBIT APO13
Log Storage

The enterprise establishes minimum requirements for retaining log data (for both 1. Interview responsible and/or accountable individuals (cloud security, operations management, legal, privacy) to CIS V8 8.1, 8.3, 8.10
hold/cold storage, and short- and long-term storage) based on defined requirements. determine whether requirements exist that specify periods of log retention prior to logs being purged from the COBIT APO13
Periodic reviews confirm the alignment of current practices with the enterprise's environment and the frequency of periodic reviews for requirements.
defined log data retention requirements. 2. Determine whether logs are retained in accordance with enterprise requirements by reviewing life cycle configuration
policies for logging repositories and observing system logging.
Note: Required retention periods may be based on regulations and/or determined on 3. Evaluate if sufficient logging capacity is provisioned and storage is available to meet requirements and alerting and
an asset-by-asset basis, depending on log data classification or requirements by response procedures if capacity is reaching thresholds.
geography. Logs should be retained for a period that will allow them to be useful in the 4. Obtain evidence of periodic reviews of logging retention requirements.
event of business continuity/disaster recovery activities, security incidents or
investigations.

The enterprise maintains log Access to GCP logs is based on job responsibilities and least privilege. Accounts with 1. Interview responsible and/or accountable individuals (cloud security, operations management, site reliability engineer) to CIS V8 8.1
confidentiality and integrity by access, including nonhuman identities, are reviewed by management on a periodic determine how access to logs generated by GCP assets is controlled and identify the accounts that should have access, COBIT APO07,
limiting access to a valid business basis. (based on business need). APO13
Restricting Log Access

need. 2. Inquire about reviews of access for appropriateness and the methods used to identify and remove inappropriate access
and ensure administrators do not have the ability to make edits or modify logs of their own activities.
3. Obtain and inspect access lists and inquire with management to determine the appropriateness of access.
4. Obtain and inspect completed access reviews to determine that inappropriate access (once identified) is removed in a
timely manner.
5. Inquire if the enterprise leverages a data loss prevention (DLP) solution for monitoring data extraction, downloads or
exfiltration and determine if the enterprise assesses any unauthorized access of logs by accounts identified as having
inappropriate access.

The enterprise maintains log integrity Change management processes are documented and followed for changes to logs, 1. Interview responsible and/or accountable individuals (cloud security, operations management) to determine whether the CIS V8 8.1, 8.10,
through monitoring and investigating data sources or configurations. Alerts are configured (through policies, the Google enterprise has mechanisms in place that notify personnel and initiate timely investigations if alerts are triggered by 8.11
attempts to modify log data and data Security Command Center or threat detection tools) to notify the appropriate groups attempts to modify logs, log configurations, alert statuses or related security settings. COBIT APO13, BAI06
retention sources. or individual(s) when successful or failed attempts to alter log data occur. 2. Inquire about change management procedures and approvals for the modifications of logs and log data sources and
periodic review frequency.
Note: Malicious users may attempt to cover their tracks during or after an attack by 3. Inquire whether multifactor authentication and privileged access functions to delete or modify log data require special
Monitoring Log Status

altering the bucket or storage policies or configuration settings, deleting logs, privileged access and secondary approval.
overwriting logs, modifying alert recipients or changing alert status (on/off) and other 4. Observe whether live attempts to alter log data generate timely alerts for the responsible departments or individuals.
log settings. 5. Obtain and inspect alert configurations, noting:
• Events and thresholds trigger the alert (success and failure).
• Recipients of the alert are the intended departments or individuals.
• Procedures for responding to alerts are followed.
5. Obtain evidence that change management procedures have been applied with logs and data sources have been modified.
6. Obtain evidence of the periodic review of approval processes and procedures and authorized approvers.
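The Log Storage testing steps ask the auditor to inspect data retention settings, and the Monitoring Log Status note warns that an attacker may shorten or alter bucket policies. The following script is an added example, not part of the ISACA audit program, of how to turn the retention settings into evidence: it reads the JSON that `gcloud logging buckets list --project PROJECT --format=json` emits and flags buckets whose retention is below the enterprise minimum or that hold long-term data without being locked (a locked Cloud Logging bucket's retention cannot be shortened afterwards). The bucket records below are constructed for this illustration, and the 90-day minimum and the name of the long-term bucket are assumed policy values.

```python
"""Check Cloud Logging bucket retention against an enterprise retention policy.

Added example (not part of the ISACA audit program). Parses the JSON emitted by
`gcloud logging buckets list --project PROJECT --format=json`. The records below are
constructed; the 90-day requirement and the long-term bucket name are assumptions.
"""
import json

# Constructed sample in the shape of the LogBucket resource (name, retentionDays, locked).
SAMPLE_BUCKETS_JSON = json.dumps([
    {"name": "projects/example-prj/locations/global/buckets/_Default",
     "retentionDays": 30, "locked": False, "lifecycleState": "ACTIVE"},
    {"name": "projects/example-prj/locations/global/buckets/_Required",
     "retentionDays": 400, "locked": True, "lifecycleState": "ACTIVE"},
    {"name": "projects/example-prj/locations/us/buckets/security-archive",
     "retentionDays": 365, "locked": False, "lifecycleState": "ACTIVE"},
])


def check_retention(buckets_json, min_days, long_term_buckets=()):
    """Return a list of (bucket_name, finding) tuples for policy violations.

    min_days          -- minimum retentionDays required for every bucket (assumption: a
                         single value; real policies may vary by data classification).
    long_term_buckets -- short bucket IDs that serve as long-term storage and therefore
                         must be locked so retention cannot be reduced by an administrator.
    """
    findings = []
    for bucket in json.loads(buckets_json):
        name = bucket["name"]
        bucket_id = name.rsplit("/", 1)[-1]
        days = int(bucket.get("retentionDays", 30))  # Cloud Logging default when unset
        if days < min_days:
            findings.append((name, f"retention {days}d is below the required {min_days}d"))
        if bucket_id in long_term_buckets and not bucket.get("locked", False):
            findings.append((name, "long-term bucket is not locked; retention can be reduced"))
    return findings


if __name__ == "__main__":
    for name, finding in check_retention(SAMPLE_BUCKETS_JSON, 90, ("security-archive",)):
        print(f"{name}: {finding}")
```

Run against the constructed sample, the script reports the `_Default` bucket (30 days against a 90-day requirement) and the unlocked `security-archive` bucket; the findings list doubles as the workpaper entry for testing step 5.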

Sub-area: Monitoring Log Status
Control Objective: The enterprise identifies and addresses logging failure events in a timely manner.
Note: Logging failure covers a variety of events, from running out of available storage to failure of automation processes to the intentional or accidental disabling/modification of configurations. These scenarios and others should be investigated.
Controls: Alerts are configured to notify the appropriate group or individual(s) when logging functionality is compromised.
Testing Steps:
1. Interview responsible and/or accountable individuals (cloud security, operations management, site reliability engineer) to determine the mechanism used by the enterprise to detect logging failures and the individuals who are informed of logging failures. Inquire about the process and procedure to be followed during logging failures and anomalies, including response time and actions to be taken.
2. Observe the generation and receipt of messages for instances where logging is disabled (or configuration modifications have disabled logging).
3. Obtain and inspect event monitoring and alert configurations to determine whether alerts will be sent to the appropriate personnel following logging failures.
4. Obtain and inspect automation processes related to the collection, transfer or storage of logging, and determine the frequency and mechanism used to periodically test that the automation is working as intended. Ensure that monitoring logs are retained in accordance with organizational requirements.
5. Evaluate evidence that monitoring reports are generated and reviewed on a periodic basis to identify anomalies, and review whether the documented process to research and escalate anomalies has been followed.
Standards Ref.: CIS V8 8.1; COBIT APO13

Sub-area: Reviewing Logs for Events of Interest
Control Objective: The enterprise routinely assesses logs for anomalies and suspicious events through formalized reviews.
Controls: The group or individual(s) identified by the enterprise review logs on a periodic basis for abnormal events and security threat detection. Log reviews may further identify logging improvements needed for enhanced enterprise protection and detection of potential threats.
Testing Steps:
1. Interview responsible and/or accountable individuals (cloud security, operations management) to determine whether procedures are in place (or automated mechanisms exist) to review logs generated by GCP assets.
2. Determine the algorithms, queries or procedures used to identify anomalies and how suspicious events are investigated, documented, communicated and remediated within the enterprise.
3. Obtain and inspect completed log reviews for evidence that they occur as required by the enterprise and do not affect the original logs or invalidate their admissibility for legal, regulatory or contractual purposes.
4. Document the population of identified suspicious events and/or anomalies. Through judgmental sampling, determine whether identified suspicious events and/or anomalies have been properly investigated, documented, communicated and remediated as necessary.
Standards Ref.: CIS V8 8.11; COBIT APO13

Sub-area: Assessing Adequate Logging Coverage
Control Objective: The enterprise routinely assesses the completeness and accuracy of logging as the enterprise environment changes and as new features or attributes are enabled for GCP services, applications and related resources.
Controls: Periodically, the enterprise reviews logging and monitoring capabilities to determine whether additional logging is required, whether appropriate logging settings are enabled or whether any monitoring should be disabled.
Note: In GCP, there is typically a cost associated with configuring some monitoring and logging solutions that the enterprise may use for its services; however, a level of admin logging is enabled by default. The enterprise should consider its monitoring needs as it onboards additional assets or resources into GCP, as it retires them and as the cloud provider deploys new features for existing services.
Testing Steps:
1. Interview responsible and/or accountable individuals (cloud security, operations management) to determine the enterprise's approach to periodically assessing and validating its logging and monitoring capabilities.
2. Inquire about:
• The frequency of logging and monitoring reviews, including monitoring and logging tools, automation and configuration settings and the capacity and capabilities of logging tooling
• Documentation and communication of logging and monitoring reviews
• How decisions are made to add or remove logging or monitoring and by whom
• Timeliness of making adjustments to logging or monitoring (additions or removals)
• Process and procedures for confirming and periodically reviewing proper security log configuration
3. Obtain and inspect completed logging and monitoring reviews to determine whether they are occurring as required by the enterprise.
4. Obtain documentation of the population of logging and monitoring changes for the period under review. Through judgmental sampling, obtain and inspect documented changes to determine whether proper authorization of logging and monitoring changes was provided prior to executing the changes.
5. Evaluate whether a periodic review has been performed on the configuration of security logs and whether actions were taken to address any abnormalities.
Standards Ref.: CIS V8 8.1, 8.11; COBIT APO13

Sub-area: Assessing Adequate Logging Coverage
Control Objective: The enterprise routinely assesses the completeness and accuracy of network logging and monitoring.
Controls: The enterprise defines and periodically assesses the adequacy of network logging and monitoring requirements for virtual networking services (like Google Cloud VPC).
Note: The enterprise may use Google Cloud Logging and VPC flow logs or an external solution to aggregate and correlate network activity.
Testing Steps:
1. Interview responsible and/or accountable individuals (cloud security, operations management) to determine the enterprise's approach to periodically assessing and validating its VPC logging and monitoring capabilities.
2. Inquire about:
• The tools, processes and frequency of logging and monitoring reviews for network services (including any automated activity or automation tools in use)
• Documentation and communication of firewall rules and VPC flow activity logging and monitoring reviews
• How decisions are made to add or remove logging or monitoring and by whom
• How decisions are made to enable and disable packet mirroring
• Proactive monitoring of network traffic for anomalies and actions taken for suspicious activity
• Timeliness of making adjustments to logging or monitoring of network activity (additions or removals)
3. Obtain and inspect completed network logging and monitoring reviews to determine whether they are occurring as required by the enterprise.
4. Obtain documentation of the population of network logging and monitoring changes for the period under review. Through judgmental sampling, obtain and inspect documented changes to determine whether proper authorization of changes to network activity logging and monitoring was provided prior to executing the changes.
Standards Ref.: CIS V8 8.1, 8.2, 8.5, 8.11; COBIT APO03, APO12, APO13
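The network logging row names VPC flow logs as one source the enterprise may rely on, and its testing steps ask whether logging is adequate for each network service. The script below is an added example (not from the ISACA audit program) of checking that adequacy at the subnet level: it reads the JSON produced by `gcloud compute networks subnets list --project PROJECT --format=json` and reports subnets where VPC Flow Logs are disabled, sampled below a required rate or configured without full metadata. The subnet records are constructed, and the 0.5 sampling floor and the metadata requirement are assumed enterprise settings.

```python
"""Audit VPC Flow Logs settings on subnets.

Added example (not from the ISACA audit program). Reads the JSON produced by
`gcloud compute networks subnets list --project PROJECT --format=json`. The subnet
records are constructed; the sampling floor and metadata requirement are assumptions.
"""
import json

REGION_PREFIX = "https://www.googleapis.com/compute/v1/projects/example-prj/regions/"

# Constructed sample following the Subnetwork resource shape: logConfig carries the
# flow-log settings; enableFlowLogs is the older top-level flag.
SAMPLE_SUBNETS_JSON = json.dumps([
    {"name": "prod-web", "region": REGION_PREFIX + "us-central1", "ipCidrRange": "10.10.0.0/24",
     "logConfig": {"enable": True, "aggregationInterval": "INTERVAL_5_SEC",
                   "flowSampling": 0.5, "metadata": "INCLUDE_ALL_METADATA"}},
    {"name": "prod-db", "region": REGION_PREFIX + "us-central1", "ipCidrRange": "10.10.1.0/24",
     "enableFlowLogs": False},
    {"name": "dev-sandbox", "region": REGION_PREFIX + "europe-west1", "ipCidrRange": "10.20.0.0/24",
     "logConfig": {"enable": True, "aggregationInterval": "INTERVAL_15_MIN",
                   "flowSampling": 0.05, "metadata": "EXCLUDE_ALL_METADATA"}},
])


def audit_flow_logs(subnets_json, min_sampling=0.5, required_metadata="INCLUDE_ALL_METADATA"):
    """Return {subnet_name: [findings]} for subnets that do not meet the assumed requirement."""
    results = {}
    for subnet in json.loads(subnets_json):
        cfg = subnet.get("logConfig", {})
        # A subnet with no logConfig has flow logs off unless the legacy flag is set.
        enabled = bool(cfg.get("enable", subnet.get("enableFlowLogs", False)))
        problems = []
        if not enabled:
            problems.append("flow logs disabled")
        else:
            sampling = float(cfg.get("flowSampling", 0.5))            # API default 0.5
            metadata = cfg.get("metadata", "INCLUDE_ALL_METADATA")      # API default
            if sampling < min_sampling:
                problems.append(f"sampling rate {sampling} is below the required {min_sampling}")
            if metadata != required_metadata:
                problems.append(f"metadata setting {metadata} differs from {required_metadata}")
        if problems:
            results[subnet["name"]] = problems
    return results


if __name__ == "__main__":
    for name, problems in audit_flow_logs(SAMPLE_SUBNETS_JSON).items():
        print(name, "->", "; ".join(problems))
```

The per-subnet findings give the auditor the population of gaps to compare against the completed network logging reviews in step 3; a subnet that is out of policy but absent from those reviews indicates the review process, not just the configuration, needs attention.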

Identity and Access Management Controls
Sub-area: Securing Privileged Account Access
Control Objective: The confidentiality, integrity and availability of the enterprise within GCP are protected through accountability and security of privileged administrative accounts within GCP.
Controls: The enterprise defines an accountable owner for privileged identities within GCP. Privileged identities are secured using strong authentication controls and least privilege assignments. Policies and procedures are defined regarding the appropriate use of privileged accounts. Periodic reviews are conducted for the ownership of accounts, privileges assigned and appropriateness of usage.
Note: Privileged accounts should include those with Editor, Organization Administrator, Owner, Super Administrator, Role Administrator, Folder Admin and billing and financial administration capabilities. This is not an exhaustive list of administrative and highly privileged roles, and the enterprise should define the privileged roles in use and the business justification for that usage, including any custom permissions or policies (either to add or exclude identities) that have been defined. The assessment of privileged accounts should include service accounts and workload identities.
Testing Steps:
1. Interview responsible and/or accountable individuals (cloud security, security architecture, operations management) to determine the privileged access and privileged identities that exist in the environment.
2. Inquire about:
• Frequency of review of the accounts, logging of the accounts and actions performed
• Defined owners responsible for the security of the accounts
• Authentication methods configured for the accounts and the storage and rotation of credentials for privileged identities
• How use of the account is requested, approved and documented if usage is necessary
• How monitoring is used to track individuals who view or may attempt to access root account passwords
• Whether any custom policies or permissions have been created to include or exclude identities from generally applicable policies and processes
3. Obtain and inspect the list of identities with privileged access (this should be assessed at the organizational, project and folder levels):
• Within the "IAM & Admin" product, select "IAM" to identify a list of principal users and privileges assigned.
• Within the "IAM & Admin" product, select "Service Accounts" to identify a list of service accounts and privileges assigned.
• Within "Policy Analyzer," use the templates to run a query on privileged users and access. Compare the list of privileged permissions and roles with the default list of permissions GCP provides (https://cloud.google.com/iam/docs/understanding-roles), the stated list of roles that the enterprise has documented as in use and the list of roles enabled by going to the "IAM & Admin" product and selecting "Roles."
• Within the Google Workspace Admin Console, select "Account" and "Admin roles" to view a list of roles that exist and identities assigned to each role.
• Within the Google Workspace Admin Console, select "Account" and "Account settings" to view the primary admin defined for the account.
4. Obtain and inspect activity logs for privileged accounts and ask management about their appropriateness. Further, determine whether views or modifications of authentication credentials are logged and whether reviews of the logs have been completed within the stated frequency.
Standards Ref.: CIS V8 5.1, 5.4; COBIT APO07, APO12, APO13

Sub-area: Securing Privileged Account Access
Control Objective: The enterprise maintains integrity and control of Super Administrator accounts within Google Workspace by implementing Google multifactor authentication (MFA).
Controls: The Super Administrator role, which contains irrevocable and highly critical access, is configured to require multifactor authentication before it may be used, and usage should require a documented workflow approval. This account should be enrolled in the Google Advanced Protection Program and require the use of generated security codes for executing privileged access where other forms of strong authentication can't be applied. These settings should be reviewed on a periodic basis.
Note: Permissions with the Super Administrator role are irrevocable, and accounts with these permissions should be limited and treated as break-glass accounts.
Testing Steps:
1. Interview responsible and/or accountable individuals (cloud security, security architecture, operations management) to determine the types of access protections and approval processes applied to Super Administrator role assignment and account creation, the usage of Super Administrator accounts and the frequency with which settings and activity are reviewed. Confirm the job functions and person responsible for reviewing activity.
2. Obtain and inspect access protections applied to the Super Administrator role and accounts with the role assigned:
• From the GCP Workspace Admin Console, access the "Directory service."
• Using the list of administrative accounts obtained from the previous control testing step, select users with the Super Administrator role and verify under security settings that 2-step verification has been enabled for each user.
• Confirm that the user is enrolled in the Advanced Protection Program.
3. Obtain and review audit log details of usage for the Super Administrator accounts. Confirm the usage has been reviewed in accordance with the frequency set by the enterprise and by the appropriate personnel.
4. Using a judgmental sample, obtain documented review and approval for the usage of Super Administrator accounts.
Standards Ref.: CIS V8 5.1, 5.4; COBIT APO12, APO13

Sub-area: Securing Privileged Account Access
Control Objective: The enterprise maintains integrity and control of Super Administrator roles within Google Workspace by ensuring all account and authentication information are recoverable.
Controls: In the event of an incident or personnel change, the enterprise can recover and reset authentication information for Super Administrator accounts. The recovery settings should be reviewed and approved on a periodic basis.
Note: Permissions with the Super Administrator role are irrevocable, and accounts with these permissions should be limited and treated as break-glass accounts.
Testing Steps:
1. Interview responsible and/or accountable individuals (cloud security, security architecture, operations management) to determine the procedures and policy for managing, updating and approving recovery information added to Super Administrator accounts. Determine the frequency at which reviews are performed by appropriate personnel.
2. Obtain and inspect Super Administrator accounts to verify that recovery information has been provided. From the GCP Workspace Admin Console, access the "Directory service."
• Using the list of administrative accounts obtained from the previous control testing step, select users with the Super Administrator role.
• Confirm that the user has "Recovery Information" updated according to the enterprise policy (email and/or phone).
3. Obtain reviews for Super Administrator accounts and recovery information. Confirm the settings have been reviewed in accordance with the frequency set by the enterprise and by the appropriate personnel.
Standards Ref.: CIS V8 5.1; COBIT APO12, APO13, BAI05
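Testing steps 3 and 4 of the privileged account row ask for the list of identities holding privileged roles (service accounts and workload identities included) and for confirmation that credential views and modifications are logged; the earlier Security Logging step asked for a review of the Audit Log settings under "IAM & Admin". The script below is an added example, not ISACA's or Google's code, that produces both artifacts from the JSON returned by `gcloud projects get-iam-policy PROJECT --format=json` (the same policy document also carries the project's Data Access audit-log configuration under `auditConfigs`). The policy is constructed for this illustration; the mapping from the role names in the control's note to IAM role IDs is this example's assumption and should be replaced by the enterprise's own documented list of privileged roles.

```python
"""Review a project IAM policy for privileged bindings and Data Access audit logging.

Added example (not ISACA's or Google's code). Consumes the JSON returned by
`gcloud projects get-iam-policy PROJECT --format=json`. The policy below is constructed;
PRIVILEGED_ROLES is an assumed mapping of the roles named in the control's note.
"""
import json

# Assumption: IAM role IDs treated as privileged (based on the roles listed in the note).
PRIVILEGED_ROLES = {
    "roles/owner": "Owner",
    "roles/editor": "Editor",
    "roles/resourcemanager.organizationAdmin": "Organization Administrator",
    "roles/resourcemanager.folderAdmin": "Folder Admin",
    "roles/iam.roleAdmin": "Role Administrator",
    "roles/billing.admin": "Billing Account Administrator",
}

# Constructed sample policy (bindings plus auditConfigs, as the API returns them).
SAMPLE_POLICY_JSON = json.dumps({
    "bindings": [
        {"role": "roles/owner",
         "members": ["user:alice@example.com",
                     "serviceAccount:ci-deployer@example-prj.iam.gserviceaccount.com"]},
        {"role": "roles/editor", "members": ["group:devs@example.com"]},
        {"role": "roles/viewer", "members": ["user:bob@example.com"]},
        {"role": "roles/iam.roleAdmin", "members": ["user:alice@example.com"]},
    ],
    "auditConfigs": [
        {"service": "allServices", "auditLogConfigs": [{"logType": "ADMIN_READ"}]},
        {"service": "iam.googleapis.com",
         "auditLogConfigs": [{"logType": "DATA_READ"}, {"logType": "DATA_WRITE"}]},
    ],
    "etag": "BwXconstructed=",
    "version": 1,
})


def privileged_principals(policy_json):
    """Map each principal holding a privileged role to the sorted list of those roles.

    Returns (humans, nonhumans): service accounts and workload identity principals
    (principal:// and principalSet://) are reported separately, since the control asks
    for them to be assessed alongside user accounts.
    """
    humans, nonhumans = {}, {}
    for binding in json.loads(policy_json).get("bindings", []):
        role = binding["role"]
        if role not in PRIVILEGED_ROLES:
            continue
        for member in binding.get("members", []):
            nonhuman = member.startswith("serviceAccount:") or member.startswith("principal")
            (nonhumans if nonhuman else humans).setdefault(member, []).append(role)
    return ({m: sorted(r) for m, r in humans.items()},
            {m: sorted(r) for m, r in nonhumans.items()})


def data_access_logging_gaps(policy_json, required=("ADMIN_READ", "DATA_READ", "DATA_WRITE")):
    """Return the log types missing from the 'allServices' audit config.

    Admin Activity logs are always on, but Data Access logs are off by default for most
    services, so a missing or partial allServices entry is a logging coverage gap.
    """
    enabled = set()
    for cfg in json.loads(policy_json).get("auditConfigs", []):
        if cfg.get("service") == "allServices":
            enabled |= {c["logType"] for c in cfg.get("auditLogConfigs", [])}
    return [t for t in required if t not in enabled]


if __name__ == "__main__":
    humans, nonhumans = privileged_principals(SAMPLE_POLICY_JSON)
    print("privileged users/groups:", humans)
    print("privileged non-human identities:", nonhumans)
    print("Data Access log types not enabled for all services:",
          data_access_logging_gaps(SAMPLE_POLICY_JSON))
```

The same policy structure is returned for folders and organizations (`gcloud resource-manager folders get-iam-policy`, `gcloud organizations get-iam-policy`), so the check can be repeated at each level the testing step names; inherited bindings only appear at the level where they are set, which is why the step asks for all three.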

Sub-area: Establishing Role-Based Access
Control Objective: The enterprise protects data integrity and confidentiality by granting access based on the level required for users to perform approved and authorized job functions.
Controls: The enterprise has developed and assigned access roles and permissions that provide identities (users and service accounts) the least amount of privileges required to execute job functions.
Note: In addition to the roles that GCP provides natively out of the box (OOTB), enterprises may build custom roles and policies around permissions. These can be applied at an organization, project, folder and service level. The segregation of duties and inheritance of permissions and roles should also be considered as part of this control.
Testing Steps:
1. Interview responsible and/or accountable individuals (cloud security, security architecture, operations management) to determine how the enterprise decides which roles are enabled or custom-created within GCP.
2. Further determine:
• The change management process and procedures regarding access permissions for each role and a periodic review period for appropriateness
• The level of documentation that exists for desired access within groups, roles and role permissions and at organizational, project, folder and service levels (i.e., confirm that desired and appropriate access is documented)
• How custom role permissions are developed, approved and attached to GCP entities (users, groups, folders, etc.)
• Individuals responsible for creating or removing GCP groups and roles and attaching role permissions to custom groups and roles
• How least privilege is achieved and maintained for individual GCP Projects, Folders, access groups, roles, role permissions and identities
3. Obtain and inspect the population of identities and hierarchy within the IAM & Admin service in GCP through the management console:
• Projects and Folders and inheritance policies
• Groups and identities
• Roles that have been enabled, noting any roles that are custom
• Organization policies, noting any custom policies defined
• A list of users for each in-scope Project that GCP has noted as having excessive permissions (found by going to IAM and reviewing the "Security Insights" column)
4. Through random sampling, obtain and inspect users to determine whether they are assigned to an access role that is commensurate with their job responsibilities and/or under need-to-know purposes and separation of duties. Review each role's permissions and inquire further with management about the appropriateness of the permissions associated with user roles included in the sample. Alternatively, use management documentation, such as job descriptions or access role descriptions detailing the permissions a given Project, Folder, Service, user, group or role should possess. Inspect the applied permissions for appropriateness.
5. Obtain reviews for roles to determine whether the review of the role definitions and permissions assigned has been completed in accordance with the frequency set by the enterprise and by appropriate personnel and has considered separation of duties as part of access assignments.
Standards Ref.: CIS V8 6.8; COBIT APO07, APO12, APO13, BAI05

Sub-area: Managing External Authentication and Access
Control Objective: The enterprise enforces GCP confidentiality and integrity by requiring strong authentication controls for applications.
Controls: Application programming interfaces (APIs) are required to be authenticated using strong controls and are periodically reviewed for appropriateness.
Testing Steps:
1. Interview responsible and/or accountable individuals (cloud security, cloud engineering, operations management, security architecture, infrastructure) to determine whether APIs must supply additional credentials (perform strong authentication) before they can interact with GCP assets and related resources.
2. Inquire about:
• In-scope users and APIs
• Ownership and responsibility for APIs and API functions
• Method and timing of enforcing additional authenticators (e.g., during user creation, after API deployment, etc.)
• Individuals responsible for configuring strong authentication
• Types of strong authentication configurations that are used to secure APIs
• Frequency of reviews for API inventory, settings and appropriateness by owners
3. Obtain documentation of the population of in-scope users and APIs:
• From the GCP Management Console, access the "APIs & Service" product.
• Click "Enabled APIs & Services" to get a list of in-scope APIs.
• Through random sampling, use the list of in-scope APIs and determine credentials assigned by clicking on "Credentials."
4. Obtain documentation of a periodic review of enabled APIs and credentials to confirm review frequency and the appropriateness of reviewers according to defined owners obtained through the interview process.
Standards Ref.: CIS V8 5.5, 6.3, 6.4; COBIT APO13

Sub-area: Managing External Authentication and Access
Controls: Users are notified of acceptable use policies for GCP resources and are required to authenticate using strong controls that are periodically reviewed for appropriateness.
Note: One way this may be enforced is through 2-step verification (2SV) policy settings within the GCP Admin Console.
Testing Steps:
1. Interview responsible and/or accountable individuals (cloud security, cloud engineering, operations management, security architecture, infrastructure, legal) to determine acceptable use policies for GCP assets and resources and the strong authentication controls required before users can interact with GCP assets and related resources.
2. Inquire about:
• How users are informed of acceptable use policies
• Types of strong authentication in use
• Method for enforcing strong authentication and when additional authenticators are enforced
• Individuals responsible for configuring strong authentication
• Frequency of reviews of acceptable use policies, strong authentication control settings and appropriateness
3. Under the GCP Admin Console:
• Access the "Security" resource.
• Click "Authentication" and review whether 2-step verification settings are required for users.
• Review the frequency and methods configured for alignment with enterprise policy and procedure.
• Through random sampling, select a list of users and under "Directory" confirm that 2-step verification has been enabled for each user.
4. Obtain documentation of a periodic review of enabled strong authentication to confirm review frequency and the appropriateness of reviewers.
Standards Ref.: CIS V8 6.3, 6.4, 6.5; COBIT APO12, APO13

The enterprise enforces The enterprise creates and manages connection and session time-out controls and 1. Interview responsible and/or accountable individuals (cloud security, cloud engineering, operations management, security architecture, infrastructure, legal) on reauthentication and CIS V8 6.2
confidentiality and integrity and the enforces reauthentication policies for logins and access to protected GCP assets and session timeout policies for GCP assets and resources. COBIT APO12,
availability of data through related resources to ensure access is revoked when there is no longer a business need. 2. Inquire about: APO13
periodically requiring • How reauthentication and timeout policies are determined and applied across GCP assets
reauthentication and revalidation of • Individuals responsible for configuring reauthentication and timeout policies
the authorization credentials of • Method for enforcing timeout and reauthentication policies
users. • Individuals responsible for configuring strong authentication
• Frequency of reviews of timeout policies and reauthentication policy control settings and appropriateness
3. Under GCP Admin Console:
• Access the "Security" resource.
• Click "Access" and "Data control" and review the reauthentication policy settings under "Google Cloud session control."
• Review the frequency and methods configured for the alignment with enterprise policy and procedure.
• Through random sampling, select a list of users and verify through audit logs that reauthentication has been enforced according to policy.
4. Obtain documentation of a periodic review of reauthentication and timeout policies to confirm review the frequency and appropriateness of the review.

The enterprise manages external The enterprise creates and manages authentication and authorization policies and 1. Interview responsible and/or accountable individuals (operations management, vendor management, cloud security) to determine the number of external enterprises and accounts CIS V8 6.1, 6.2, 6.6
party access to GCP applications develops roles for the restriction of external parties to related resources. Access is that are allowed access to the GCP environment. COBIT APO12
through authorization and terminated in a timely manner when there is no longer a business need for the access. 2. Inquire about the: APO13
authentication processes that ● Exact method used to authorize, provide or delegate access
ensure actions taken are restricted to Note: The enterprise may use Access Context Manager to enforce additional security ●Types of permissions and access rights granted to external enterprise accounts
appropriate business-related requirements for incoming requests. Any access policies should be assessed. ● Individuals responsible for provisioning and communicating external GCP access
functions for the particular external ● Frequency of reviewing the appropriateness of connections, access rights and timeliness of removal (should business relationships change)
party. ● Monitoring of account usage and indicators of an external account
● Vendor management assessment of accounts and business purpose
3. Obtain documentation of the population of external enterprises and associated roles with access to the GCP environment. Through judgmental sampling:
● Obtain and inspect related roles and permissions policies and inquire with management on the appropriateness of access.
● Obtain and inspect completed authorization forms and management reviews of external enterprise access.
● Obtain and inspect access provided to external parties and reviews by the enterprise for approval and appropriateness in accordance with the frequency the enterprise has defined.

Process Sub-area: Detecting Unauthorized Access
Control Objective: The enterprise maintains the confidentiality and integrity of GCP assets by detecting unauthorized and abusive access scenarios and responding in a timely manner.
Controls: Alerts and logging have been configured in security monitoring tools to detect authentication, access and behavior anomalies for identities. Notifications are configured to inform the appropriate group or individual(s) when alerts have been triggered and processes/procedures are defined as a response to these alerts.
Testing Steps:
1. Interview responsible and/or accountable individuals (cloud security, operations management) to determine whether the enterprise has developed and deployed mechanisms that detect behavior anomalies, such as attempts to authenticate or gain unauthorized access to enterprise GCP assets or violate terms of use policies.
2. Inquire into:
• The tools and logging used to detect these types of events
• The detection queries or algorithms and scenarios covered
• The process defined for responding to these events
• The recipients of alerts and timeliness of responses to events
• The frequency of review of alert settings for completeness and accuracy
3. Obtain and inspect alarm configuration for each scenario to determine whether triggers, receipt of alarms and follow-up investigations occurred as required by the enterprise.
4. Evaluate corrective actions taken based on alarms and the analysis of anomalous events.
Ref. Framework/Standards: COBIT APO12, APO13
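Step 2 asks for the detection queries and scenarios covered. As an added example (not part of the ISACA audit program), the following script implements one such scenario over Cloud Audit Log entries: an identity accumulating repeated PERMISSION_DENIED results within a short window; the principals, timestamps and log lines are constructed.

```python
"""Flag identities with bursts of denied GCP API calls in Cloud Audit Logs.
Added example, not ISACA's own; entries use the Cloud Audit Log LogEntry layout
(timestamp, protoPayload.authenticationInfo/status/methodName) and are constructed."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

PERMISSION_DENIED = 7  # google.rpc.Code value carried in protoPayload.status.code

def _entry(ts, principal, method, code=None):
    """Build one constructed audit log line; code=None models a successful call."""
    payload = {"authenticationInfo": {"principalEmail": principal}, "methodName": method}
    if code is not None:
        payload["status"] = {"code": code, "message": "PERMISSION_DENIED"}
    return json.dumps({"timestamp": ts, "protoPayload": payload})

SAMPLE_LOG = "\n".join([
    _entry("2024-01-15T10:00:00Z", "alice@example.com", "storage.objects.get"),
    _entry("2024-01-15T10:00:30Z", "alice@example.com", "compute.instances.list", 7),
    _entry("2024-01-15T10:01:00Z", "eve@partner.example", "storage.objects.get", 7),
    _entry("2024-01-15T10:01:20Z", "eve@partner.example", "storage.objects.get", 7),
    _entry("2024-01-15T10:02:05Z", "eve@partner.example", "compute.instances.list", 7),
    _entry("2024-01-15T10:02:40Z", "eve@partner.example", "iam.roles.list", 7),
    _entry("2024-01-15T11:30:00Z", "eve@partner.example", "iam.roles.list", 7),
])

def denied_bursts(ndjson, threshold=3, window=timedelta(minutes=5)):
    """Return principals with >= threshold PERMISSION_DENIED calls inside one window."""
    denied = defaultdict(list)  # principal -> [(timestamp, methodName)]
    for line in ndjson.splitlines():
        if not line.strip():
            continue
        entry = json.loads(line)
        payload = entry.get("protoPayload", {})
        if payload.get("status", {}).get("code") != PERMISSION_DENIED:
            continue  # successful call or non-audit entry
        principal = payload.get("authenticationInfo", {}).get("principalEmail", "<unknown>")
        ts = datetime.fromisoformat(entry["timestamp"].replace("Z", "+00:00"))
        denied[principal].append((ts, payload.get("methodName", "?")))
    alerts = {}
    for principal, events in denied.items():
        events.sort()
        start, peak = 0, 0
        for end, (ts, _) in enumerate(events):
            while ts - events[start][0] > window:  # drop events older than the window
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            alerts[principal] = {"peak": peak, "methods": sorted({m for _, m in events})}
    return alerts
```

The threshold and window are the tunable parts an auditor would expect to see documented for each scenario, together with who receives the resulting alert.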

© 2023 ISACA. All rights reserved. Page 30 of 31




Identity and Access Management Controls
Columns: Process Sub-area | Ref. Risk | Control Objectives | Controls | Control Type | Control Classification | Control Frequency | Testing Step | Ref. Framework/Standards (if applicable) | Ref. Workpaper | Pass/Fail | Comments
Process Sub-area: Managing Identity Governance
Control Objective: The enterprise centrally manages or syncs user identity directories for the application of consistent and secure user authentication policies and user life cycle management.
Controls: The enterprise has established the centralized management of identity directory stores. The enterprise routinely reviews source identity stores, synchronization processes and configuration settings for completeness and accuracy.
Note: This control is highly recommended to avoid unnecessary management effort over identities, allow account management to occur from one location and reduce avoidable security risk for enterprise accounts in use (unsynced passwords, similar accounts in two locations [on-premises and in GCP], etc.). Part of this assessment should also consider whether the directory sync configuration is intact to prevent replication of credentials in GCP, as well as how workload identity configuration settings are assigned. The assessment should also determine if Google Managed Service for Microsoft Active Directory (AD) is in use.
Testing Steps:
1. Interview responsible and/or accountable individuals (cloud security, cloud engineering, operations management, network management) to determine the number of directories and identity providers that exist and require integration with GCP for identity and access management.
2. Further inquire about:
• Requirements and settings that integrated directories and identity providers must adhere to
• How often synchronization occurs
• Specific segmentation rules due to legal or regulatory compliance
• Whether single sign-on (SSO) is required
• Specific requirements and integrations for workload identities and service accounts
• Individual responsible for managing settings
• The frequency of review of synchronization configurations and logs for completeness and accuracy
3. From the GCP Admin Console, click on "Directory:"
• Access "Directory settings" and review configuration.
• Access "Directory sync" and review the LDAP directories configuration and whether federation is enabled and includes appropriate domains for identity management.
4. From the GCP Admin Console, click on "Authentication:"
• Access the SSO with security assertion markup language (SAML) application settings to determine integrations.
• Access the SSO with third-party IdP to review integrations and settings to assess integrations.
5. From within the GCP Management Console, access "Workload Identity Federation" and determine whether federation adheres to enterprise requirements.
6. Through judgmental sampling, assess the completeness and accuracy of integrated directories and identity stores.
Ref. Framework/Standards: CIS V8 6.7; COBIT APO07, APO12, APO13

Control Objective: The enterprise maintains environment security by governing the life cycle of user accounts and job responsibilities and restricting user access to necessary accounts.
Controls: The enterprise maintains a life cycle governance process to address access changes for joiner, mover, and leaver scenarios for accounts. The enterprise routinely reviews access for accounts to remove inappropriate access in a timely manner.
Note: It is highly recommended that the enterprise use a workflow process or tool integrated with an HR system to automate the provisioning, changing and removal of accounts and access based on employment and job status.
Testing Steps:
1. Interview responsible and/or accountable individuals (security, network management) to determine how the account life cycle is governed through joiner, mover and leaver scenarios. Inquire about the frequency (e.g., quarterly, annually) by which access and permissions reviews will occur, the scope of each review (e.g., specific users, application access groups), the duration of reviews, who the access reviewers are, how reminder notifications are managed, the tools used to conduct the reviews and what the consequences are (if any) for a given item under review that is not completed on time. Inquire about any configured automation or policies related to life cycle governance and account reviews.
2. Obtain and inspect human resource records, organizational charts, network integration architecture or other information that helps identify and confirm the identity population (human and nonhuman accounts) that are in scope for the access reviews declared by management.
3. Obtain and sample the most recent completed access review and determine whether the results of the review were completed as documented and the reviews per the management schedule have been executed.
4. In the access review, randomly sample identities identified as removed or no longer with the enterprise. Determine if they still possess the access assignments that were noted as denied in the completed access review.
5. Evaluate documented actions taken in the instance if excessive or inappropriate access is found or access rights that were specified to be removed still exist.
6. Obtain and inspect evidence of the frequency of requirements and policy reviews for completeness and accuracy.
Ref. Framework/Standards: CIS V8 5.1, 5.3, 5.4, 5.5, 6.1, 6.2; COBIT APO07, APO12, APO13

Control Objective: The enterprise maintains the security of GCP assets by enforcing security posture and controls for devices accessing the enterprise environment.
Controls: The enterprise has a device management policy that enforces security and vulnerability checks and minimum security requirement baselines for devices accessing enterprise resources. The policy addresses both managed devices and bring your own device (BYOD) scenarios.
Testing Steps:
1. Interview responsible and/or accountable individuals (cloud security, operations management, network management) to determine the methods used to ensure the security posture and controls of devices accessing the enterprise GCP environment.
2. Inquire about:
• Enterprise requirements regarding BYOD and/or managed devices
• Whether the enterprise allows users to self-register devices
• Device images, operating system and security requirements
• The methods used to check that devices conform to policy
• Any exceptions and the extent to which exceptions are documented, reviewed and routinely assessed for appropriateness
• The frequency of policy reviews for completeness and accuracy
3. From the GCP Admin Portal, under "Device and Mobile & Endpoints:"
• Verify device settings by checking that devices with Status Approved align to the stated policy.
• Review the Company owned inventory settings for completeness, accuracy and alignment with stated policy.
• Review both the Windows settings and Universal settings under the "Settings" section to review endpoint verification and security requirements and ensure device enrollment requirements align to the stated policy and available configuration options with GCP.
4. For any device exceptions, confirm an existing documented report has been accepted by appropriate personnel.
5. Obtain and inspect evidence of the frequency of requirements and policy reviews for completeness and accuracy.
Ref. Framework/Standards: CIS V8 1.1, 1.2, 4.6; COBIT APO12, APO13

Control Objective: The enterprise enforces password strength to reduce the risk of compromised enterprise credentials.
Controls: Password management policies have been configured for the enterprise.
Note: An enterprise user with sufficient privileges can create a weaker custom policy and override the built-in policy for stronger authentication controls beyond a password. This is the primary risk over which this control seeks to gain assurance.
Note: Password policies in GCP may not be enforced in some cases if a third-party identity provider (IdP) is in use.
Testing Steps:
1. Interview responsible and/or accountable individuals (cloud security, operations management) to determine the populations of users that have been identified for the required use of password policies. Further, determine the password requirements (e.g., minimum password length, age, history requirements) for each population of users and domain and whether any user populations or domains exist that are exempt from a password policy.
2. Obtain and inspect password management settings within the GCP Admin Console security settings:
• Enforcement of strong passwords
• Enforcement of a minimum password length
• Enforcement of password policy changes at the next sign-in for accounts
• Password reuse
• Password expiration
3. Obtain and inspect evidence of the frequency of requirements and policy reviews for completeness and accuracy.
Ref. Framework/Standards: CIS V8 5.2; COBIT APO12, APO13

