draft for admin privilege accounts rewrite
mdueltgen committed Feb 7, 2025
1 parent 135fed3 commit 6fe1c78
Showing 2 changed files with 6 additions and 6 deletions.
Expand Up @@ -14,7 +14,7 @@ GWS.COMMONCONTROLS.5.3v0.3,User password length SHOULD be at least 15 characters
GWS.COMMONCONTROLS.5.4v0.3,Password policy SHALL be enforced at next sign-in.,Admin Log Event,Change Application Setting,Password Management - Enforce password policy at next login,true,rules/00gjdgxs0p7tza1,JK 08-02-23 @ 09:00
GWS.COMMONCONTROLS.5.5v0.3,User passwords SHALL NOT be reused.,Admin Log Event,Change Application Setting,Password Management - Enable password reuse,false,rules/00gjdgxs0tbqklj,JK 08-02-23 @ 09:05
GWS.COMMONCONTROLS.5.6v0.3,User passwords SHALL NOT expire.,Admin Log Event,Change Application Setting,Password Management - Password reset frequency,0,rules/00gjdgxs1k1llys,JK 08-02-23 @ 09:09
GWS.COMMONCONTROLS.6.1v0.3,All highly privileged accounts SHALL leverage Google Account authentication with phishing-resistant MFA and not the agency’s authoritative on-premises or federated identity system.,N/A,N/A,N/A,N/A,N/A,Not Alertable
GWS.COMMONCONTROLS.6.1v0.3,All admin privileged accounts SHALL leverage Google Account authentication with phishing-resistant MFA and not the agency’s authoritative on-premises or federated identity system.,N/A,N/A,N/A,N/A,N/A,Not Alertable
GWS.COMMONCONTROLS.6.2v0.3,A minimum of two and maximum of four separate and distinct Super Admin users SHALL be configured.,N/A,N/A,N/A,N/A,N/A,Not Alertable
GWS.COMMONCONTROLS.7.1v0.3,Account conflict management SHOULD be configured to replace conflicting unmanaged accounts with managed ones.,N/A,N/A,N/A,N/A,N/A,Not Alertable due to no log event being produced
GWS.COMMONCONTROLS.8.1v0.3,"Account self-recovery for Super Admins SHALL be disabled, forcing Super Admin users who have lost their login credentials to contact another Super Admin to recover their account.",Admin Log Event,Change Application Setting,AdminAccountRecoverySettingsProto Enable admin account recovery,false,rules/00gjdgxs2rlm6cr,JK 08-02-23 @ 09:16
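Review bot: the policy identifier GWS.COMMONCONTROLS.6.1v0.3 keeps its version suffix while the policy text it describes changes from "highly privileged" to "admin privileged"; if the project's convention is to bump the version when a policy statement is reworded, that should happen here. Separately, if any consumer compares this CSV row against the markdown baseline by exact string, note that this row spells `agency’s` with a curly apostrophe while the corresponding markdown policy line in this same commit uses a straight `agency's`, so the two will not compare equal; normalising the apostrophe in one of them would avoid that.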
10 changes: 5 additions & 5 deletions scubagoggles/baselines/commoncontrols.md
Expand Up @@ -14,7 +14,7 @@ This baseline is based on Google documentation and addresses the following:
- [Login Challenges](#3-login-challenges)
- [User Session Duration](#4-user-session-duration)
- [Secure Passwords](#5-secure-passwords)
- [Highly Privileged Accounts](#6-highly-privileged-accounts)
- [Admin Privileged Accounts](#6-highly-privileged-accounts)
- [Conflicting Account Management](#7-conflicting-account-management)
- [Catastrophic Recovery Options](#8-catastrophic-recovery-options-for-super-admins)
- [GWS Advanced Protection Program](#9-gws-advanced-protection-program)
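Review bot: the link fragment in `- [Admin Privileged Accounts](#6-highly-privileged-accounts)` still points at the old slug. The heading is renamed to `## 6. Admin Privileged Accounts` later in this commit, so the generated anchor becomes `#6-admin-privileged-accounts` and this table-of-contents entry will be a dead link; update the fragment to match the new heading.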
Expand Down Expand Up @@ -516,11 +516,11 @@ To configure a strong password policy is configured, use the Google Workspace Ad
#### GWS.COMMONCONTROLS.5.6v0.3 Instructions
1. Under **Expiration**, select **Never Expires.**

## 6. Highly Privileged Accounts
## 6. Admin Privileged Accounts

Highly privileged accounts represent significant risk to an agency if compromised or if insiders use them in an unauthorized way. Highly privileged accounts share the same risk factors related to the catastrophic impacts on GWS services, user community and agency data, if compromised. This section supports the definition of highly privileged accounts based on permissions an account has and the controls necessary to protect them.
Admin privileged accounts represent significant risk to an agency if compromised or if insiders use them in an unauthorized way. Admin privileged accounts share the same risk factors related to the catastrophic impacts on GWS services, user community and agency data, if compromised. This section defines admin privileged accounts as both pre-build and custom admin accounts, based on the permissions of an account.

Some examples of privileged accounts include the pre-built GWS Admin Roles:
Some examples of these privileged accounts include the pre-built GWS Admin Roles:

- Super Admin: This role possesses critical control over the entire GWS structure. It has access to all features in the Admin Console and Admin API and can manage every aspect of agency GWS accounts.
- User Management Admin: This account has rights to add, remove, and delete normal users in addition to managing all user passwords, security settings, and other management tasks that make it potentially crucial if compromised.
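Review bot: typo in the added paragraph, `pre-build` should be `pre-built` (the following line already uses `pre-built GWS Admin Roles`). The rewritten sentence also states that the section defines admin privileged accounts as both pre-built and custom admin accounts, but the list that follows still covers only the pre-built roles; a sentence stating what makes a custom admin role fall under this definition (which privileges qualify) would make the definition complete.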
Expand All @@ -531,7 +531,7 @@ Some examples of privileged accounts include the pre-built GWS Admin Roles:
### Policies

#### GWS.COMMONCONTROLS.6.1v0.3
All highly privileged accounts SHALL leverage Google Account authentication with phishing-resistant MFA and not the agency's authoritative on-premises or federated identity system.
All admin privileged accounts SHALL leverage Google Account authentication with phishing-resistant MFA and not the agency's authoritative on-premises or federated identity system.

- _Rationale:_ Leveraging Google Account authentication with phishing resistant MFA for highly privileged accounts reduces the risks associated with a compromise of on-premises federation infrastructure. This makes it more challenging for an adversary to pivot from a compromised on-premises environment to the cloud with privileged access.
- _Last modified:_ July 10, 2023
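Review bot: the rationale bullet still reads `for highly privileged accounts` while the policy line directly above it now says `admin privileged accounts`; align the wording so the policy and its rationale use the same term. The `_Last modified:_ July 10, 2023` line is also unchanged even though the policy statement is edited in this commit; if the baseline convention is to update that date when a policy statement changes, it should be bumped here.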
