canada-ca / accelerators_accelerateurs-gcp

[GCP] Tools and templates to accelerate GC service delivery. Outils et modèles pour accélérer la prestation de services du GC.
MIT License

Control code to ITSG-33 mapping and labels - add code comments and GCP labelling #18

Open fmichaelobrien opened 2 years ago

fmichaelobrien commented 2 years ago

see also https://github.com/GoogleCloudPlatform/pbmm-on-gcp-onboarding/issues/2

We need a way to visually and programmatically link code to controls (in addition to control to code) - for human and IAC validation/reporting

For example which terraform module covers SC-8 TRANSMISSION CONFIDENTIALITY AND INTEGRITY

Doc-only example: https://github.com/canada-ca/accelerators_accelerateurs-gcp/blob/main/guardrail-details/07-data-in-transit/guardrail-7-in-transit.md https://github.com/canada-ca/cloud-guardrails/blob/master/EN/07_Protect-Data-in-Transit.md

link/label to (I need to verify) SC-8 TRANSMISSION CONFIDENTIALITY AND INTEGRITY https://cyber.gc.ca/en/guidance/annex-3a-security-control-catalogue-itsg-33#a316sc8 ITSG_33_SC_8 and SC-12 CRYPTOGRAPHIC KEY ESTABLISHMENT AND MANAGEMENT https://cyber.gc.ca/en/guidance/annex-3a-security-control-catalogue-itsg-33#a316sc12 ITSG_33_SC_12

Code example: https://github.com/canada-ca/cloud-guardrails/blob/master/EN/05_Data-Location.md https://github.com/canada-ca/accelerators_accelerateurs-gcp/blob/main/guardrail-details/05-data-location/data-location.md

and https://github.com/canada-ca/accelerators_accelerateurs-gcp/blob/main/deployment-templates/Terraform/guardrails/1-guardrails/org-policy.tf#L6 https://github.com/GoogleCloudPlatform/pbmm-on-gcp-onboarding/blob/main/environments/common/main.tf#L84 link/label to ? SC-7 BOUNDARY PROTECTION ITSG_33_SC_7 https://cyber.gc.ca/en/guidance/annex-3a-security-control-catalogue-itsg-33#a316sc7 or PE-18 LOCATION OF INFORMATION SYSTEM COMPONENTS ITSG_33_PE_18 https://cyber.gc.ca/en/guidance/annex-3a-security-control-catalogue-itsg-33#a311pe18

fmichaelobrien commented 2 years ago

actually there are some control mappings back from code in

https://github.com/canada-ca/cloud-guardrails/blob/master/EN/01_Protect-Root-Account.md

Meeting with @Chris Carty and @Chris Daoust on DND/SSC security controls - thanks guys for the pointer to the 3rd repo - missed (need more scrolling) the 1:n code-to-control mapping for the guardrails subset of the controls, for example. We should be able to add labelling in the TF - https://github.com/canada-ca/cloud-guardrails/blob/master/EN/08_Segmentation.md

i.e.: AC‑4, SC‑7, SC‑7(5) in https://cyber.gc.ca/en/guidance/annex-3a-security-control-catalogue-itsg-33#a31ac4
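One way to make the code-to-control link checkable programmatically, added here as an example that is not part of this repo or issue: a scanner that reads an assumed `# itsg33: <controls>` comment convention and assumed `itsg_33_<family>_<n>[_<enhancement>]` label keys from Terraform text (a constructed sample is embedded), builds both the code-to-control and the 1:n control-to-code views, and lists required controls with no implementing code.

```python
import re
from collections import defaultdict
# Constructed sample Terraform (not from the repo). Two assumed annotation styles:
# "# itsg33: <controls>" comments before a block, and itsg_33_<fam>_<n>[_<enh>] labels.
SAMPLE_TF = """
# itsg33: SC-7, SC-7(5)
resource "google_compute_firewall" "deny_all_ingress" {
  network = "vpc"
}
module "org_policy" {
  labels = {
    itsg_33_pe_18 = "true"
    itsg_33_sc_7  = "true"
  }
}
# itsg33: SC-8, SC-12
resource "google_kms_crypto_key" "cmek" {
}
"""
BLOCK_RE = re.compile(r'^\s*(resource|module)\s+"([^"]+)"(?:\s+"([^"]+)")?\s*\{')
COMMENT_RE = re.compile(r'^\s*#\s*itsg33:\s*(.+)$', re.I)
LABEL_RE = re.compile(r'^\s*itsg_33_([a-z]{2})_(\d+)(?:_(\d+))?\s*=', re.I)

def code_to_controls(tf_text):
    """Map each resource/module address to the ITSG-33 controls annotated on it."""
    mapping, pending, current = defaultdict(set), set(), None
    for line in tf_text.splitlines():
        if m := COMMENT_RE.match(line):
            pending.update(c.strip() for c in m.group(1).split(","))
        elif m := BLOCK_RE.match(line):
            kind, a, b = m.groups()
            current = f"{a}.{b}" if kind == "resource" else f"module.{a}"
            mapping[current] |= pending  # comment controls attach to the next block
            pending = set()
        elif current and (m := LABEL_RE.match(line)):
            fam, num, enh = m.groups()  # itsg_33_sc_7_5 -> SC-7(5)
            mapping[current].add(f"{fam.upper()}-{num}" + (f"({enh})" if enh else ""))
    return {addr: sorted(ctrls) for addr, ctrls in mapping.items()}

def controls_to_code(code_map):
    """Invert to control -> [addresses]: the 1:n control-to-code view for reporting."""
    inverse = defaultdict(list)
    for addr, ctrls in code_map.items():
        for ctrl in ctrls:
            inverse[ctrl].append(addr)
    return {ctrl: sorted(addrs) for ctrl, addrs in inverse.items()}

def uncovered(required, control_map):
    """Required controls with no implementing code: the gap a validation job reports."""
    return sorted(ctrl for ctrl in required if ctrl not in control_map)
```

Running `uncovered(["AC-4", "SC-8", "SC-12"], controls_to_code(code_to_controls(SAMPLE_TF)))` on the sample reports `["AC-4"]`, the one control in the required set that no annotated block claims.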

fmichaelobrien commented 2 years ago

Add screencap (1 or more) evidence capture for each control