DLP Policy Moving to Common Controls

[mdueltgen]

DLP now exists for Gmail, Google Chat, and Drive Docs

I aim to remove Drive Docs 7.1 and Chat 5.1 and make one consolidated DLP policy in common controls.

This would also cover Issue #286 and would close out PR #452 and PR #450

Below is my draft for the policy

`#### GWS.COMMONCONTROLS.18.1v0.3 Agencies SHOULD configure DLP rules to block or warn on sharing files with sensitive data.

• Rationale: Data Loss Prevention (DLP) rules help identify and limit the sharing of sensitive content, protecting agency information. Blocking and/or having warnings on these DLP-scanned files from being shared with users can reduce the risk of unintentional introduction of sensitive content.

• Last modified: June 20, 2024

• MITRE ATT&CK TTP Mapping

  • T1530: Data from Cloud Storage
  • T1048: Exfiltration Over Alternative Protocol
  • T1048:002: Exfiltration Over Alternative Protocol: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
  • T1213: Data from Information Repositories
  • T1213:001: Data from Information Repositories:Confluence
  • T1213:002: Data from Information Repositories:Sharepoint

Resources

• GWS Admin Help | Protect sensitive information using DLP
• GWS Admin Help | Use Workspace DLP to prevent data loss
• GWS Admin Help | Create DLP for Drive rules and custom content detectors
• GWS Admin Help | Prevent data leaks from Chat messages & attachments
• GWS Admin Help | Prevent data leaks in email & attachments

Prerequisites

• None

Implementation

GWS.COMMONCONTROLS.18.1v0.3 Instructions

1. Sign in to the Google Admin Console.
2. Select Menu -> Security -> Access and data control -> Data protection.
3. Click Manage Rules.
4. For each DLP rule necessary to meet the standards of an agency:
5. Click Add rule -> New rule or click Add rule -> New rule from template. For templates, select a template from the Templates page.
   • 1. For new rules:
   • 2. In the Name section, add the name and description of the rule.
   • 2. In the Scope section, apply this rule only to the entire domain or to selected organizational units or groups, and click Continue. If there's a conflict between organizational units and groups in terms of inclusion or exclusion, the group takes precedence.
   • 3. In the Apps section, choose the trigger for Google Drive, Drive files, Google Chat, Message sent, File uploaded,amd Gmail, Message sent then click Continue.
   • 4. In the Conditions section, click Add Condition.
   • 5. Configure appropriate content definition(s) based upon the agency's individual requirements and click Continue.
   • 6. In the Actions section, select the appropriate action to warn or block sharing for Google Chat, Gmail, and Google Drive based upon the agency's individual requirements.
   • 7. In the Alerting section, choose a severity level, and optionally, check Send to alert center to trigger notifications.
   • 8. Review the rule details, mark the rule as Active, and click Create.`

[buidav]

Closed by #469