Overview
Policy Statement
A data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data.
This includes breaches that are a result of both accidental and deliberate causes. It also means that a breach is more than just about losing personal data.
A data breach can be broadly defined as a security incident that has affected the confidentiality, integrity, or availability of personal data. In short, there will be a data breach whenever any data is lost, destroyed, corrupted, or disclosed; if someone accesses the data or passes it on without proper authorization; or if the data is made unavailable and this unavailability has a significant negative effect on individuals.
In compliance with the EU General Data Protection Regulation (GDPR), the Data Protection Act 1998 (DPA), the Health Information Technology for Economic and Clinical Health Act (HITECH), and the Health Insurance Portability and Accountability Act (HIPAA), your organization has implemented the following policy concerning data breaches.
In the case of any data breach, your organization must notify all affected direct parties.
Scope
This procedure applies to all parties who access, process, or store your organization's Information or Personal Data.
3rd Party Data Breach
If a 3rd Party data processor suffers a breach, they have a duty under contract and GDPR to inform your organization without undue delay as soon as they become aware of the breach.
Your organization's 3rd Parties who are identified as personal data processors include, but are not limited to: payroll providers, benefits providers, and security firms.
Procedures
Procedures and mapped controls
Breach Discovery and Investigation
If you become aware of, or become suspicious of, a potential data breach, you must notify your organization's DPO.
There is a data breach incident reporting form attached at the end of this policy which must be completed giving as much detail as possible and submitted directly to the data protection officer.
Your organization will investigate, contain, and respond to any such breach without undue delay upon receipt of the submission. It is the responsibility of your organization's CISO to determine who will be responsible for further investigating the data breach.
Mapped controls
Ensure CloudTrail is enabled in all regions
Ensure CloudTrail trails are integrated with CloudWatch Logs
Ensure AWS Config is enabled in all regions
Ensure VPC flow logging is enabled in all VPCs
Ensure that Object-level logging for write events is enabled for S3 bucket
Ensure that Object-level logging for read events is enabled for S3 bucket
Ensure sinks are configured for all Log entries
Containment
The data breach containment strategies are designed to:
- Remove active attackers from your systems
- Prevent further attacks
- Contain the incident
Steps for containing the data breach
- Isolate the threat - identify and remove active intruders and prevent further unauthorized access;
- Reset passwords - force password resets for all the accounts on the domain or authentication system;
- Implement Multi-Factor Authentication (MFA) - once you've isolated the threat and reset passwords, add MFA to any accounts;
- Do not destroy evidence - you may need to determine where the breach started and devise a plan to prevent it from happening again. Also, the type of data that has been breached can influence whether you need to notify the breach or not.
Mapped controls
Eliminate use of the "root" user for administrative and daily tasks
Ensure no "root" user account access key exists
Ensure MFA is enabled for the "root" account
Ensure IAM Users receive permissions only through Groups
Ensure that corporate login credentials are used instead of Gmail accounts
Ensure Service Account has no Admin privileges
Ensure IAM users are not assigned the Service Account User or Service Account Token Creator roles at project level
Ensure IAM policies that allow full "*:*" administrative privileges are not attached
Assessment of Risks
To assess the risk level, your organization will maintain a confidential breach register and measure the risk against certain criteria. In all cases where a breach has occurred, your organization will document it in the confidential breach register. The log of the breach will contain, but is not limited to:
- the origin of the breach (your organization or 3rd Party?) and the affected systems (list);
- the scope of the breach;
- the likely number of records affected by the data breach, especially ones which fall under the PHI, ePHI, or PII category and have special protection treatment;
- the likelihood of the breach impacting on the rights and freedoms of individuals;
- the business impact of the data breach: financial, reputation, operational downtime;
- any steps which have been taken to mitigate the impact of the breach;
- the sensitivity of the personal data subject to the breach.
Breach Notification
After a data breach occurs, your organization will notify employees, customers, 3rd Parties, authorities, and/or media:
| Data Owners | Interval¹ | Breach Log | Notify ICO² | Template | Method |
|-------------|-----------|------------|-------------|----------|--------|
| Employees   | < 24 hrs  | Yes        | Yes         | No       | Verbally and email |
| Customers   | 24-48 hrs | Yes        | Yes         | Yes      | Email |
| 3rd Parties | < 48 hrs  | No         | No          | No       | Email |
| Media       | > 72 hrs  | No         | No          | Yes      | Email |
| Others      | > 72 hrs  | Yes        | Yes         | No       | Email preferred |
- ¹Interval: since the breach has been discovered
- ²ICO: Information Commissioner's Office
Delays: if a law enforcement official states to a covered entity or business associate that a notification, notice, or posting required under this subpart would impede a criminal investigation or cause damage to national security, a covered entity or business associate shall:
- if the statement is in writing and specifies the time for which a delay is required, delay such notification, notice, or posting for the period specified by the official; or
- if the statement is made orally, document the statement, including the identity of the official making the statement, and delay the notification, notice, or posting temporarily and no longer than 30 days from the date of the oral statement, unless a written statement as described in paragraph (a) of this section is submitted during that time.
Query logic
These are the stored checks tied to this policy. Each query selects the assets that violate its control, so the expected result `eq []` means a check passes only when the query returns no assets.
AWS Multi-region cloud trails with logging enabled
Expected check: eq []
```graphql
{
  AWSLogging1 { ...AssetFragment }
}
```
CloudTrail trails are integrated with CloudWatch Logs
Expected check: eq []
```graphql
{
  AWSLogging4 { ...AssetFragment }
}
```

AWS Config is enabled in all regions
Expected check: eq []
```graphql
{
  AWSLogging5 { ...AssetFragment }
}
```

VPC flow logging is enabled in all VPCs
Expected check: eq []
```graphql
{
  vpcs(
    where: {
      OR: [
        { hasFlowLog: null }
        { hasFlowLog_NONE: { flowLogStatus: "ACTIVE" } }
      ]
    }
  ) {
    ...AssetFragment
  }
}
```

Object-level logging for write events is enabled for S3 bucket
Expected check: eq []
```graphql
{
  buckets(
    where: {
      OR: [
        {
          trailEventSelectorDataResources_ALL: {
            eventSelector: { NOT: { readWriteType_IN: ["All", "WriteOnly"] } }
          }
        }
        { trailEventSelectorDataResources_SOME: null }
      ]
    }
  ) {
    ...AssetFragment
  }
}
```

Object-level logging for read events is enabled for S3 bucket
Expected check: eq []
```graphql
{
  buckets(
    where: {
      OR: [
        {
          trailEventSelectorDataResources_ALL: {
            eventSelector: { NOT: { readWriteType_IN: ["All", "ReadOnly"] } }
          }
        }
        { trailEventSelectorDataResources_SOME: null }
      ]
    }
  ) {
    ...AssetFragment
  }
}
```

Sinks are configured for all Log entries
Expected check: eq []
```graphql
{
  GCPLogging2 { ...AssetFragment }
}
```

Eliminate use of the "root" user for administrative and daily tasks
Expected check: eq []
```graphql
{
  AWSIAM1 { ...AssetFragment }
}
```

AWS Root users with access key
Expected check: eq []
```graphql
{
  rootUsers(
    where: {
      hasIAMUserCredentials: {
        OR: [{ accessKey1Active: true }, { accessKey2Active: true }]
      }
    }
  ) {
    connector { ...AssetFragment }
  }
}
```
MFA is enabled for the "root" account
Expected check: eq []
```graphql
{
  AWSIAM13 { ...AssetFragment }
}
```

IAM Users receive permissions only through Groups
Expected check: eq []
```graphql
{
  iamUsers(where: { cloudProvider: "aws", iamPolicies_NOT: null }) {
    ...AssetFragment
  }
}
```

Corporate login credentials are used instead of Gmail accounts
Expected check: eq []
```graphql
{
  GCPIAM1 { ...AssetFragment }
}
```

Ensure Service Account has no Admin privileges
Expected check: eq []
```graphql
{
  iamServiceAccounts(
    where: {
      hasIAMRole_SOME: {
        OR: [
          { name: "roles/owner" }
          { name: "roles/editor" }
          { name_CONTAINS: "admin" }
        ]
      }
    }
  ) {
    ...AssetFragment
  }
}
```

IAM users are not assigned the Service Account User or Service Account Token Creator roles at project level
Expected check: eq []
```graphql
{
  GCP110IAM6 { ...AssetFragment }
}
```

IAM policies that allow full "*:*" administrative privileges are not attached to IAMRoles
Expected check: eq []
```graphql
{
  iamRoles(
    where: {
      iamPolicies_SOME: {
        iamPolicyStatements_SOME: {
          effect: "Allow"
          actions_INCLUDES: "*"
          resources_INCLUDES: "*"
        }
      }
    }
  ) {
    ...AssetFragment
  }
}
```

IAM policies that allow full "*:*" administrative privileges are not attached to IAMUsers
Expected check: eq []
```graphql
{
  iamUsers(
    where: {
      iamPolicies_SOME: {
        iamPolicyStatements_SOME: {
          effect: "Allow"
          actions_INCLUDES: "*"
          resources_INCLUDES: "*"
        }
      }
    }
  ) {
    ...AssetFragment
  }
}
```

IAM policies that allow full "*:*" administrative privileges are not attached to IAMGroups
Expected check: eq []
```graphql
{
  iamGroups(
    where: {
      iamPolicies_SOME: {
        iamPolicyStatements_SOME: {
          effect: "Allow"
          actions_INCLUDES: "*"
          resources_INCLUDES: "*"
        }
      }
    }
  ) {
    ...AssetFragment
  }
}
```
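All of the stored checks above share one shape: the query selects the assets that violate a control, and the expected result `eq []` means the check passes only when nothing is selected. The Python below is an added example, not part of this page or of the platform that stores these queries. It re-implements four of the filters (VPC flow logs, S3 object-level logging for write and read events, GCP service-account admin roles, and `*:*` IAM policy statements on roles, users or groups) as plain predicates over a small constructed inventory, so the semantics of the `_NONE`, `_ALL`/`NOT`/`_IN`, `_SOME` and `_CONTAINS` filters can be seen on concrete records. The record shapes and ids are assumptions modelled on the field names in the queries; they are not real assets.

```python
"""Re-implementation of several stored checks as plain predicates.

Added example. The inventory below is constructed for this demonstration and
its record shape is an assumption modelled on the query field names above.
"""
from typing import Callable

# Constructed inventory (not real assets).
VPCS = [
    {"id": "vpc-a", "hasFlowLog": [{"flowLogStatus": "ACTIVE"}]},
    {"id": "vpc-b", "hasFlowLog": None},                          # no flow log at all
    {"id": "vpc-c", "hasFlowLog": [{"flowLogStatus": "INACTIVE"}]},  # log exists, not active
]
BUCKETS = [
    {"id": "logs-bucket", "trailEventSelectorDataResources": [
        {"eventSelector": {"readWriteType": "All"}}]},
    {"id": "write-only-bucket", "trailEventSelectorDataResources": [
        {"eventSelector": {"readWriteType": "WriteOnly"}}]},
    {"id": "unlogged-bucket", "trailEventSelectorDataResources": None},
]
SERVICE_ACCOUNTS = [
    {"id": "sa-builder", "hasIAMRole": [{"name": "roles/cloudbuild.builds.builder"}]},
    {"id": "sa-editor", "hasIAMRole": [{"name": "roles/editor"}]},
    {"id": "sa-admin", "hasIAMRole": [{"name": "roles/compute.admin"}]},
]
IAM_ROLES = [
    {"id": "ReadOnly", "iamPolicies": [{"iamPolicyStatements": [
        {"effect": "Allow", "actions": ["s3:GetObject"], "resources": ["*"]}]}]},
    {"id": "FullAdmin", "iamPolicies": [{"iamPolicyStatements": [
        {"effect": "Allow", "actions": ["*"], "resources": ["*"]}]}]},
    {"id": "DenyAll", "iamPolicies": [{"iamPolicyStatements": [
        {"effect": "Deny", "actions": ["*"], "resources": ["*"]}]}]},
]


def vpc_missing_active_flow_log(vpc: dict) -> bool:
    """hasFlowLog is null, or no attached flow log is ACTIVE (the _NONE filter)."""
    logs = vpc.get("hasFlowLog") or []
    return not any(log.get("flowLogStatus") == "ACTIVE" for log in logs)


def bucket_missing_object_logging(bucket: dict, allowed: tuple) -> bool:
    """No data-resource selector at all (_SOME: null), or every selector's
    readWriteType is outside the allowed set (_ALL with NOT readWriteType_IN)."""
    selectors = bucket.get("trailEventSelectorDataResources")
    if not selectors:
        return True
    return all(s["eventSelector"].get("readWriteType") not in allowed for s in selectors)


def bucket_missing_write_logging(bucket: dict) -> bool:
    return bucket_missing_object_logging(bucket, ("All", "WriteOnly"))


def bucket_missing_read_logging(bucket: dict) -> bool:
    return bucket_missing_object_logging(bucket, ("All", "ReadOnly"))


def service_account_has_admin_role(sa: dict) -> bool:
    """hasIAMRole_SOME: roles/owner, roles/editor, or a name containing 'admin'.
    The substring match is case-sensitive, mirroring the literal in the query."""
    return any(
        r["name"] in ("roles/owner", "roles/editor") or "admin" in r["name"]
        for r in sa.get("hasIAMRole") or []
    )


def has_full_admin_statement(principal: dict) -> bool:
    """Some attached policy has some statement with Allow, actions '*' and
    resources '*'. Works for roles, users and groups alike, since the three
    queries differ only in the collection they scan."""
    return any(
        st.get("effect") == "Allow"
        and "*" in st.get("actions", [])
        and "*" in st.get("resources", [])
        for pol in principal.get("iamPolicies") or []
        for st in pol.get("iamPolicyStatements") or []
    )


def run_check(assets: list, violates: Callable[[dict], bool]) -> list:
    """Ids the query would select; the stored check passes when this is []."""
    return [a["id"] for a in assets if violates(a)]


if __name__ == "__main__":
    for label, assets, pred in [
        ("VPC flow logging", VPCS, vpc_missing_active_flow_log),
        ("S3 write-event logging", BUCKETS, bucket_missing_write_logging),
        ("S3 read-event logging", BUCKETS, bucket_missing_read_logging),
        ("Service account admin roles", SERVICE_ACCOUNTS, service_account_has_admin_role),
        ("*:* admin policies on roles", IAM_ROLES, has_full_admin_statement),
    ]:
        failing = run_check(assets, pred)
        print(f"{label}: {'PASS' if failing == [] else 'FAIL ' + str(failing)}")
```

Two details are worth noticing when running it: a VPC with a flow log that is not `ACTIVE` fails exactly like one with no flow log, because the query's `_NONE` branch looks at status rather than presence; and a `Deny` statement with `*`/`*` is not flagged, since the check keys on `effect: "Allow"`, so a deny-all guardrail policy will not show up as a finding.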