HITRUST CSF 11.5 - Google Cloud
This page lists all 72 policies in the HITRUST CSF 11.5 pack for Google Cloud.
| Policy Name | Description | Framework Reference | Framework Specification |
|---|---|---|---|
| kms-key-iam | Require proper access controls for Cloud KMS key IAM policies | 01.a Access Control Policy | A privilege management process shall be implemented and include the allocation of different levels of access privileges, the authorization process for such privileges, and the maintenance of all privileges on a system. |
| service-account-restricted-names | Restrict default service account creation with prohibited names | 01.b User Registration | There shall be a formal user registration and de-registration procedure in place governing the allocation of access rights to all information systems and services. |
| iam-no-broad-roles | Enforce least privilege access control by prohibiting overly broad roles | 01.c Privilege Management | A privilege management process shall be implemented to ensure that the allocation of access rights is appropriately restricted. |
| pubsub-topic-iam-least-privilege | Enforce least privilege IAM policies for Pub/Sub topics | 01.c Privilege Management | A privilege management process shall be implemented and include the allocation of different levels of access privileges, the authorization process for such privileges, and the maintenance of all privileges on a system. |
| pubsub-subscription-iam-least-privilege | Enforce least privilege IAM policies for Pub/Sub subscriptions | 01.c Privilege Management | A privilege management process shall be implemented and include the allocation of different levels of access privileges, the authorization process for such privileges, and the maintenance of all privileges on a system. |
| cloudfunctions-iam-source-restrictions | Require Cloud Functions IAM bindings to configure source restrictions | 01.c Privilege Management | A privilege management process shall be implemented to ensure that the allocation of access rights is appropriately restricted. |
| service-account-key | Ensure proper service account key usage and prohibit insecure authentication methods | 01.p Secure Log-on Procedures | Secure logon procedures shall be implemented to prevent unauthorized access. Where password authentication is used, the system shall enforce a secure password policy. |
| cloudfunctions-execution-time | Limit Cloud Functions execution time to prevent extended access | 01.u Limitation of Connection Time | Connection times shall be limited to minimize the opportunity for unauthorized access. |
| bucket-iam-least-privilege | Enforce least privilege access for Cloud Storage bucket IAM policies | 01.v Information Access Restriction | Access rights shall be regularly reviewed and updated according to business requirements and personal changes. The access to information and application system functions shall be restricted according to business requirements and defined and documented in the access control policy. |
| private-service-connect | Require Private Service Connect endpoints to have restrictive security policies | 01.v Information Access Restriction | Access to information shall be restricted to authorized users and limited to authorized uses. |
| compute-instance-encrypted-attached-disk | Require Compute Engine instances to have encrypted attached disks | 06.d Data Protection and Privacy of Covered Information | Information in storage shall be protected from unauthorized disclosure, modification and destruction. The organization shall implement appropriate technical, physical and procedural safeguards to protect information assets from unauthorized access, use, disclosure, disruption, modification or destruction. |
| compute-instance-encrypted-boot-disk | Require Compute Engine instances to have encrypted boot disks | 06.d Data Protection and Privacy of Covered Information | Information in storage shall be protected from unauthorized disclosure, modification and destruction. The organization shall implement appropriate technical, physical and procedural safeguards to protect information assets from unauthorized access, use, disclosure, disruption, modification or destruction. |
| instance-template-encrypted-disk | Require instance templates to have encrypted disks | 06.d Data Protection and Privacy of Covered Information | Information in storage shall be protected from unauthorized disclosure, modification and destruction. The organization shall implement appropriate technical, physical and procedural safeguards to protect information assets from unauthorized access, use, disclosure, disruption, modification or destruction. |
| instance-template-encrypted-boot-disk | Require instance templates to have encrypted boot disks | 06.d Data Protection and Privacy of Covered Information | Information in storage shall be protected from unauthorized disclosure, modification and destruction. The organization shall implement appropriate technical, physical and procedural safeguards to protect information assets from unauthorized access, use, disclosure, disruption, modification or destruction. |
| gke-secrets-encryption | Require GKE clusters to have Application-layer Secrets Encryption enabled | 06.d Data Protection and Privacy of Covered Information | Information in storage shall be protected from unauthorized disclosure, modification and destruction. The organization shall implement appropriate technical, physical and procedural safeguards to protect information assets from unauthorized access, use, disclosure, disruption, modification or destruction. |
| bucket-customer-managed-kms | Require Cloud Storage buckets to use customer-managed Cloud KMS keys for encryption | 06.d Data Protection and Privacy of Covered Information | Information in storage shall be protected from unauthorized disclosure, modification and destruction. The organization shall implement appropriate technical, physical and procedural safeguards to protect information assets from unauthorized access, use, disclosure, disruption, modification or destruction. |
| bucket-versioning | Require Cloud Storage buckets to have versioning enabled for data protection | 06.d Data Protection and Privacy of Covered Information | Information in storage shall be protected from unauthorized disclosure, modification and destruction. The organization shall implement appropriate technical, physical and procedural safeguards to protect information assets from unauthorized access, use, disclosure, disruption, modification or destruction. |
| pubsub-encryption | Require Pub/Sub topics to have encryption enabled with customer-managed Cloud KMS keys | 06.d Data Protection and Privacy of Covered Information | Cryptographic controls shall be used in compliance with all relevant agreements, laws and regulations. |
| bucket-lifecycle | Require Cloud Storage buckets to have lifecycle management policies configured | 06.d Data Protection and Privacy of Covered Information | Information in storage shall be protected from unauthorized disclosure, modification and destruction. The organization shall implement appropriate technical, physical and procedural safeguards to protect information assets from unauthorized access, use, disclosure, disruption, modification or destruction. |
| hardcoded-secrets | Prohibit hardcoded secrets in code and configuration | 06.d Data Protection and Privacy of Covered Information | Information in storage shall be protected from unauthorized disclosure, modification and destruction. |
| cloudsql-secure-credentials | Require Cloud SQL instances to use secure master credentials management | 06.d Data Protection and Privacy of Covered Information | Information in storage shall be protected from unauthorized disclosure, modification and destruction. |
| pubsub-message-retention | Require Pub/Sub subscriptions to have appropriate message retention policies | 06.d Data Protection and Privacy of Covered Information | Information in storage shall be protected from unauthorized disclosure, modification and destruction. |
| bucket-dlp-access | Require Cloud Storage buckets to have appropriate access for data classification services like Cloud DLP | 06.d Data Protection and Privacy of Covered Information | Information in storage shall be protected from unauthorized disclosure, modification and destruction. The organization shall implement appropriate technical, physical and procedural safeguards to protect information assets from unauthorized access, use, disclosure, disruption, modification or destruction. |
| cloudfunctions-documentation | Require Cloud Functions to have adequate documentation | 09.b Change Management | Changes to information processing facilities and systems shall be controlled through appropriate change management procedures. |
| resource-labeling | Require all GCP resources to have proper labeling for change tracking | 09.b Change Management | Changes to information processing facilities and systems shall be controlled through the use of formal change management procedures. |
| environment-label | Require all labelable resources to have an environment label | 09.d Separation of Development Test and Operational Environments | Segregation of test, development and operational environments shall be maintained to ensure that the test and development environments do not adversely impact the operational environment. |
| single-environment-stack | Ensure all resources in a stack belong to the same environment | 09.d Separation of Development Test and Operational Environments | Segregation of test, development and operational environments shall be maintained to ensure that the test and development environments do not adversely impact the operational environment. |
| bucket-access-logging | Require Cloud Storage buckets to have access logging enabled for audit trails | 09.e Service Delivery | Automated logging procedures shall be implemented to enable monitoring and detection of security events. |
| gke-private-endpoints | Require GKE cluster API endpoints to be private | 09.m Network Controls | Networks shall be managed and controlled in order to protect the organization from threats and to maintain security for the systems and applications using the network, including information in transit. |
| firewall-ssh-rdp | Enforce firewall rule restrictions for SSH and RDP access | 09.m Network Controls | Networks shall be managed and controlled in order to protect the organization from threats and to maintain security for the systems and applications which use the network, and to protect information in transit. |
| firewall-strict | Enforce strict firewall rules with explicit allow/deny configuration | 09.m Network Controls | Networks shall be managed and controlled in order to protect the organization from threats and to maintain security for the systems and applications which use the network, and to protect information in transit. |
| bucket-no-public-read | Require Cloud Storage buckets to disallow public read access | 09.m Network Controls | Networks shall be managed and controlled in order to protect the organization from threats and to maintain security for the systems and applications using the network, including information in transit. |
| cloudsql-private-ip | Require Cloud SQL instances to be deployed with private IP only | 09.m Network Controls | Networks shall be managed and controlled in order to protect the organization from threats and to maintain security for the systems and applications which use the network, and to protect information in transit. |
| compute-no-public-ip | Require Compute Engine instances to disallow public IP addresses | 09.m Network Controls | Networks shall be managed and controlled in order to protect the organization from threats and to maintain security for the systems and applications using the network, including information in transit. |
| instance-template-no-public-ip | Require instance templates to disallow public IP addresses | 09.m Network Controls | Networks shall be managed and controlled in order to protect the organization from threats and to maintain security for the systems and applications using the network, including information in transit. |
| bucket-uniform-access | Require Cloud Storage buckets to have uniform bucket-level access enabled | 09.m Network Controls | Networks shall be managed and controlled in order to protect the organization from threats and to maintain security for the systems and applications using the network, including information in transit. |
| cloud-armor | Require public-facing applications to have Cloud Armor protection | 09.m Network Controls | Networks shall be managed and controlled in order to protect the organization from threats and to maintain security for the systems and applications which use the network, and to protect information in transit. |
| cloud-cdn-armor | Require Cloud CDN to have Cloud Armor configuration for DDoS protection | 09.m Network Controls | Networks shall be managed and controlled in order to protect the organization from threats and to maintain security for the systems and applications which use the network, and to protect information in transit. |
| database-network-access | Enforce strict network access controls for database resources | 09.m Network Controls | Networks shall be managed and controlled in order to protect the organization from threats and to maintain security for the systems and applications which use the network, and to protect information in transit. |
| firewall-no-http-ingress | Require firewall rules to disallow inbound HTTP traffic from unauthorized sources | 09.m Network Controls | Networks shall be managed and controlled in order to protect the organization from threats and to maintain security for the systems and applications which use the network, and to protect information in transit. |
| firewall-no-public-ingress | Require firewall rules to disallow public internet ingress unless specifically authorized | 09.m Network Controls | Networks shall be managed and controlled in order to protect the organization from threats and to maintain security for the systems and applications which use the network, and to protect information in transit. |
| subnetwork-flow-logs | Require subnetworks to have flowLogsConfig enabled | 09.z Publicly Available Information | Information shall be protected from unauthorized disclosure or modification to protect the organization from malicious attacks or unauthorized access attempts. |
| load-balancer-logging | Require Cloud Load Balancers to configure access logging | 09.z Publicly Available Information | Information shall be protected from unauthorized disclosure or modification to protect the organization from malicious attacks or unauthorized access attempts. |
| cloud-build-logging | Require Cloud Build triggers to have secure logging configurations | 09.z Publicly Available Information | Information shall be captured and maintained to support monitoring and auditing of security events and system activity. |
| bigtable-change-streams | Require Bigtable tables to have change streams enabled for change tracking | 10.c Control of Internal Processing | Controls shall be in place to ensure the correct processing of information in applications. |
| cloudfunctions-kms-env-vars | Require Cloud Functions environment variables to be encrypted with Cloud KMS | 10.d Message Integrity | Messages shall be protected against unauthorized modification. Integrity controls shall be applied to detect unauthorized modification of information. |
| cloudfunctions-logging | Require Cloud Functions to have logging configuration enabled | 10.e Output Data Validation | Output data shall be validated to ensure that stored data is not corrupted as a result of processing errors or deliberate acts. |
| cloudsql-ssl | Require Cloud SQL connections to use SSL/TLS encryption | 10.f Policy on the Use of Cryptographic Controls | Cryptographic controls shall be used in compliance with all relevant agreements, laws and regulations. |
| persistent-disk-customer-kms | Require Persistent Disks to use customer-managed encryption keys | 10.f Policy on the Use of Cryptographic Controls | Cryptographic controls shall be used in compliance with all relevant agreements, laws and regulations, and with risk management requirements identified through the risk assessment process. |
| kms-key-rotation | Require Cloud KMS keys to have key rotation enabled | 10.f Policy on the Use of Cryptographic Controls | Cryptographic controls shall be used in compliance with all relevant agreements, laws and regulations. |
| bigquery-dataset-kms | Require BigQuery datasets to use customer-managed Cloud KMS keys | 10.f Policy on the Use of Cryptographic Controls | Cryptographic controls shall be used in compliance with all relevant agreements, laws and regulations, and with risk management requirements identified through the risk assessment process. |
| load-balancer-tls | Require Cloud Load Balancers to disallow unencrypted traffic | 10.f Policy on the Use of Cryptographic Controls | Cryptographic controls shall be used in compliance with all relevant agreements, laws and regulations. |
| cloud-cdn-origin-tls | Require Cloud CDN to use secure TLS to origin | 10.f Policy on the Use of Cryptographic Controls | Cryptographic controls shall be used in compliance with all relevant agreements, laws and regulations. |
| dataflow-kms | Require Dataflow jobs and pipelines to use customer-managed Cloud KMS keys | 10.f Policy on the Use of Cryptographic Controls | Cryptographic controls shall be used in compliance with all relevant agreements, laws and regulations, and with risk management requirements identified through the risk assessment process. |
| kms-key-configuration | Require proper Cloud KMS key creation and configuration | 10.f Policy on the Use of Cryptographic Controls | Cryptographic controls shall be used in compliance with all relevant agreements, laws and regulations. |
| instance-template-customer-kms | Require instance templates to use customer-managed Cloud KMS keys for disk encryption | 10.f Policy on the Use of Cryptographic Controls | Cryptographic controls shall be used in compliance with all relevant agreements, laws and regulations, and with risk management requirements identified through the risk assessment process. |
| artifactregistry-customer-kms | Require Artifact Registry repositories to use customer-managed Cloud KMS keys for encryption | 10.f Policy on the Use of Cryptographic Controls | Cryptographic controls shall be used in compliance with all relevant agreements, laws and regulations, and with risk management requirements identified through the risk assessment process. |
| filestore-customer-kms | Require Filestore instances to use customer-managed Cloud KMS keys for encryption | 10.f Policy on the Use of Cryptographic Controls | Cryptographic controls shall be used in compliance with all relevant agreements, laws and regulations. |
| secretmanager-customer-kms | Require Secret Manager secrets to use customer-managed Cloud KMS keys | 10.f Policy on the Use of Cryptographic Controls | Cryptographic controls shall be used in compliance with all relevant agreements, laws and regulations. |
| kms-key-lifecycle | Require proper Cloud KMS key deletion and lifecycle management | 10.f Policy on the Use of Cryptographic Controls | Cryptographic controls shall be used in compliance with all relevant agreements, laws and regulations. |
| artifactregistry-immutable-images | Require Artifact Registry repositories to disallow mutable images for security and compliance | 10.h Control of Operational Software | There shall be restrictions on the installation of software by users. Controls shall be in place to restrict access to program source code. |
| cloudfunctions-runtime-versions | Restrict Cloud Functions to approved runtime versions only | 10.h Control of Operational Software | There shall be restrictions on the installation of software by users. Controls shall be in place to restrict access to program source code. |
| cloudsql-patching | Require Cloud SQL instances to use managed service patching | 10.k Change Control Procedures | Change control procedures shall be established to ensure adequate assessment and authorization of all changes to information processing facilities. |
| compute-osconfig-vulnerability | Require OS Config agent for vulnerability management on compute instances | 10.m Control of Technical Vulnerabilities | Vulnerabilities shall be identified and associated with risk levels. Technical vulnerabilities of information systems shall be managed in a timely fashion. |
| bucket-multi-region | Require Cloud Storage buckets to have multi-region replication for business continuity | 12.a Including Information Security in the Business Continuity Management | Information security continuity shall be embedded in the organization’s business continuity management systems. |
| cloudsql-backup | Require Cloud SQL instances to have backup retention enabled | 12.a Including Information Security in the Business Continuity Management | Information security continuity shall be embedded in the organization’s business continuity management systems. |
| cloudsql-high-availability | Require Cloud SQL instances to have high availability configuration across zones | 12.a Including Information Security in the Business Continuity Management | Information security continuity shall be embedded in the organization’s business continuity management systems. |
| pubsub-dead-letter-queue | Require Pub/Sub subscriptions to have dead letter queue configuration | 12.a Including Information Security in the Business Continuity Management | Information security continuity shall be embedded in the organization’s business continuity management systems. |
| cloud-tasks-retry-configuration | Require Cloud Tasks queues to have proper retry configuration for business continuity | 12.a Including Information Security in the Business Continuity Management | Information security continuity shall be embedded in the organization’s business continuity management systems. |
| load-balancer-multi-zone | Require Cloud Load Balancers to be configured across multiple zones for high availability | 12.a Including Information Security in the Business Continuity Management | Information security continuity shall be embedded in the organization’s business continuity management systems. |
| load-balancer-health-checks | Require Cloud Load Balancers to enable health checks for monitoring backend instance health | 12.a Including Information Security in the Business Continuity Management | Information security continuity shall be embedded in the organization’s business continuity management systems. |
| firestore-pitr | Require Firestore databases to have Point-In-Time Recovery (PITR) enabled for business continuity | 12.a Including Information Security in the Business Continuity Management | Information security continuity shall be embedded in the organization’s business continuity management systems. |
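The table states what each policy requires but not how such a requirement is decided against a resource's configuration. The following Python is an added example, not the pack's own code: it evaluates four of the checks above (compute-no-public-ip, cloudsql-private-ip, bucket-uniform-access, firewall-ssh-rdp) over resource records shaped like Pulumi's GCP provider inputs. The type tokens and property names are assumed from that provider, and the sample stack is constructed. The Cloud SQL check treats an omitted `ipv4Enabled` as true, because that is the provider default, so a database with no `ipConfiguration` block at all is flagged rather than silently passed.

```python
"""Property-level checks in the spirit of four policies listed above.

Added example, not the Pulumi pack's own code. Type tokens and property names
follow the Pulumi GCP provider's input shapes (assumption).
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Callable, Optional


@dataclass(frozen=True)
class Violation:
    policy: str
    resource: str
    message: str


def _port_range_covers(spec: str, port: int) -> bool:
    """True if a firewall port spec such as "22" or "1-65535" includes `port`."""
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)


def compute_no_public_ip(name: str, props: dict) -> Optional[Violation]:
    # An external address is modelled as an accessConfigs entry on a NIC;
    # an empty or missing list means the instance is internal-only.
    for nic in props.get("networkInterfaces") or []:
        if nic.get("accessConfigs"):
            return Violation("compute-no-public-ip", name, "NIC has an external access config")
    return None


def cloudsql_private_ip(name: str, props: dict) -> Optional[Violation]:
    ip_cfg = (props.get("settings") or {}).get("ipConfiguration") or {}
    # ipv4Enabled defaults to true in the provider, so an omitted block is a public instance.
    if ip_cfg.get("ipv4Enabled", True):
        return Violation("cloudsql-private-ip", name, "ipv4Enabled is true (public IP)")
    if not ip_cfg.get("privateNetwork"):
        return Violation("cloudsql-private-ip", name, "no privateNetwork configured")
    return None


def bucket_uniform_access(name: str, props: dict) -> Optional[Violation]:
    # With uniform access off, legacy object ACLs still grant access outside IAM.
    if not props.get("uniformBucketLevelAccess", False):
        return Violation("bucket-uniform-access", name, "uniformBucketLevelAccess must be true")
    return None


def firewall_ssh_rdp(name: str, props: dict) -> Optional[Violation]:
    if props.get("direction", "INGRESS") != "INGRESS":
        return None
    if not ({"0.0.0.0/0", "::/0"} & set(props.get("sourceRanges") or [])):
        return None  # not internet-reachable; out of scope for this check
    for allow in props.get("allows") or []:
        proto = str(allow.get("protocol", "")).lower()
        ports = allow.get("ports") or []
        if proto == "all" or (proto == "tcp" and not ports):
            return Violation("firewall-ssh-rdp", name, f"{proto} open to the internet on all ports")
        if proto == "tcp" and any(_port_range_covers(p, 22) or _port_range_covers(p, 3389) for p in ports):
            return Violation("firewall-ssh-rdp", name, "tcp/22 or tcp/3389 open to the internet")
    return None


CHECKS: dict[str, Callable[[str, dict], Optional[Violation]]] = {
    "gcp:compute/instance:Instance": compute_no_public_ip,
    "gcp:sql/databaseInstance:DatabaseInstance": cloudsql_private_ip,
    "gcp:storage/bucket:Bucket": bucket_uniform_access,
    "gcp:compute/firewall:Firewall": firewall_ssh_rdp,
}


def evaluate(resources: list[dict]) -> list[Violation]:
    """Run the applicable check over each {type, name, props} record; collect violations in order."""
    found = []
    for r in resources:
        check = CHECKS.get(r["type"])
        if check:
            v = check(r["name"], r.get("props") or {})
            if v:
                found.append(v)
    return found


# Constructed sample stack: one passing and one failing resource per type.
SAMPLE_RESOURCES = [
    {"type": "gcp:compute/instance:Instance", "name": "vm-internal",
     "props": {"networkInterfaces": [{"network": "default"}]}},
    {"type": "gcp:compute/instance:Instance", "name": "vm-public",
     "props": {"networkInterfaces": [{"network": "default", "accessConfigs": [{}]}]}},
    {"type": "gcp:sql/databaseInstance:DatabaseInstance", "name": "db-private",
     "props": {"settings": {"ipConfiguration": {"ipv4Enabled": False,
                                                  "privateNetwork": "projects/p/global/networks/vpc"}}}},
    {"type": "gcp:sql/databaseInstance:DatabaseInstance", "name": "db-default",
     "props": {"settings": {"tier": "db-f1-micro"}}},  # no ipConfiguration: public by default
    {"type": "gcp:storage/bucket:Bucket", "name": "bkt-uniform",
     "props": {"uniformBucketLevelAccess": True}},
    {"type": "gcp:storage/bucket:Bucket", "name": "bkt-acl", "props": {"location": "US"}},
    {"type": "gcp:compute/firewall:Firewall", "name": "fw-bastion",
     "props": {"sourceRanges": ["10.0.0.0/8"], "allows": [{"protocol": "tcp", "ports": ["22"]}]}},
    {"type": "gcp:compute/firewall:Firewall", "name": "fw-open-rdp",
     "props": {"sourceRanges": ["0.0.0.0/0"], "allows": [{"protocol": "tcp", "ports": ["3000-4000"]}]}},
]

if __name__ == "__main__":
    for v in evaluate(SAMPLE_RESOURCES):
        print(f"{v.policy}: {v.resource}: {v.message}")
```

Run stand-alone, the script reports `vm-public`, `db-default`, `bkt-acl` and `fw-open-rdp` and stays silent on the four compliant resources. The firewall check deliberately flags a rule that opens tcp/3000-4000 to the world, since 3389 falls inside that range; a check that only compared port strings against "22" and "3389" would miss it. In a real policy pack these functions would be wrapped in the policy SDK's resource validation hooks, which is left out here so the example runs without the Pulumi packages.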