Add Data at Rest processing policy to Common Controls baseline #434

Merged
merged 7 commits into from
Oct 1, 2024
22 changes: 22 additions & 0 deletions baselines/commoncontrols.md
Expand Up @@ -1078,6 +1078,20 @@ The data storage region SHALL be set to be the United States for all users in th
- [T1537: Transfer Data to Cloud Account](https://attack.mitre.org/techniques/T1537/)

#### GWS.COMMONCONTROLS.15.2v0.3
Data SHALL be processed in the region selected for data at rest.

- _Rationale:_ Without this policy, data could be processed in a region other than the United States, potentially exposing it unauthorized entities. Implementing this policy allows for data sovereignty over organizational data.
- _Last modified:_ September 20, 2024

- MITRE ATT&CK TTP Mapping
- [T1591: Gather Victim Organization Information](https://attack.mitre.org/techniques/T1591/)
- [T1591:001: Gather Victim Organization Information: Determine Physical Location](https://attack.mitre.org/techniques/T1591/001/)
- [T1530: Data from Cloud Storage](https://attack.mitre.org/techniques/T1530/)
- [T1537: Transfer Data to Cloud Account](https://attack.mitre.org/techniques/T1537/)
- [T1567: Exfiltration Over Web Service](https://attack.mitre.org/techniques/T1567/)
- [T1567:002: Exfiltration Over Web Service: Exfiltration to Cloud Storage](https://attack.mitre.org/techniques/T1567/002/)

#### GWS.COMMONCONTROLS.15.3v0.3
The supplemental data storage region SHALL NOT be set to 'Russian Federation'.

- _Rationale:_ This policy is aligned with the concept of sovereignty, taking into account geopolitical and USG national security concerns. Keeping data out of Russia helps prevent official data from being subject to Russian law.
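Review bot: the rationale for GWS.COMMONCONTROLS.15.2v0.3 is missing a word: "potentially exposing it unauthorized entities" should read "potentially exposing it to unauthorized entities". In the same block, the sub-technique entries "T1591:001" and "T1567:002" use a colon where MITRE ATT&CK writes sub-technique IDs with a dot (T1591.001, T1567.002), which also matches the URL paths given on those lines (https://attack.mitre.org/techniques/T1591/001/, https://attack.mitre.org/techniques/T1567/002/); the parent entries T1591, T1530, T1537 and T1567 are fine as written. Optionally, the rationale speaks of "a region other than the United States" while the control text says "the region selected for data at rest"; wording it as "a region other than the one selected for data at rest (the United States, per 15.1)" would keep the two statements consistent.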
Expand Down Expand Up @@ -1106,6 +1120,14 @@ To configure Data Regions per the policy:
6. Click **Save**.

#### GWS.COMMONCONTROLS.15.2v0.3 Instructions
1. Sign in to the [Google Admin console](https://admin.google.com) as an administrator.
2. Navigate to **Data** -\> **Compliance** -\> **Data Regions**.
3. Click the **Region** card.
4. Click the **Data processing** card.
5. Select the radio button option: "**Process data in the region selected for data at rest**".
6. Click **Save**.

#### GWS.COMMONCONTROLS.15.3v0.3 Instructions
To configure Supplemental Data Storage per the policy:
1. Sign in to the [Google Admin console](https://admin.google.com) as an administrator.
2. Navigate to **Account** -> **Account settings**.
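Review bot: the new "GWS.COMMONCONTROLS.15.2v0.3 Instructions" block has no introductory sentence, while the neighbouring 15.1 and 15.3 blocks open with "To configure Data Regions per the policy:" and "To configure Supplemental Data Storage per the policy:"; add a matching lead (for example "To configure Data Processing per the policy:") before step 1. Also, step 2 of the new block escapes the arrows as `-\>` whereas step 2 of the 15.3 block a few lines below writes `->`; both render as an arrow in Markdown, so pick one form for the whole file.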
Expand Up @@ -32,7 +32,8 @@ GWS.COMMONCONTROLS.12.1v0.3,Google Takeout services SHALL be disabled for users.
GWS.COMMONCONTROLS.13.1v0.3,"Required system-defined alerting rules, as listed in the Policy section, SHALL be active, with alerts enabled when available. Any system-defined rules not are considered optional but ought to be reviewed for consideration.",Admin Log Event,System Defined Rule Updated,N/A,N/A,rules/00gjdgxs1x4hrff,Needs Manual Verification of Status
GWS.COMMONCONTROLS.14.1v0.3,The following critical logs SHALL be sent at a minimum.,Admin Log Event,Change Application Setting,"Data Sharing Settings between GCP and Google Workspace ""Sharing Options""",ENABLED,rules/00gjdgxs0yu1jgq,JK 09-19-23 @ 06:40
GWS.COMMONCONTROLS.15.1v0.3,"The data storage region SHALL be set to be the United States for all users in the agency's GWS environment.",Admin Log Event,Change Application Setting,Location Policy,US,rules/00gjdgxs2k8ieyq,JK 12-05-23 @ 15:57
GWS.COMMONCONTROLS.15.2v0.3,"The supplemental data storage region SHALL NOT be set to 'Russian Federation'.",Admin Log Event,Change Data Localization for Russia,N/A,false,rules/00gjdgxs3rufh17,Not Tested
GWS.COMMONCONTROLS.15.2v0.3,"Data SHALL be processed in the region selected for data at rest.",Admin Log Event,Create Application Setting,DataProcessingRequirementsProto limit_to_storage_location,true,N/A,MD 09-20-24 @ 15:57
GWS.COMMONCONTROLS.15.3v0.3,"The supplemental data storage region SHALL NOT be set to 'Russian Federation'.",Admin Log Event,Change Data Localization for Russia,N/A,false,rules/00gjdgxs3rufh17,Not Tested
GWS.COMMONCONTROLS.16.1v0.3,"Service status for Google services that do not have an individual control SHOULD be set to OFF for everyone.",Admin Log Event,Toggle Service Enabled,DISABLE_UNLISTED_SERVICES, true, N/A, MD 09-12-2024 @ 11:12
GWS.COMMONCONTROLS.16.2v0.3,"Early Access Apps Service Status SHOULD be set to OFF for everyone.", Admin Log Event,Toggle Service Enabled,Early Access Apps, false, N/A, MD 09-12-2024 @ 11:16
GWS.COMMONCONTROLS.17.1v0.3,"Require multi party approval for sensitive admin actions SHALL be enabled.", Admin Log Event, Change Application Setting, Multi Party Approval (MPA) Control Multi Party Approval Control, enabled, N/A, MD 09-12-2024 @ 11:20
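Review bot: the new row for GWS.COMMONCONTROLS.15.2v0.3 records the log event as "Create Application Setting", while the neighbouring application-setting rows (14.1, 15.1, 17.1) all use "Change Application Setting"; confirm that the admin log really emits a Create event when the data-processing radio button is switched, since a reviewer would expect a Change event once the setting exists, and the event name is what any automated check of this row would key on. Separately, because this hunk moves the Russian Federation control from the 15.2 identifier to 15.3 (the old 15.2 row is replaced and a 15.3 row is added with the same rule ID rules/00gjdgxs3rufh17), anything elsewhere that still references GWS.COMMONCONTROLS.15.2v0.3 now points at the data-processing control instead; check that those references were updated in the other commits of this PR. Minor: the date in the last column is written "09-20-24" while the 16.x and 17.1 rows use the four-digit year form "09-12-2024".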