Google Vendor Security Assessment (VSA) Process

This page describes the Vendor[1] Security Assessment process at Google.

The process outlined in this document reflects our expectations for standard projects. We reserve the right to maintain stricter requirements for projects that handle particularly sensitive data or are otherwise considered higher risk.

[1] In this context, "vendor" is used as a placeholder and can refer to: vendors, suppliers, or partners.


High-Level Process

Google's security review process involves a number of steps depending on the type of engagement and the specific work that you will be performing. At a high level, the following steps will be followed in order to ensure the security and privacy of sensitive data, systems, and integration points:


Details

Questionnaires

Depending on the type of project, and sensitivity of data, Google may request that you complete one or more security questionnaires to better gauge your overall security posture and risk profile for the project. These questionnaires will produce findings[2] within the shared resolution console for issues that are of high-risk nature.

Questionnaires are split into multiple categories, based on the type of project, sensitivity of data, and integration points with existing systems.

[2] Findings are subject to our remediation guidelines.

Vendor Questionnaire

Why is this important?

The information obtained through the vendor questionnaire allows our engineers to understand where potential gaps may exist in your security program, and if they could lead to leaks or other unexpected security vulnerabilities. It is important to note that even though the project may not directly involve areas of the organization that we are asking questions about, the security of the whole organization is key to protecting sensitive data and preventing security incidents. Security cannot exist in isolation, and is an important part of the culture of an organization. Completion of this questionnaire is mainly the responsibility of the Google Vendor contact (Vendor organization employee).

Project Questionnaire

The Project Security questionnaire is designed to collect information surrounding the security and privacy of the project, or integration being performed as part of this project. This questionnaire includes details about your web application security practices, storage of data, and other technical security controls that relate to the project. Completion of this questionnaire is mainly the responsibility of your Google project contact (Google employee).

Why is this important?

The information obtained through the project security questionnaire helps us to better understand and evaluate the protections and controls directly relating to the project. These controls are often more technical in nature, and deal specifically with the project being evaluated. Where the vendor security practices questionnaire focuses in part on the organizational aspects of security and privacy, the project security questionnaire dives deeper into the areas of the specific project.

Remediation

After the questionnaire(s) relating to the project are completed, there may be a requirement to remediate some gaps in your security and privacy controls. During the remediation, we will note any findings or action items within the shared resolution console (see example screenshot below).

[Screenshot: an example of the resolution console, showing information such as details, documents, and the review status]

For more detailed guidance on Google's remediation requirements, including information about criticality ratings and timeframes, please see our Remediation Guidelines.

Penetration Testing

Depending on the type of project, Google may request that you share results from your most recent third-party penetration test(s). The exact coverage of these tests depends on the project; however, the scope of the penetration test must include all infrastructure used as part of the project.

Testing usually falls into one or more of the following areas:

  • Infrastructure penetration testing
    • e.g., public-facing IP ranges, server security, etc.
  • Application penetration testing
    • e.g., web application, API/REST interface, Chrome Extension testing, etc.

In some cases, certifications and compliance attestation received by the vendor might replace the need for a penetration test. For more detailed guidance on Google's penetration test requirements, including information about scoping and testing methodology, please see our Testing Guidelines.

Additional Testing

In some circumstances the Google Security Team may need to perform some level of in-house security testing on systems or integrations involved in the project you are undertaking. These reviews are designed to focus on integrations and ensure security and privacy of systems where we class the project as high risk. In these cases our internal security team will work with the internal Google contact managing the project to request access to a testing or staging instance, and work with you to arrange testing accounts and the required level of access. As with the questionnaire process, the security team will surface any issues that should be addressed through the resolution console for the project.

Design Review

Depending on the type of project, Google may need to review the design of any interaction or integrations that are planned. In most cases this will happen transparently and is handled internally as part of our internal review process. You may, however, be asked to provide input and confirm technical information about your systems as questions arise during this process. Requests for information will come through the Google contact managing the project.

Contractual Protections

In instances where sensitive data or system integrations are involved, the project team may need to confirm that contractual protections are in place to provide appropriate compliance, protections, and guarantees.

The contractual protections cover areas including:

  • Appropriate monitoring, logging and retention of log data
  • Appropriate hardening and defense-in-depth
  • Processes and controls for data handling and sharing
  • Regular security testing and third-party penetration testing
  • etc.

This portion of the process sits outside the oversight of Google's Security and Privacy team. For more information, please contact the Google contact who is managing the project.
