Remediation Guidelines for Google Providers

This document describes Google's expectations for remediation of issues discovered during our vendor security assessment process. Google takes the security of data very seriously, and will always try to ensure that projects are completed in the most secure way possible. We appreciate the assistance of our vendors to achieve this goal.

The guidelines outlined in this document reflect our expectations for average projects. We reserve the right to maintain stricter requirements for projects that handle sensitive data or otherwise are considered higher risk.

Summary

After the questionnaire(s) relating to the project are completed, there may be a requirement to remediate some gaps in your security and privacy controls. During the assessment process, we will note any findings or action items with the Resolution Console (see example screenshot below).

An example of the appearance of the resolution console showing information such as details, documents, and the review status

The identified findings have one of four classifications (P0-P3). Depending on the classification, Google has different expectations regarding if and when the respective issues must be remediated (marked as Blocker/Non-Blocker):

For more information on responding to findings in the Resolution Console, see Structured Responses.


Details

Critical [P0] Issues

Critical issues are defined as issues that:

  • expose PII/SPII,
  • result in server compromise,
  • represent serious threat to uptime, users, data, reputation, services or networks,
  • indicate severe shortcomings in a company's security program.

Google expects critical issues to be addressed before the engagement commences. In cases where the engagement includes the sharing of data, these issues need to be addressed, or compensating controls implemented, before any data is shared. Fixing these issues is required for the Google Security Team to recommend proceeding with the engagement.

Failure to remediate P0 issues can have a negative impact on the current project and future engagements with Google.

High [P1] Severity Issues

High severity issues are defined as issues that:

  • can be used as part of an attack that results in exposed PII/SPII,
  • have increased complexity to exploit, but would result in a serious threat to uptime, users, data, reputation, services or networks,
  • are caused by missing or weak security controls that we consider important.

High severity issues are typically expected to be addressed within 90 days of the engagement starting. We expect our vendors to outline to us how they are planning to address these issues, and when we can expect them to be resolved. High severity issues that are not addressed within the agreed upon timeframe may limit Google's ability to progress on the project. In some cases Google may request high severity issues to be addressed prior to starting an engagement if we feel that data is at risk as a result of the number or type of issues identified.

Failure to remediate P1 issues can have a negative impact on long-term engagements and future engagements with Google.

Medium [P2] Severity Issues

Medium severity issues are defined as issues that:

  • have some impact, but would not expose sensitive data, interrupt important services or cause long-term harm,
  • are of a more theoretical nature, or can only be used alongside other security issues,
  • are caused by missing or weak security controls that we consider good to have.

Vendors are encouraged to address these issues to improve their security. Recurring or long-term projects may require these issues to be put in place prior to contract renewal/extension.

Informational [P3] Issues

Informational issues are defined as issues that:

  • have minimal impact with no risk of sensitive information leakage,
  • are missing defence-in-depth measures.

Although those issues are purely informational, resolving them will further increase the Vendors' security.


Structured Responses

When responding to actionable issues, a dropdown list allows you to select the type of control that is in place to address the issue. The following options are available:

  • Pending – This is the default status.
  • Resolved – If the item has been fully resolved, select this option. Add a comment describing the fix where appropriate (verification by a Google Security Engineer pending).
  • Verified (usage reserved)
  • Won't fix –  If the issue is not intended to / cannot be fixed, select this option.
  • Mitigated technical control – If there is a technical control that will be put in place to mitigate the issue, select this option. A Google Security Engineer will evaluate the control and respond accordingly.
  • Mitigated policy control –  If there is a policy control that will be put in place to mitigate the issue, select this option. A Google Security Engineer will evaluate the control and respond accordingly.
  • Question unclear – If a question in one of the questionnaires was unclear, select this option.
  • Verifier rejected (usage reserved)
  • Fix by – Select the date by when you expect the issue to be fixed.
  • Other – If none of the other options are suitable, select this option.

Was this helpful?

How can we improve it?

Need more help?

Try these next steps:

Search
Clear search
Close search
Main menu
12272090951841895072
true
Search Help Center
true
true
true
true
true
5186267
false
false