This page describes the Vendor¹ Security Assessment (VSA) process at Google.
¹ In this context, "vendor" is used as a placeholder and can refer to vendors, suppliers, or partners.
High-Level Process
Google's vendor security assessment process involves a number of steps, depending on the type of engagement and the specific work you will be performing. At a high level, the steps described under Details below are followed to ensure the security and privacy of sensitive data, systems, and integration points.
SecurityScorecard
Google uses an external company, SecurityScorecard, to conduct part of the VSA process. As you go through the VSA process, you may be contacted by SecurityScorecard.
Details
Questionnaires
Depending on the type of project and the sensitivity of the data involved, Google may ask you to complete one or more security questionnaires so that we can gauge your overall security posture and the risk profile of the project. Answers that indicate high-risk issues are recorded as findings² in the shared resolution console.
Questionnaires are split into multiple categories, based on the type of project, sensitivity of data, and integration points with existing systems.
² Findings are subject to our Remediation Guidelines.
Vendor Questionnaire
Why is this important?
The information obtained through the vendor questionnaire allows our engineers to understand where gaps may exist in your security program and whether they could lead to data leaks or other security vulnerabilities. Even though the project may not directly involve the areas of your organization we ask about, the security of the whole organization is key to protecting sensitive data and preventing security incidents: security cannot exist in isolation, and it is an important part of an organization's culture. This questionnaire should be completed by a security contact at the vendor organization.
Project Questionnaire
The project security questionnaire is designed to collect information about the security and privacy of the project or integration being performed. It covers your web application security practices, how data is stored, and other technical security controls that relate to the project. Completing this questionnaire is mainly the responsibility of the Google Vendor Manager.
Why is this important?
The information obtained through the project questionnaire helps us evaluate the protections and controls that relate directly to the project. These controls are usually more technical in nature and specific to the project being evaluated. Where the vendor questionnaire focuses on organization-wide security and privacy, the project questionnaire dives deeper into the specific project.
Remediation
After the questionnaire(s) for the project are completed, you may be required to remediate gaps in your security and privacy controls. During remediation, findings and action items are recorded in the shared resolution console (see example screenshot below).
For more detailed guidance on Google's remediation requirements, including information about criticality ratings and timeframes, please see our Remediation Guidelines.
Penetration Testing
Depending on the security documentation provided, Google may request a penetration test as evidence of your company's security posture.
Google may require a penetration test of any SaaS application that will be used by Google.
For more detailed guidance on Google's penetration test requirements, including information about scoping and testing methodology, please see our Testing Guidelines.
- If an application in scope requires authentication, the third-party vendor must work with the penetration test provider to supply test credentials so that authenticated functionality is covered.
- The scope of the penetration test must include all infrastructure, applications, and endpoints used to provide services to Google, directly or indirectly.
- The majority of the penetration test must use manual testing methods to identify vulnerabilities, rather than relying only on automated scanning.
Security Documentation
Security documentation such as SOC 2 Type II reports, SOC 3 reports, and ISO 27001 certifications may be requested to assess your security controls and better understand your company's infrastructure.
Additional Testing
In some circumstances the Google Security Team may need to perform in-house security testing of systems or integrations involved in the project. These reviews focus on integrations and are performed where we classify the project as high risk. In these cases our internal security team will work with the Google contact managing the project to request access to a testing or staging instance, and will work with you to arrange test accounts and the required level of access. As with the questionnaire process, the security team will record any issues that should be addressed in the resolution console for the project.
Design Review
Depending on the type of project, Google may need to review the design of any planned interactions or integrations. In most cases this happens without your involvement and is handled as part of our internal review process. You may, however, be asked to provide input and to confirm technical information about your systems that arises during the review. Requests for information will come through the Google contact managing the project.
Contractual Protections
Where sensitive data or system integrations are involved, the project team may need to put contractual protections in place so that appropriate compliance, protections, and guarantees are assured.
The contractual protections cover areas including:
- Appropriate monitoring, logging and retention of log data
- Appropriate hardening and defense-in-depth
- Processes and controls for data handling and sharing
- Regular security testing and third-party penetration testing
- Other areas, as required by the project