
Google Vendor Security Assessment (VSA) Process

This page describes the Vendor[1] Security Assessment process at Google.

The process outlined in this document reflects our expectations for standard projects. We reserve the right to maintain stricter requirements for projects that handle particularly sensitive data or are otherwise considered higher risk.

[1] In this context, "vendor" is used as a placeholder and can refer to vendors, suppliers, or partners.


High-Level Process

Google's security review process involves a number of steps, depending on the type of engagement and the specific work that you will be performing. At a high level, the following steps are followed in order to ensure the security and privacy of sensitive data, systems, and integration points:


Details

Questionnaires

Depending on the type of project and the sensitivity of the data involved, Google may request that you complete one or more security questionnaires to better gauge your overall security posture and your risk profile for the project. Answers that reveal issues of a high-risk nature produce findings[2] in the shared resolution console.

Questionnaires are split into multiple categories, based on the type of project, sensitivity of data, and integration points with existing systems.

[2] Findings are subject to our remediation guidelines.

Vendor Questionnaire

Why is this important?

The information obtained through the vendor questionnaire allows our engineers to understand where potential gaps may exist in your security program, and whether they could lead to data leaks or other unexpected security vulnerabilities. It is important to note that even though the project may not directly involve the areas of your organization that we ask about, the security of the whole organization is key to protecting sensitive data and preventing security incidents. Security cannot exist in isolation; it is an important part of an organization's culture. Completion of this questionnaire is mainly the responsibility of the Google Vendor contact (an employee of the vendor organization).

Project Questionnaire

The Project Security questionnaire is designed to collect information about the security and privacy of the project, or of the integration being performed as part of it. It covers your web application security practices, how and where data is stored, and the other technical security controls that relate to the project. Completion of this questionnaire is mainly the responsibility of your Google project contact (a Google employee).

Why is this important?

The information obtained through the project security questionnaire helps us to better understand and evaluate the protections and controls that relate directly to the project. These controls are usually more technical in nature and deal specifically with the project being evaluated. Where the vendor questionnaire focuses in part on organizational aspects of security and privacy, the project security questionnaire dives deeper into the specifics of the project itself.

Remediation

After the questionnaire(s) relating to the project are completed, you may be required to remediate gaps in your security and privacy controls. During remediation, we record each finding and action item in the shared resolution console (see the example screenshot below).

[Screenshot: an example of the resolution console, showing a finding's details, attached documents, and its review status]

For more detailed guidance on Google's remediation requirements, including information about criticality ratings and timeframes, please see our Remediation Guidelines.

Penetration Testing

Depending on the type of project, Google may request that you share the results of your most recent third-party penetration test(s). The exact coverage of these tests depends on the project; however, the scope of the penetration test must include all infrastructure used as part of the project.

Testing usually falls into one or more of the following areas:

  • Infrastructure penetration testing
    • e.g., public-facing IP ranges, server security, etc.
  • Application penetration testing
    • e.g., web applications, API/REST interfaces, Chrome Extensions, etc.

In some cases, certifications and compliance attestations held by the vendor may replace the need for a penetration test. For more detailed guidance on Google's penetration test requirements, including information about scoping and testing methodology, please see our Testing Guidelines.

Additional Testing

In some circumstances, the Google Security Team may need to perform some level of in-house security testing on the systems or integrations involved in the project you are undertaking. These reviews focus on integrations and on the security and privacy of systems where we class the project as high risk. In these cases our internal security team will work with the Google contact managing the project to request access to a testing or staging instance, and will work with you to arrange test accounts and the required level of access. As with the questionnaire process, the security team surfaces any issues that should be addressed through the project's resolution console.

Design Review

Depending on the type of project, Google may need to review the design of any planned interactions or integrations. In most cases this happens transparently to you, as part of our internal review process. You may, however, be asked to provide input and to confirm technical information about your systems as questions arise during the review. Requests for information will come through the Google contact managing the project.

Contractual Protections

Where sensitive data or system integrations are involved, the project team may need to put contractual protections in place to guarantee appropriate compliance and safeguards.

The contractual protections cover areas including:

  • Appropriate monitoring, logging and retention of log data
  • Appropriate hardening and defense in depth
  • Processes and controls for data handling and sharing
  • Regular security testing and third-party penetration testing
  • etc.

This portion of the process sits outside the oversight of Google's Security and Privacy team. For more information, please contact the Google contact who is managing the project.
