Certification Summary | Google Apps for Work

Google Security Audits and Certifications

At Google, ensuring the security of our users is a top priority, and we are constantly assessing how we can make our services even more secure. Google regularly undergoes independent verification of security, privacy and compliance controls. This means an independent auditor examines the controls present in our data centers, infrastructure and operations. These audits and certifications by accredited third-party auditors help verify the data protection technologies and processes Google is using, and show our commitment to protecting user data. Among the certifications that Google Apps for Work, Google Drive for Work (Google Apps Unlimited) and Google Apps for Education have achieved are ISO 27001, ISO 27018, SOC 2 and SOC 3. In this paper we will provide additional details about those certifications and audits.

International Standards Organization (ISO) 27001 Certification

International Standards Organization (ISO) 27001 Certification is a widely recognized, internationally accepted independent security standard. Google’s ISO 27001:2013 certification covers the systems, applications, people, technology, processes and data centers supporting Google Apps for Work and Google Apps for Education editions. Google’s compliance with the ISO 27001 standard was certified by EY CertifyPoint, an ISO certification body accredited by the Dutch Accreditation Council, a member of the International Accreditation Forum (IAF). Certificates issued by EY CertifyPoint are recognized as valid certificates in all countries with an IAF membership. [1]

The ISO 27001 certification is composed of 114 controls. Highlights of Google’s certification include certifying:

• Information security policies
• Physical and environmental security
• Organization of information security
• Operations security
• Asset management
• Logical security
• Access control
• Incident management
• Cryptography

Auditors: EY CertifyPoint

Issue Date: April 15, 2015

International Standards Organization (ISO) 27018

ISO/IEC 27018:2014 establishes commonly accepted control objectives, controls and guidelines for implementing measures to protect Personally Identifiable Information (PII) in a public cloud computing environment. The standard provides further implementation guidance on 14 of the 114 controls in ISO 27002 and contains 25 additional controls specifically focused on the processing of PII. EY has verified Google’s assertion that the privacy practices and contractual commitments for Google Apps for Work and Google Apps for Education meet the objectives defined by ISO/IEC 27018:2014.

Issue Date: July 15, 2015

[1] IAF Member Countries

SOC 2 Type II and SOC 3 Audits

A Service Organization Control (SOC) report has a predefined set of principles and related criteria that are defined by the American Institute of Certified Public Accountants (AICPA) and must be met to achieve an unqualified report. The criteria for SOC 2 are widely recognized. The SOC 3 report asserts publicly that Google Apps for Work is in conformity with the AICPA criteria for security, availability, process integrity and confidentiality.

Auditors: EY LLP

EY issued an unqualified opinion with zero exceptions on any control objectives or control activities during the period covered for the report for Google Apps for Work, Google Drive for Work (Google Apps Unlimited) and Google Apps for Education.

The principles covered in the reports include:

• Security: The system is protected against unauthorized access (physical and logical).
• Availability: The system has mechanisms to prevent or quickly correct any service outages, including redundant sites that are in place for business continuity and backup and recovery of customer data.
• Processing Integrity: The system performs as you expect it to. Data is preserved to be the way you left it the last time you logged on.
• Confidentiality: The system has controls so data that is stored in the cloud is shared with only the people you wish to share it with.

Major control objectives and control activities covered by the audit include the following:

• Logical security controls provide reasonable assurance that logical access to production systems is restricted to authorized individuals.
• Data center physical security controls provide reasonable assurance that Google data centers and corporate offices are protected.
• Incident management controls provide reasonable assurance that problems and/or incidents are properly responded to, recorded, investigated and resolved.
• Change management controls provide reasonable assurance that application and configuration changes are tracked, approved, tested and validated.
• Organization and administration controls provide reasonable assurance that management provides the infrastructure and mechanisms to track and communicate initiatives, monitor compliance within the company and provide security training for the risks that impact Google.
• System availability controls provide reasonable assurance that redundant sites are in place for services and recovery of customer data is possible.

Time period covered: 1 May 2014 to 30 April 2015 [2]

Updated: September 2015

[2] Due to the nature of SOC, these audits will always reflect a time frame that has passed. Audit reports measure point-in-time controls, so though the audit date may be in the past, this audit is current and has not expired.

Google Apps for Work and Google Apps for Education security audits and certification summary.

Products and Services Covered

• Google Drive
• Google Hangouts
• Gmail
• Google Calendar
• Google Docs
• Google Sheets
• Google Slides
• Google Apps Vault
• Google Sites
• Google Admin console [3]
• Google Contacts
• Google Apps Script
• Google+
• Google Now
• Google Groups
• Google Talk
• Google Classroom (Google for Education)
• Apps Script
• Directory API [4]
• Reports API [5]
• SAML Based SSO API

[3] Formerly Control Panel
[4] Formerly Directory Sync, and Provisioning API
[5] Formerly Reporting API, and Audit API

© 2015 Google Inc. All rights reserved. Google and the Google logo are trademarks of Google Inc. All other company and product names may be trademarks of the respective companies with which they are associated. DS2030-1210
