Accounts
Enforce multifactor authentication
Require 2-Step Verification for users
2-Step Verification helps protect a user account from unauthorized access should someone manage to obtain their password.
Protect your business with 2-Step Verification | Deploy 2-Step Verification
Enforce security keys, at least for admins and other high-value accounts
Security keys are small hardware devices used when signing in that provide second factor authentication that resists phishing.
Deploy 2-Step Verification
Protect passwords
Help prevent password reuse with Password Alert
Use Password Alert to make sure users don't use their corporate passwords on other sites.
Prevent password reuse
Use unique passwords
A good password is the first line of defense to protect user and admin accounts. Unique passwords aren’t easily guessed. Also discourage password
reuse across different accounts, such as email and online banking.
Create a strong password & a more secure account
Help prevent and remediate compromised accounts
Regularly review activity reports and alerts
Review activity reports for account status, admin status, and 2-Step Verification enrollment details.
Account activity reports
Set up admin email alerts
Set up email alerts for potentially risky events, such as suspicious sign-in attempts, compromised mobile devices, or setting changes by another admin.
Admin email alerts
Add user login challenges
Set up login challenges for suspicious login attempts. Users must enter a verification code that Google sends to their recovery phone number or recovery
email address, or they must answer a challenge that only the account owner can solve.
Verify a user’s identity with extra security | Add employee ID as a login challenge
Identify and secure compromised accounts
If you suspect an account may be compromised, suspend the account, investigate for malicious activity, and take action if necessary.
Review mobile devices associated with the account
Use the Email log search to review delivery logs for your domains
Use the Security report to evaluate the exposure of the domain to data security risks.
Verify if any malicious settings were created
Identify and secure compromised accounts
Turn off Google data download as needed
If an account is compromised or the user leaves the company, prevent that user from downloading all their Google data with Google Takeout.
Turn Takeout on or off for user
Prevent unauthorized access after an employee leaves
To prevent data leaks, revoke a user’s access to your organization’s data when they leave.
Maintain data security after an employee leaves
Apps (Google Workspace only)
Review third-party app access to core services
Know and approve which third-party apps can access Google Workspace core services such as
Gmail and Drive.
Control which third-party & internal apps access Google Workspace data
Block access to less secure apps
Less secure apps don’t use modern security standards, such as OAuth, and increase the risk of
accounts or devices being compromised.
Control access to less secure apps
Create a list of trusted apps
Create an allowlist that specifies which third-party apps can access core Google Workspace
services.
Control which third-party & internal apps access Google Workspace data
Control access to Google core services
You can allow or block access to Google apps such as Gmail, Drive, and Calendar based on a
device’s IP address, geographic origin, security policies, or OS. For example, you can allow Drive
for desktop only on company-owned devices in specific countries/regions.
Context-Aware Access overview
Add another layer of encryption to users' apps data
If your organization works with sensitive intellectual property or operates in a highly regulated
industry, you can add client-side encryption to Gmail, Google Drive, Google Meet, and Google
Calendar.
About client-side encryption
Calendar (Google Workspace only)
Limit external calendar sharing
Restrict external calendar sharing to free/busy information only. This reduces the risk of data leaks.
Set calendar visibility and sharing options
Warn users when they invite external guests
By default, Calendar warns users when they invite external guests. This reduces the risk of data
leaks. Make sure this warning is on for all users.
Allow external invitations in Google Calendar events
Google Chat and classic Hangouts (Google Workspace only)
Limit who can chat externally
Allow only the users with a specific need to send messages or create rooms with users outside
your organization. This prevents external users from seeing previous internal discussions and
reduces the risk of data leaks.
Turn on external chat options
Warn users when chatting outside their domain (classic Hangouts only)
Show users a warning when they chat with people outside their domain. When enabled, group chat
conversations are split when the first person from outside the domain is added to the discussion.
This prevents external users from seeing previous internal discussions and reduces the risk of data
leaks.
In Chat, external users and rooms are always marked "External."
Turn on external chat options
Set a chat invitation policy
Determine which users can automatically accept chat invitations based on your organization’s
policy on collaboration.
Automatically accept chat invitations
Chrome browser and Chrome OS devices
Keep Chrome browser and Chrome OS updated
To ensure your users have the latest security patches, allow updates. For Chrome browser, always
allow updates. By default, Chrome OS devices update to the latest version of Chrome when it’s
available. Make sure auto-updates are turned on for all your Chrome OS device users.
Set Chrome policies for users or browsers | Manage updates on Chrome OS devices
Force a relaunch to apply updates
Set Chrome browser and Chrome OS devices to notify users that they need to relaunch their
browsers or restart their devices for the update to apply, and force a relaunch after a set time if the
user doesn’t take action.
Notify users to restart to apply pending updates
Set basic Chrome OS device and Chrome browser policies
Set the following policies in your Google Admin console:
Allow password manager (allowed by default).
Set Safe Browsing to Always enable.
Prevent users from proceeding to malicious sites (don't allow users to bypass Safe Browsing warnings).
Set Chrome policies for users
Set advanced Chrome browser policies
Prevent unauthorized access, dangerous downloads, and data leaks between sites by setting the
following advanced policies:
AllowedDomainsForApps—Allow access to your organization's Google services and tools only
for accounts from the domains you specify.
DownloadRestrictions—Block malicious downloads.
SitePerProcess—Enable so that each site in Chrome browser runs as a separate process. With
this option, even if a site bypasses the same-origin policy, the extra security will help stop the site
from stealing users’ data from another website.
Set Chrome Browser policies on managed PCs | Chrome Browser Enterprise Security
Configuration Guide (Windows)
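As an added example (not Google's code or documentation), the following audits a Chrome managed-policy JSON file, such as the one Chrome reads from its managed-policies directory on Linux, against the basic and advanced policies listed above. The policy names are the real Chrome policy names; the numeric value meanings in EXPECTED are taken from the Chrome policy list and are stated as assumptions, and both policy files are constructed samples.

```python
"""Audit a Chrome managed-policy file against the checklist's basic and
advanced browser policies (added example, not Google's code).

Assumptions about numeric values, from the Chrome policy list:
  SafeBrowsingProtectionLevel  0 = off, 1 = standard, 2 = enhanced
  DownloadRestrictions         3 = block all downloads, 4 = block malicious downloads
"""
import json

# policy name -> (acceptable values, what the checklist wants)
EXPECTED = {
    "PasswordManagerEnabled": ({True}, "password manager allowed"),
    "SafeBrowsingProtectionLevel": ({1, 2}, "Safe Browsing always enabled (1 or 2)"),
    "DisableSafeBrowsingProceedAnyway": ({True}, "users cannot bypass Safe Browsing warnings"),
    "DownloadRestrictions": ({3, 4}, "malicious downloads blocked (4) or all downloads blocked (3)"),
    "SitePerProcess": ({True}, "each site isolated in its own renderer process"),
}


def audit_policy(policy_json: str, allowed_domains: set) -> list:
    """Return one finding per policy that is missing or weaker than the checklist asks for.

    allowed_domains: the organisation's own domains that AllowedDomainsForApps
    should be restricted to.  An empty list means the file passes the audit.
    """
    policy = json.loads(policy_json)
    findings = []
    for name, (ok_values, why) in EXPECTED.items():
        if name not in policy:
            findings.append(f"{name}: not set; expected {why}")
        elif policy[name] not in ok_values:
            findings.append(f"{name}: value {policy[name]!r} is weaker than expected ({why})")

    # AllowedDomainsForApps is a comma-separated string of domains.
    domains = policy.get("AllowedDomainsForApps")
    if not domains:
        findings.append("AllowedDomainsForApps: not set; any Google Account can sign in to Google services")
    else:
        configured = {d.strip().lower() for d in domains.split(",") if d.strip()}
        extra = configured - {d.lower() for d in allowed_domains}
        if extra:
            findings.append(f"AllowedDomainsForApps: unexpected domains {sorted(extra)}")
    return findings


# Constructed sample: a default-ish policy file that fails most of the checks.
WEAK_POLICY = json.dumps({
    "PasswordManagerEnabled": True,
    "SafeBrowsingProtectionLevel": 0,
    "DownloadRestrictions": 0,
    "SitePerProcess": False,
})

# Constructed sample: the same file after applying the checklist.
HARDENED_POLICY = json.dumps({
    "PasswordManagerEnabled": True,
    "SafeBrowsingProtectionLevel": 1,
    "DisableSafeBrowsingProceedAnyway": True,
    "DownloadRestrictions": 4,
    "SitePerProcess": True,
    "AllowedDomainsForApps": "example.com,example.net",
})

if __name__ == "__main__":
    for label, doc in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(label, audit_policy(doc, {"example.com", "example.net"}) or "OK")
```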
Set a Windows desktop browser policy
If your organization wants to use Chrome Browser but your users still need to access older
websites and apps that require Internet Explorer, the Chrome Legacy Browser Support extension
lets users switch automatically between Chrome and another browser. Use Legacy Browser
Support to support applications that require a legacy browser.
Legacy browser support for Windows
Mobile devices, computers, and other endpoints
You can protect user accounts and their work data on mobile devices, tablets, laptops, and computers with Google endpoint management.
For a complete list of recommendations, go to the Device management security checklist.
Drive
Limit sharing and collaboration outside your domain
Set options or create rules for file sharing outside your organization
Confine file sharing within the boundary of your domains by turning off sharing options or by
creating trust rules (which give you more precise control over sharing). This reduces data
leak and data exfiltration risks. If sharing is required outside of your organization because of
business needs, you can define how sharing is done for organizational units, or you can designate
domains on your allowlist.
Restrict sharing outside allowed domains | Restrict sharing outside your organization | Create trust
rules to restrict external sharing
Warn users when they share a file outside your domain
If you allow users to share files outside your domain, turn on a warning when a user does so. This
allows users to confirm whether this action is the intended one, and reduces the risk of data leaks.
Warn users when sharing outside
Prevent users from publishing on the web
Disable file publishing on the web. This reduces the risk of data leaks.
Don't allow users to share files publicly
Set general access options for file sharing
Set the default access option for file sharing to Restricted. Only the file owner should have access
until they share the file. Optionally, create custom sharing groups (target audiences) for users in
different departments.
Set file access options
Limit file access to recipients only
When a user shares a file via a Google product other than Docs or Drive (for example, by pasting a
link in Gmail), Access Checker can check that the recipients can access the file. Set up Access
Checker for Recipients only. This gives you control over the accessibility of links shared by your
users, and reduces the risk of data leaks.
Choose Access Checker options
Prevent or limit the risk that external users can discover your organization’s group
memberships
To prevent users at another organization that uses Google Workspace from discovering your
organization's group memberships, don't allow external organizations to share files with your users.
Or, to limit this type of risk, allow external sharing only with allowlisted domains.
If you use Google Drive sharing settings: For each organizational unit you want to protect from
this risk, do one of the following:
To prevent this risk, turn off external sharing and uncheck the option to allow your users to
receive files from external users.
To limit this risk, allow external sharing only with allowlisted domains.
For details, see Manage external sharing for your organization.
If you use trust rules for Drive sharing: To limit this risk, first create a trust rule with the following
settings:
Scope—Organizational units or groups you want to protect from this risk
Trigger—Drive > Receiving files
Conditions—Allowlisted domains or external organizations that you trust
Action—Allow
For details, see Create a trust rule.
Next, deactivate the default rule named [Default] Users in my organization can share with a
warning and receive from anyone. For details, see View or edit trust rule details.
Require Google sign-in for external collaborators
Require external collaborators to sign in with a Google Account. If they don't have a Google
Account, they can create one at no cost. This reduces the risk of data leaks.
Turn off invitations to non-Google accounts outside your domain
Limit who can move content from shared drives
Allow only users in your organization to move files from their shared drives to a Drive location in a
different organization.
Control files stored on shared drives
Control content sharing in new shared drives
Restrict who can create shared drives, access content, or change the settings for new shared
drives.
Control sharing in shared drives
Limit local copies of Drive data
Disable access to offline docs
To reduce the risk of data leaks, consider disabling access to offline docs. When docs are
accessible offline, a copy of the document is stored locally. If you have a business reason to enable
access to offline docs, enable this feature per organizational unit to minimize risk.
Control offline use of Docs editors
Disable desktop access to Drive
Users can get desktop access to Drive with Google Drive for desktop. To reduce the risk of data
leaks, consider disabling desktop access to Drive. If you decide to enable desktop access, enable it
only for users with a critical business need.
Turn off sync for your organization
Control access to your data by third-party apps
Don't allow Google Docs add-ons
To reduce the risk of data leaks, consider not allowing users to install add-ons for Google Docs
from the add-on store. To support a specific business need, you can deploy specific add-ons for
Google Docs that are aligned with your organizational policy.
Enable add-ons in Google Docs editors
Protect sensitive data
Block or warn on sharing files with sensitive data
To reduce the risk of data leaks, set up Data Loss Protection rules to scan files for sensitive data
and take action when users try to share matching files externally. For example, you can block
external sharing of documents that contain passport numbers and get an email alert.
Use DLP for Drive to prevent data loss
Gmail (Google Workspace only)
Set up authentication and infrastructure
Authenticate email with SPF, DKIM, and DMARC
SPF, DKIM, and DMARC establish an email validation system that uses DNS settings to
authenticate, digitally sign, and help prevent spoofing of your domain.
Attackers sometimes forge the "From" address on email messages so they seem to come from a
user in your domain. To prevent this, you can set up SPF and DKIM on all outbound email streams.
Once SPF and DKIM are in place, you can set up a DMARC record to define how Google and other
receivers should treat unauthenticated emails purporting to come from your domain.
Prevent spam, spoofing & phishing with Gmail authentication
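To show what the DMARC record actually decides once SPF and DKIM are in place, here is an added example (not Google's code) of the check a receiving server performs: it parses the record, tests whether a passing SPF or DKIM result is aligned with the From domain under the record's aspf/adkim modes, and otherwise applies p (or sp for subdomains). The record and the authentication results are constructed inputs; the organizational-domain lookup is simplified to the last two labels instead of the Public Suffix List, and pct sampling and reporting are out of scope.

```python
"""Apply a domain's DMARC policy to one message's SPF/DKIM results
(added example, not Google's code; inputs are constructed)."""
from dataclasses import dataclass


@dataclass
class AuthResult:
    spf: str          # "pass", "fail", "none", ...
    spf_domain: str   # domain SPF was evaluated for (MAIL FROM / HELO)
    dkim: str         # "pass", "fail", "none", ...
    dkim_domain: str  # d= tag of the signature that verified
    from_domain: str  # domain of the RFC 5322 From header


def parse_dmarc(record: str) -> dict:
    """Turn 'v=DMARC1; p=reject; adkim=s' into {'v': 'DMARC1', 'p': 'reject', ...}."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.strip().partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        raise ValueError(f"not a DMARC record: {record!r}")
    return tags


def org_domain(domain: str) -> str:
    # Assumption: organizational domain = last two labels.  A production
    # implementation must consult the Public Suffix List (e.g. for co.uk).
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Identifier alignment: strict ('s') needs an exact match,
    relaxed ('r', the default) only needs the same organizational domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def evaluate(record_domain: str, record: str, r: AuthResult) -> dict:
    """Return the DMARC result and the disposition the receiver should apply.

    record_domain is the domain the record was published for (assumed to be
    the organizational domain, so sp= governs its subdomains).
    """
    tags = parse_dmarc(record)
    spf_ok = r.spf == "pass" and aligned(r.spf_domain, r.from_domain, tags.get("aspf", "r"))
    dkim_ok = r.dkim == "pass" and aligned(r.dkim_domain, r.from_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return {"dmarc": "pass", "disposition": "deliver",
                "via": "spf" if spf_ok else "dkim"}

    # Neither mechanism passed *and* aligned: the record's policy applies.
    # Unauthenticated mail with a spoofed From in this domain ends up here.
    frm, rd = r.from_domain.lower(), record_domain.lower()
    is_subdomain = frm != rd and frm.endswith("." + rd)
    policy = tags.get("p", "none")
    if is_subdomain:
        policy = tags.get("sp", policy)
    disposition = {"none": "deliver", "quarantine": "spam-folder", "reject": "reject"}
    return {"dmarc": "fail", "disposition": disposition.get(policy, "deliver"), "policy": policy}


# Constructed record, as a domain owner would publish at _dmarc.example.com
RECORD = "v=DMARC1; p=reject; sp=quarantine; adkim=s; aspf=r; rua=mailto:dmarc@example.com"

if __name__ == "__main__":
    legit = AuthResult("pass", "bounce.example.com", "none", "", "example.com")
    spoof = AuthResult("pass", "attacker.example", "none", "", "example.com")
    print(evaluate("example.com", RECORD, legit))
    print(evaluate("example.com", RECORD, spoof))
```

The spoof case above is the one the checklist describes: SPF passes for the attacker's own envelope domain, but because it is not aligned with the forged From domain the p=reject policy applies.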
Set up inbound email gateways to work with SPF
SPF helps prevent your outgoing messages from being sent to spam, but a gateway can impact
how SPF works. If you use an email gateway to route incoming email, make sure it’s set up
properly for Sender Policy Framework (SPF).
Set up an inbound mail gateway
Enforce TLS with your partner domains
Set the TLS setting to require a secure connection for email to (or from) partner domains.
Require mail to be transmitted via a secure (TLS) connection
Require sender authentication for all approved senders
When you create an address list of approved senders who can bypass spam classification, require
authentication. When sender authentication is turned off, Gmail can't verify the message was sent
by the person it seems to come from. Requiring authentication reduces the risk
of spoofing and phishing/whaling. Learn more about sender authentication.
Customize spam filter settings
Configure MX records for correct mail flow
Configure the MX records to point to Google’s mail servers as the highest priority record to ensure
correct mail flow to your Google Workspace domain users. This reduces the risk of data
deletion (through lost email) and malware threats.
Set up MX records for Google Workspace Gmail | Google Workspace MX records values
Protect users and organizations
Disable IMAP/POP access
IMAP and POP desktop clients let users access Gmail through third-party email clients. Disable
POP and IMAP access for any users who don't explicitly need this access. This reduces data
leak, data deletion, and data exfiltration risks. It also can reduce the threat of attacks because
IMAP clients might not have similar protections to first-party clients.
Turn IMAP and POP on and off for users
Disable automatic forwarding
Prevent users from automatically forwarding incoming mail to another address. This reduces the
risk of data exfiltration through email forwarding, which is a common technique employed by
attackers.
Disable automatic forwarding
Enable comprehensive mail storage
Comprehensive mail storage ensures that a copy of all sent and received mail in your domain—including mail sent or received by non-Gmail mailboxes—is stored in the associated users' Gmail mailboxes. Enable this setting to reduce the risk of data deletion and, if you use Google Vault, to ensure mail is retained or held.
Set up comprehensive mail storage | Comprehensive mail storage and Vault
Don't bypass spam filters for internal senders
Turn off Bypass spam filters for internal senders, because any external addresses added to
groups are treated as internal addresses. By turning off this setting, you can make sure all user
email is filtered for spam, including mail from internal senders. This reduces the risk
of spoofing and phishing/whaling.
Customize spam filter settings
Add spam headers setting to all default routing rules
Spam headers help maximize the filtering capacity of downstream email servers and reduce the
risks of spoofing and phishing/whaling. When you set up default routing rules, check the Add X-
Gm-Spam and X-Gm-Phishy headers box so that Gmail adds these headers to indicate the spam
and phishing status of the message.
For example, an administrator at a downstream server can use this information to set up rules that
handle spam and phishing differently from clean mail.
Configure default routing
Enable enhanced pre-delivery message scanning
When Gmail identifies that an email message may be phishing, this setting enables Gmail to
perform additional checks on the message.
Use enhanced pre-delivery message scanning
Enable external recipient warnings
Gmail detects if an external recipient in an email response is not someone a user interacts with
regularly, or isn't present in a user’s Contacts. When you configure this setting, your users receive
a warning and an option to dismiss.
Configure an external recipient warning
Enable additional attachment protection
Google scans incoming messages to protect against malware, even if the additional malicious
attachment protections settings aren't enabled. Turning on additional attachment protection can
catch email that previously wasn't identified as malicious.
Turn on attachment protection
Enable additional link and external content protection
Google scans incoming messages to protect against malware, even if the additional malicious link
and content protections settings aren't enabled. Turning on additional links and external images
protection can catch email that previously wasn't identified as phishing.
Turn on external images and links protection
Enable additional spoofing protection
Google scans incoming messages to protect against spoofing even if additional spoofing
protections settings aren't enabled. Turning on additional spoofing and authentication protection
can, for example, reduce the risk of spoofing based on similar domain names or employee names.
Turn on spoofing and authentication protection
Security considerations for daily Gmail tasks
Take care when overriding spam filters
To avoid an increase in spam, exercise thought and care if you override Gmail’s default spam
filters.
If you add a domain or an email address to the approved senders list, require authentication.
Otherwise, senders with no authentication can bypass Gmail’s spam filters.
Be cautious if you add IP addresses to the email allowlist, particularly if you add large ranges of
IP addresses via CIDR notation.
If you forward messages to your Google Workspace domain through an inbound gateway, add
the IP addresses of your inbound gateway to the inbound gateway settings and not the email
allowlist.
Monitor and tune compliance rules to help prevent spam and phishing.
Tailor Gmail settings for an organization
Don't include domains in the approved senders list
If you set up approved senders, and if you checked Bypass spam filters for messages received
from addresses or domains within these approved senders lists, remove any domains from
your approved sender list. Excluding domains from the approved senders list reduces the risk
of spoofing and phishing/whaling.
Customize spam filter settings
Don't add IP addresses to your allowlist
In general, mail sent from IP addresses on your allowlist isn't marked as spam. To take full
advantage of the Gmail spam filtering service and for best spam classification results, IP addresses
of your mail servers and partner mail servers that are forwarding email to Gmail should be added to
an Inbound mail gateway, and not an IP allowlist.
Add IP addresses to allow lists in Gmail | Set up an inbound mail gateway
Protect sensitive data
Scan and block emails with sensitive data
To reduce the risk of data leaks, scan email with predefined Data Loss Protection detectors and take action when users receive or send messages with sensitive content. For example, you can block users from sending messages that contain credit card numbers and get an email alert.
Scan your email traffic using DLP rules
Google Groups
Use groups designed for security
Ensure only select users can access sensitive apps and resources by managing them with security
groups. This reduces the risk of data leaks.
Provide more secure access to data & resources
Add security conditions to admin roles
Allow only certain admins to control security groups. Designate other admins that can only control
nonsecurity groups. This reduces the risk of data leaks and malicious insider threats.
Assign specific admin roles
Set up private access to your groups
Select the Private setting to limit access to members of your domain. (Group members can still
receive email from outside the domain.) This reduces the risk of data leaks.
Set Groups for Business sharing options
Limit group creation to admins
Allow only admins to create groups. This reduces the risk of data leaks.
Set Groups for Business sharing options
Customize your group access settings
Recommendations:
Allow or disable members and messages from outside your domain.
Set up message moderation.
Set visibility of groups.
Perform other actions, according to your company policies.
Set who can view, post, and moderate
Disable some access settings for internal groups
The following settings allow anyone on the internet to join the group, send messages, and view the
discussion archives. Disable these settings for internal groups:
Public access
Also grant this access to anyone on the internet
Also allow anyone on the internet to post messages
Assign access levels to a group
Enable spam moderation for your groups
You can have messages sent to the moderation queue with or without notifying moderators,
immediately reject spam messages, or allow the messages to be posted without moderation.
Approve or block new posts
Sites (Google Workspace only)
Block sharing sites outside the domain
Block users from sharing sites outside the domain to reduce the risk of data leaks. To support a
critical business need, you could enable sharing outside the domain. If you do so, display a warning
when users share sites outside the domain.
Set Google Sites sharing options | Set sharing options: classic Sites
Vault (Google Workspace only)
Treat accounts with Vault privileges as sensitive
Protect accounts assigned to Vault administrator roles the same way you protect super admin
accounts.
Security best practices for administrator accounts
Regularly audit Vault activity
Users with Vault privileges can search and export other users’ data, as well as change retention
rules that can purge data you need to keep. Monitor Vault activity to ensure that only approved data
access and retention policies occur.
Audit Vault user activity
Next steps—Monitoring, investigation, and remediation
Review your security settings and investigate activity
Regularly visit the security center to review your security posture, investigate incidents, and take action
based on that information.
About the security center
Review the Admin audit log
Use the Admin audit log to review a history of every task performed in the Google Admin console, which
admin performed the task, the date, and the IP address from which the admin signed in.
Admin audit log
Marketing Management Business Plan_My Sweet CreationsMarketing Management Business Plan_My Sweet Creations
Marketing Management Business Plan_My Sweet Creationsnakalysalcedo61
 
The CMO Survey - Highlights and Insights Report - Spring 2024
The CMO Survey - Highlights and Insights Report - Spring 2024The CMO Survey - Highlights and Insights Report - Spring 2024
The CMO Survey - Highlights and Insights Report - Spring 2024christinemoorman
 
Vip Female Escorts Noida 9711199171 Greater Noida Escorts Service
Vip Female Escorts Noida 9711199171 Greater Noida Escorts ServiceVip Female Escorts Noida 9711199171 Greater Noida Escorts Service
Vip Female Escorts Noida 9711199171 Greater Noida Escorts Serviceankitnayak356677
 
Flow Your Strategy at Flight Levels Day 2024
Flow Your Strategy at Flight Levels Day 2024Flow Your Strategy at Flight Levels Day 2024
Flow Your Strategy at Flight Levels Day 2024Kirill Klimov
 

Recently uploaded (20)

Pitch Deck Teardown: NOQX's $200k Pre-seed deck
Pitch Deck Teardown: NOQX's $200k Pre-seed deckPitch Deck Teardown: NOQX's $200k Pre-seed deck
Pitch Deck Teardown: NOQX's $200k Pre-seed deck
 
BEST Call Girls In Old Faridabad ✨ 9773824855 ✨ Escorts Service In Delhi Ncr,
BEST Call Girls In Old Faridabad ✨ 9773824855 ✨ Escorts Service In Delhi Ncr,BEST Call Girls In Old Faridabad ✨ 9773824855 ✨ Escorts Service In Delhi Ncr,
BEST Call Girls In Old Faridabad ✨ 9773824855 ✨ Escorts Service In Delhi Ncr,
 
(Best) ENJOY Call Girls in Faridabad Ex | 8377087607
(Best) ENJOY Call Girls in Faridabad Ex | 8377087607(Best) ENJOY Call Girls in Faridabad Ex | 8377087607
(Best) ENJOY Call Girls in Faridabad Ex | 8377087607
 
8447779800, Low rate Call girls in Kotla Mubarakpur Delhi NCR
8447779800, Low rate Call girls in Kotla Mubarakpur Delhi NCR8447779800, Low rate Call girls in Kotla Mubarakpur Delhi NCR
8447779800, Low rate Call girls in Kotla Mubarakpur Delhi NCR
 
Call Girls In Sikandarpur Gurgaon ❤️8860477959_Russian 100% Genuine Escorts I...
Call Girls In Sikandarpur Gurgaon ❤️8860477959_Russian 100% Genuine Escorts I...Call Girls In Sikandarpur Gurgaon ❤️8860477959_Russian 100% Genuine Escorts I...
Call Girls In Sikandarpur Gurgaon ❤️8860477959_Russian 100% Genuine Escorts I...
 
8447779800, Low rate Call girls in Tughlakabad Delhi NCR
8447779800, Low rate Call girls in Tughlakabad Delhi NCR8447779800, Low rate Call girls in Tughlakabad Delhi NCR
8447779800, Low rate Call girls in Tughlakabad Delhi NCR
 
Islamabad Escorts | Call 03274100048 | Escort Service in Islamabad
Islamabad Escorts | Call 03274100048 | Escort Service in IslamabadIslamabad Escorts | Call 03274100048 | Escort Service in Islamabad
Islamabad Escorts | Call 03274100048 | Escort Service in Islamabad
 
Organizational Structure Running A Successful Business
Organizational Structure Running A Successful BusinessOrganizational Structure Running A Successful Business
Organizational Structure Running A Successful Business
 
Keppel Ltd. 1Q 2024 Business Update Presentation Slides
Keppel Ltd. 1Q 2024 Business Update  Presentation SlidesKeppel Ltd. 1Q 2024 Business Update  Presentation Slides
Keppel Ltd. 1Q 2024 Business Update Presentation Slides
 
8447779800, Low rate Call girls in New Ashok Nagar Delhi NCR
8447779800, Low rate Call girls in New Ashok Nagar Delhi NCR8447779800, Low rate Call girls in New Ashok Nagar Delhi NCR
8447779800, Low rate Call girls in New Ashok Nagar Delhi NCR
 
Kenya’s Coconut Value Chain by Gatsby Africa
Kenya’s Coconut Value Chain by Gatsby AfricaKenya’s Coconut Value Chain by Gatsby Africa
Kenya’s Coconut Value Chain by Gatsby Africa
 
/:Call Girls In Indirapuram Ghaziabad ➥9990211544 Independent Best Escorts In...
/:Call Girls In Indirapuram Ghaziabad ➥9990211544 Independent Best Escorts In.../:Call Girls In Indirapuram Ghaziabad ➥9990211544 Independent Best Escorts In...
/:Call Girls In Indirapuram Ghaziabad ➥9990211544 Independent Best Escorts In...
 
Cash Payment 9602870969 Escort Service in Udaipur Call Girls
Cash Payment 9602870969 Escort Service in Udaipur Call GirlsCash Payment 9602870969 Escort Service in Udaipur Call Girls
Cash Payment 9602870969 Escort Service in Udaipur Call Girls
 
Progress Report - Oracle Database Analyst Summit
Progress  Report - Oracle Database Analyst SummitProgress  Report - Oracle Database Analyst Summit
Progress Report - Oracle Database Analyst Summit
 
8447779800, Low rate Call girls in Shivaji Enclave Delhi NCR
8447779800, Low rate Call girls in Shivaji Enclave Delhi NCR8447779800, Low rate Call girls in Shivaji Enclave Delhi NCR
8447779800, Low rate Call girls in Shivaji Enclave Delhi NCR
 
Call Us 📲8800102216📞 Call Girls In DLF City Gurgaon
Call Us 📲8800102216📞 Call Girls In DLF City GurgaonCall Us 📲8800102216📞 Call Girls In DLF City Gurgaon
Call Us 📲8800102216📞 Call Girls In DLF City Gurgaon
 
Marketing Management Business Plan_My Sweet Creations
Marketing Management Business Plan_My Sweet CreationsMarketing Management Business Plan_My Sweet Creations
Marketing Management Business Plan_My Sweet Creations
 
The CMO Survey - Highlights and Insights Report - Spring 2024
The CMO Survey - Highlights and Insights Report - Spring 2024The CMO Survey - Highlights and Insights Report - Spring 2024
The CMO Survey - Highlights and Insights Report - Spring 2024
 
Vip Female Escorts Noida 9711199171 Greater Noida Escorts Service
Vip Female Escorts Noida 9711199171 Greater Noida Escorts ServiceVip Female Escorts Noida 9711199171 Greater Noida Escorts Service
Vip Female Escorts Noida 9711199171 Greater Noida Escorts Service
 
Flow Your Strategy at Flight Levels Day 2024
Flow Your Strategy at Flight Levels Day 2024Flow Your Strategy at Flight Levels Day 2024
Flow Your Strategy at Flight Levels Day 2024
 

Security checklist - Google Workspace.pdf

Use the Email log search to review delivery logs for your domains
Use the Security report to evaluate the exposure of the domain to data security risks.
Verify if any malicious settings were created
Identify and secure compromised accounts
Turn off Google data download as needed
If an account is compromised or the user leaves the company, prevent that user from downloading all their Google data with Google Takeout.
Turn Takeout on or off for users
Prevent unauthorized access after an employee leaves
To prevent data leaks, revoke a user’s access to your organization’s data when they leave.
Maintain data security after an employee leaves

Apps (Google Workspace only)
Review third-party app access to core services
Know and approve which third-party apps can access Google Workspace core services such as Gmail and Drive.
Control which third-party & internal apps access Google Workspace data
Block access to less secure apps
Less secure apps don’t use modern security standards, such as OAuth, and increase the risk of accounts or devices being compromised.
Control access to less secure apps
Create a list of trusted apps
Create an allowlist that specifies which third-party apps can access core Google Workspace services.
Control which third-party & internal apps access Google Workspace data
Control access to Google core services
You can allow or block access to Google apps such as Gmail, Drive, and Calendar based on a device’s IP address, geographic origin, security policies, or OS. For example, you can allow Drive for desktop only on company-owned devices in specific countries/regions.
Context-Aware Access overview
Add another layer of encryption to users' apps data
If your organization works with sensitive intellectual property or operates in a highly regulated industry, you can add client-side encryption to Gmail, Google Drive, Google Meet, and Google Calendar.
About client-side encryption

Calendar (Google Workspace only)
Limit external calendar sharing
Restrict external calendar sharing to free/busy information only. This reduces the risk of data leaks.
Set calendar visibility and sharing options
Warn users when they invite external guests
By default, Calendar warns users when they invite external guests. This reduces the risk of data leaks. Make sure this warning is on for all users.
Allow external invitations in Google Calendar events

Google Chat and classic Hangouts (Google Workspace only)
Limit who can chat externally
Allow only the users with a specific need to send messages or create rooms with users outside your organization. This prevents external users from seeing previous internal discussions and reduces the risk of data leaks.
Turn on external chat options
Warn users when chatting outside their domain (classic Hangouts only)
Show users a warning when they chat with people outside their domain. When enabled, group chat conversations are split when the first person from outside the domain is added to the discussion. This prevents external users from seeing previous internal discussions and reduces the risk of data leaks. In Chat, external users and rooms are always marked "External."
Turn on external chat options
Set a chat invitation policy
Determine which users can automatically accept chat invitations based on your organization’s policy on collaboration.
Automatically accept chat invitations

Chrome browser and Chrome OS devices
Keep Chrome browser and Chrome OS updated
To ensure your users have the latest security patches, allow updates. For Chrome browser, always allow updates. By default, Chrome OS devices update to the latest version of Chrome when it’s available. Make sure auto-updates are turned on for all your Chrome OS device users.
Set Chrome policies for users or browsers | Manage updates on Chrome OS devices
Force a relaunch to apply updates
Set Chrome browser and Chrome OS devices to notify users that they need to relaunch their browsers or restart their devices for the update to apply, and force a relaunch after a set time if the user doesn’t take action.
Notify users to restart to apply pending updates
Set basic Chrome OS device and Chrome browser policies
Set the following policies in your Google Admin console:
- Allow password manager (allowed by default).
- Set Safe Browsing to Always enable.
- Prevent users from proceeding to malicious sites (don't allow users to bypass Safe Browsing warnings).
Set Chrome policies for users
Set advanced Chrome browser policies
Prevent unauthorized access, dangerous downloads, and data leaks between sites by setting the following advanced policies:
- AllowedDomainsForApps: allow access to your organization's Google services and tools only for accounts from the domains you specify.
- DownloadRestrictions: block malicious downloads.
- SitePerProcess: enable so that each site in Chrome browser runs as a separate process. With this option, even if a site bypasses the same-origin policy, the extra security will help stop the site from stealing users’ data from another website.
Set Chrome Browser policies on managed PCs | Chrome Browser Enterprise Security Configuration Guide (Windows)
Set a Windows desktop browser policy
If your organization wants to use Chrome Browser but your users still need to access older websites and apps that require Internet Explorer, the Chrome Legacy Browser Support extension lets users switch automatically between Chrome and another browser. Use Legacy Browser Support to support applications that require a legacy browser.
Legacy browser support for Windows

Mobile devices, computers, and other endpoints
You can protect user accounts and their work data on mobile devices, tablets, laptops, and computers with Google endpoint management. For a complete list of recommendations, go to the Device management security checklist.

Drive
Limit sharing and collaboration outside your domain
Set options or create rules for file sharing outside your organization
Confine file sharing within the boundary of your domains by turning off sharing options or by creating trust rules (which give you more precise control over sharing). This reduces data leak and data exfiltration risks. If sharing is required outside of your organization because of business needs, you can define how sharing is done for organizational units, or you can designate domains on your allowlist.
Restrict sharing outside allowed domains | Restrict sharing outside your organization | Create trust rules to restrict external sharing
Warn users when they share a file outside your domain
If you allow users to share files outside your domain, turn on a warning when a user does so. This allows users to confirm whether this action is the intended one, and reduces the risk of data leaks.
Warn users when sharing outside
Prevent users from publishing on the web
Disable file publishing on the web. This reduces the risk of data leaks.
Don't allow users to share files publicly
Set general access options for file sharing
Set the default access option for file sharing to Restricted. Only the file owner should have access until they share the file. Optionally, create custom sharing groups (target audiences) for users in different departments.
Set file access options
Limit file access to recipients only
When a user shares a file via a Google product other than Docs or Drive (for example, by pasting a link in Gmail), Access Checker can check that the recipients can access the file. Set up Access Checker for Recipients only. This gives you control over the accessibility of links shared by your users, and reduces the risk of data leaks.
Choose Access Checker options
Prevent or limit the risk that external users can discover your organization’s group memberships
To prevent users at another organization that uses Google Workspace from discovering your organization's group memberships, don't allow external organizations to share files with your users. Or, to limit this type of risk, allow external sharing only with allowlisted domains.
If you use Google Drive sharing settings: for each organizational unit you want to protect from this risk, do one of the following:
- To prevent this risk, turn off external sharing and uncheck the option to allow your users to receive files from external users.
- To limit this risk, allow external sharing only with allowlisted domains. For details, see Manage external sharing for your organization.
If you use trust rules for Drive sharing: to limit this risk, first create a trust rule with the following settings:
- Scope: organizational units or groups you want to protect from this risk
- Trigger: Drive > Receiving files
- Conditions: allowlisted domains or external organizations that you trust
- Action: Allow
For details, see Create a trust rule. Next, deactivate the default rule named [Default] Users in my organization can share with a warning and receive from anyone. For details, see View or edit trust rule details.
Require Google sign-in for external collaborators
Require external collaborators to sign in with a Google Account. If they don't have a Google Account, they can create one at no cost. This reduces the risk of data leaks.
Turn off invitations to non-Google accounts outside your domain
Limit who can move content from shared drives
Allow only users in your organization to move files from their shared drives to a Drive location in a different organization.
Control files stored on shared drives
Control content sharing in new shared drives
Restrict who can create shared drives, access content, or change the settings for new shared drives.
Control sharing in shared drives
Limit local copies of Drive data
Disable access to offline docs
To reduce the risk of data leaks, consider disabling access to offline docs. When docs are accessible offline, a copy of the document is stored locally. If you have a business reason to enable access to offline docs, enable this feature per organizational unit to minimize risk.
Control offline use of Docs editors
Disable desktop access to Drive
Users can get desktop access to Drive with Google Drive for desktop. To reduce the risk of data leaks, consider disabling desktop access to Drive. If you decide to enable desktop access, enable it only for users with a critical business need.
Turn off sync for your organization
Control access to your data by third-party apps
Don't allow Google Docs add-ons
To reduce the risk of data leaks, consider not allowing users to install add-ons for Google Docs from the add-on store. To support a specific business need, you can deploy specific add-ons for Google Docs that are aligned with your organizational policy.
Enable add-ons in Google Docs editors
Protect sensitive data
Block or warn on sharing files with sensitive data
To reduce the risk of data leaks, set up Data Loss Protection rules to scan files for sensitive data and take action when users try to share matching files externally. For example, you can block external sharing of documents that contain passport numbers and get an email alert.
Use DLP for Drive to prevent data loss

Gmail (Google Workspace only)
Set up authentication and infrastructure
Authenticate email with SPF, DKIM, and DMARC
SPF, DKIM, and DMARC establish an email validation system that uses DNS settings to authenticate, digitally sign, and help prevent spoofing of your domain. Attackers sometimes forge the "From" address on email messages so they seem to come from a user in your domain. To prevent this, you can set up SPF and DKIM on all outbound email streams. Once SPF and DKIM are in place, you can set up a DMARC record to define how Google and other receivers should treat unauthenticated emails purporting to come from your domain.
Prevent spam, spoofing & phishing with Gmail authentication
Set up inbound email gateways to work with SPF
SPF helps prevent your outgoing messages from being sent to spam, but a gateway can impact how SPF works. If you use an email gateway to route incoming email, make sure it’s set up properly for Sender Policy Framework (SPF).
Set up an inbound mail gateway
Enforce TLS with your partner domains
Set the TLS setting to require a secure connection for email to (or from) partner domains.
Require mail to be transmitted via a secure (TLS) connection
Require sender authentication for all approved senders
When you create an address list of approved senders who can bypass spam classification, require authentication. When sender authentication is turned off, Gmail can't verify the message was sent by the person it seems to come from. Requiring authentication reduces the risk of spoofing and phishing/whaling. Learn more about sender authentication.
Customize spam filter settings
Configure MX records for correct mail flow
Configure the MX records to point to Google’s mail servers as the highest priority record to ensure correct mail flow to your Google Workspace domain users. This reduces the risk of data deletion (through lost email) and malware threats.
Set up MX records for Google Workspace Gmail | Google Workspace MX records values
Protect users and organizations
Disable IMAP/POP access
IMAP and POP desktop clients let users access Gmail through third-party email clients. Disable POP and IMAP access for any users who don't explicitly need this access. This reduces data leak, data deletion, and data exfiltration risks. It also can reduce the threat of attacks because IMAP clients might not have similar protections to first-party clients.
Turn IMAP and POP on and off for users
Disable automatic forwarding
Prevent users from automatically forwarding incoming mail to another address. This reduces the risk of data exfiltration through email forwarding, which is a common technique employed by attackers.
Disable automatic forwarding
Enable comprehensive mail storage
Comprehensive mail storage ensures that a copy of all sent and received mail in your domain, including mail sent or received by non-Gmail mailboxes, is stored in the associated users' Gmail mailboxes. Enable this setting to reduce the risk of data deletion and, if you use Google Vault, ensure mail is retained or held.
Set up comprehensive mail storage | Comprehensive mail storage and Vault
Don't bypass spam filters for internal senders
Turn off Bypass spam filters for internal senders, because any external addresses added to groups are treated as internal addresses. By turning off this setting, you can make sure all user email is filtered for spam, including mail from internal senders. This reduces the risk of spoofing and phishing/whaling.
Customize spam filter settings
Add spam headers setting to all default routing rules
Spam headers help maximize the filtering capacity of downstream email servers and reduce the risks of spoofing and phishing/whaling. When you set up default routing rules, check the Add X-Gm-Spam and X-Gm-Phishy headers box so that Gmail adds these headers to indicate the spam and phishing status of the message. For example, an administrator at a downstream server can use this information to set up rules that handle spam and phishing differently from clean mail.
Configure default routing
Enable enhanced pre-delivery message scanning
When Gmail identifies that an email message may be phishing, this setting enables Gmail to perform additional checks on the message.
Use enhanced pre-delivery message scanning
Enable external recipient warnings
Gmail detects if an external recipient in an email response is not someone a user interacts with regularly, or isn't present in a user’s Contacts. When you configure this setting, your users receive a warning and an option to dismiss.
Configure an external recipient warning
Enable additional attachment protection
Google scans incoming messages to protect against malware, even if the additional malicious attachment protections settings aren't enabled. Turning on additional attachment protection can catch email that previously wasn't identified as malicious.
Turn on attachment protection
Enable additional link and external content protection
Google scans incoming messages to protect against malware, even if the additional malicious link and content protections settings aren't enabled. Turning on additional links and external images protection can catch email that previously wasn't identified as phishing.
Turn on external images and links protection
Enable additional spoofing protection
Google scans incoming messages to protect against spoofing even if additional spoofing protections settings aren't enabled. Turning on additional spoofing and authentication protection can, for example, reduce the risk of spoofing based on similar domain names or employee names.
Turn on spoofing and authentication protection
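The "Authenticate email with SPF, DKIM, and DMARC" item above says what to publish; this added example, which is not Google's tooling, grades what a domain has actually published against the weaknesses that item and the spoofing-protection items warn about. It works on TXT record strings handed in directly (the records at the bottom are constructed placeholders for a fictional example.com tenant), so it runs offline; to check a live domain, feed it the apex TXT records, the selector._domainkey records and the _dmarc record from your resolver.

```python
"""Grade a domain's SPF, DKIM and DMARC records against the checklist.
Added example, not Google's code. Records are passed in as the TXT strings a
resolver would return; the samples at the bottom are constructed placeholders."""
import re
from dataclasses import dataclass

SEVERITY_ORDER = {"fail": 0, "warn": 1, "ok": 2}
# Mechanisms and modifiers that cost a DNS lookup (RFC 7208 allows at most 10).
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
GOOGLE_INCLUDE = "include:_spf.google.com"   # covers Gmail's outbound servers


@dataclass
class Finding:
    severity: str   # "fail", "warn" or "ok"
    message: str


def _mechanism(term):
    # 'include:_spf.google.com' -> 'include', '-all' -> 'all', 'ip4:198.51.100.1' -> 'ip4'
    return re.split(r"[:/=]", term.lstrip("+-~?"), maxsplit=1)[0].lower()


def check_spf(txt_records):
    """Findings for the SPF record among a domain's apex TXT records."""
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    if not spf:
        return [Finding("fail", "no SPF record: receivers cannot tell which servers may send for you")]
    if len(spf) > 1:
        return [Finding("fail", "more than one SPF record: receivers treat this as a permanent error")]
    terms = spf[0].split()[1:]
    findings = []
    all_term = next((t for t in terms if _mechanism(t) == "all"), None)  # fate of unlisted senders
    if all_term is None:
        findings.append(Finding("warn", "no 'all' mechanism: unlisted senders get a neutral result"))
    elif all_term.startswith("-"):
        findings.append(Finding("ok", "SPF ends with -all (hard fail for unlisted senders)"))
    elif all_term.startswith("~"):
        findings.append(Finding("warn", "SPF ends with ~all (soft fail); move to -all once every sender is listed"))
    else:
        findings.append(Finding("fail", "SPF ends with +all or ?all: any server may send as this domain"))
    if GOOGLE_INCLUDE not in (t.lower() for t in terms):
        findings.append(Finding("fail", f"SPF lacks {GOOGLE_INCLUDE}: mail sent from Gmail will fail SPF"))
    lookups = sum(1 for t in terms if _mechanism(t) in LOOKUP_MECHANISMS)
    if lookups > 10:
        findings.append(Finding("fail", f"SPF needs {lookups} DNS lookups; more than 10 yields permerror"))
    return findings


def parse_tags(record):
    """Parse the 'tag=value; tag=value' syntax shared by DKIM and DMARC records."""
    pairs = (part.split("=", 1) for part in record.split(";") if "=" in part)
    return {key.strip().lower(): value.strip() for key, value in pairs}


def check_dkim(selector_records):
    """selector_records maps a selector (e.g. 'google') to its _domainkey TXT record."""
    if not selector_records:
        return [Finding("fail", "no DKIM selector records: outbound mail is not signed")]
    findings = []
    for selector, txt in selector_records.items():
        if not parse_tags(txt).get("p"):   # an empty p= tag means the key was revoked
            findings.append(Finding("fail", f"{selector}: empty p= tag, signatures will not verify"))
        else:
            findings.append(Finding("ok", f"{selector}: DKIM public key published"))
    return findings


def check_dmarc(dmarc_txt):
    """dmarc_txt is the TXT record at _dmarc.<domain>, or None if absent."""
    if not dmarc_txt or not dmarc_txt.lower().startswith("v=dmarc1"):
        return [Finding("fail", "no DMARC record: receivers have no policy for unauthenticated mail")]
    tags = parse_tags(dmarc_txt)
    policy = tags.get("p", "").lower()
    findings = []
    if policy == "reject":
        findings.append(Finding("ok", "DMARC p=reject"))
    elif policy == "quarantine":
        findings.append(Finding("warn", "DMARC p=quarantine; move to p=reject once reports show no legitimate failures"))
    elif policy == "none":
        findings.append(Finding("warn", "DMARC p=none only monitors: spoofed mail is still delivered"))
    else:
        findings.append(Finding("fail", "DMARC record has no valid p= tag"))
    if "rua" not in tags:
        findings.append(Finding("warn", "no rua= address: you will receive no aggregate reports"))
    return findings


def audit_domain(txt_records, dkim_selectors, dmarc_txt):
    """Run all three checks and return the findings, worst first."""
    findings = check_spf(txt_records) + check_dkim(dkim_selectors) + check_dmarc(dmarc_txt)
    return sorted(findings, key=lambda f: SEVERITY_ORDER[f.severity])


# Constructed sample records for a fictional tenant (placeholders, not real DNS data).
GOOD_TXT = ["v=spf1 include:_spf.google.com -all", "google-site-verification=PLACEHOLDER"]
GOOD_DKIM = {"google": "v=DKIM1; k=rsa; p=PLACEHOLDER_BASE64_PUBLIC_KEY"}
GOOD_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com"
WEAK_TXT = ["v=spf1 include:_spf.google.com ~all"]
WEAK_DKIM = {}
WEAK_DMARC = "v=DMARC1; p=none"

if __name__ == "__main__":
    for f in audit_domain(WEAK_TXT, WEAK_DKIM, WEAK_DMARC):
        print(f"[{f.severity}] {f.message}")
```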
Security considerations for daily Gmail tasks
Take care when overriding spam filters
To avoid an increase in spam, exercise thought and care if you override Gmail’s default spam filters.
- If you add a domain or an email address to the approved senders list, require authentication. Otherwise, senders with no authentication can bypass Gmail’s spam filters.
- Be cautious if you add IP addresses to the email allowlist, particularly if you add large ranges of IP addresses via CIDR notation.
- If you forward messages to your Google Workspace domain through an inbound gateway, add the IP addresses of your inbound gateway to the inbound gateway settings and not the email allowlist.
- Monitor and tune compliance rules to help prevent spam and phishing.
Tailor Gmail settings for an organization
Don't include domains in the approved senders list
If you set up approved senders, and if you checked Bypass spam filters for messages received from addresses or domains within these approved senders lists, remove any domains from your approved sender list. Excluding domains from the approved senders list reduces the risk of spoofing and phishing/whaling.
Customize spam filter settings
Don't add IP addresses to your allowlist
In general, mail sent from IP addresses on your allowlist isn't marked as spam. To take full advantage of the Gmail spam filtering service and for best spam classification results, IP addresses of your mail servers and partner mail servers that are forwarding email to Gmail should be added to an Inbound mail gateway, and not an IP allowlist.
Add IP addresses to allow lists in Gmail | Set up an inbound mail gateway
Protect sensitive data
Scan and block emails with sensitive data
To reduce the risk of data leaks, scan outgoing emails with predefined Data Loss Protection detectors to take action when users receive or send messages with sensitive content. For example, you can block users from sending messages that contain credit card numbers and get an email alert.
Scan your email traffic using DLP rules

Google Groups
Use groups designed for security
Ensure only select users can access sensitive apps and resources by managing them with security groups. This reduces the risk of data leaks.
Provide more secure access to data & resources
Add security conditions to admin roles
Allow only certain admins to control security groups. Designate other admins that can only control nonsecurity groups. This reduces the risk of data leaks and malicious insider threats.
Assign specific admin roles
Set up private access to your groups
Select the Private setting to limit access to members of your domain. (Group members can still receive email from outside the domain.) This reduces the risk of data leaks.
Set Groups for Business sharing options
Limit group creation to admins
Allow only admins to create groups. This reduces the risk of data leaks.
Set Groups for Business sharing options
Customize your group access settings
Recommendations:
- Allow or disable members and messages from outside your domain.
- Set up message moderation.
- Set visibility of groups.
- Perform other actions, according to your company policies.
Set who can view, post, and moderate
Disable some access settings for internal groups
The following settings allow anyone on the internet to join the group, send messages, and view the discussion archives. Disable these settings for internal groups:
- Public access
- Also grant this access to anyone on the internet
- Also allow anyone on the internet to post messages
Assign access levels to a group
Enable spam moderation for your groups
You can have messages sent to the moderation queue with or without notifying moderators, immediately reject spam messages, or allow the messages to be posted without moderation.
Approve or block new posts

Sites (Google Workspace only)
Block sharing sites outside the domain
Block users from sharing sites outside the domain to reduce the risk of data leaks. To support a critical business need, you could enable sharing outside the domain. If you do so, display a warning when users share sites outside the domain.
Set Google Sites sharing options | Set sharing options: classic Sites

Vault (Google Workspace only)
Treat accounts with Vault privileges as sensitive
Protect accounts assigned to Vault administrator roles the same way you protect super admin accounts.
Security best practices for administrator accounts
Regularly audit Vault activity
Users with Vault privileges can search and export other users’ data, as well as change retention rules that can purge data you need to keep. Monitor Vault activity to ensure that only approved data access and retention policies occur.
Audit Vault user activity

Next steps—Monitoring, investigation, and remediation
Review your security settings and investigate activity
Regularly visit the security center to review your security posture, investigate incidents, and take action based on that information.
About the security center
Review the Admin audit log
Use the Admin audit log to review a history of every task performed in the Google Admin console, which admin performed the task, the date, and the IP address from which the admin signed in.
Admin audit log
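Reviewing settings against this checklist also applies to the Chrome browser policies it lists earlier (password manager, Safe Browsing always on with no bypass, AllowedDomainsForApps, DownloadRestrictions, SitePerProcess). The added example below, which is not Google's code, reads a managed-policy JSON file of the kind Chrome loads from /etc/opt/chrome/policies/managed/ on Linux and reports which of those settings deviate from the checklist; the policy names are Chrome's own enterprise policy names, while the sample file contents and the example.com domains are constructed.

```python
"""Audit a Chrome managed-policy file against this checklist's browser items.
Added example, not Google's code. Policy names and values are Chrome enterprise
policies in the Linux JSON layout; on Windows the same names are set by GPO
under HKLM\\Software\\Policies\\Google\\Chrome.
"""
import json

# DownloadRestrictions: 0 = no restriction, 1 = block dangerous, 2 = block dangerous
# and potentially dangerous, 3 = block all downloads, 4 = block malicious downloads.
BLOCKING_DOWNLOAD_LEVELS = {1, 2, 3, 4}
# SafeBrowsingProtectionLevel: 0 = off, 1 = standard, 2 = enhanced.
SAFE_BROWSING_ON = {1, 2}


def audit_chrome_policy(policy, expected_domains):
    """Return (policy_name, problem) tuples; an empty list means compliant."""
    problems = []
    # Basic policies: password manager stays allowed, Safe Browsing on, no click-through.
    if policy.get("PasswordManagerEnabled", True) is False:
        problems.append(("PasswordManagerEnabled", "explicitly disabled; the checklist leaves it allowed"))
    if policy.get("SafeBrowsingProtectionLevel") not in SAFE_BROWSING_ON:
        problems.append(("SafeBrowsingProtectionLevel", "not forced on (1 = standard, 2 = enhanced)"))
    if policy.get("DisableSafeBrowsingProceedAnyway") is not True:
        problems.append(("DisableSafeBrowsingProceedAnyway", "users can proceed past Safe Browsing warnings"))
    # Advanced policies: only your domains' accounts, no malicious downloads, site isolation.
    allowed = policy.get("AllowedDomainsForApps", "")   # comma-separated string
    domains = {d.strip().lower() for d in allowed.split(",") if d.strip()}
    if not domains:
        problems.append(("AllowedDomainsForApps", "unset; any Google account can sign in to Google services"))
    elif domains != {d.lower() for d in expected_domains}:
        problems.append(("AllowedDomainsForApps", f"lists {sorted(domains)}, expected {sorted(expected_domains)}"))
    if policy.get("DownloadRestrictions") not in BLOCKING_DOWNLOAD_LEVELS:
        problems.append(("DownloadRestrictions", "malicious downloads are not blocked (0 or unset)"))
    if policy.get("SitePerProcess") is not True:
        problems.append(("SitePerProcess", "site isolation is not enforced by policy"))
    return problems


def audit_policy_file(text, expected_domains):
    """Same check on the JSON text of a managed policy file."""
    return audit_chrome_policy(json.loads(text), expected_domains)


# Constructed sample policy files (not from a real deployment).
WEAK_POLICY_JSON = json.dumps({
    "PasswordManagerEnabled": False,
    "SafeBrowsingProtectionLevel": 0,
    "DownloadRestrictions": 0,
})
HARDENED_POLICY_JSON = json.dumps({
    "PasswordManagerEnabled": True,
    "SafeBrowsingProtectionLevel": 1,
    "DisableSafeBrowsingProceedAnyway": True,
    "AllowedDomainsForApps": "example.com,example.org",
    "DownloadRestrictions": 4,
    "SitePerProcess": True,
}, indent=2)

if __name__ == "__main__":
    for label, text in (("weak", WEAK_POLICY_JSON), ("hardened", HARDENED_POLICY_JSON)):
        found = audit_policy_file(text, ["example.com", "example.org"])
        print(f"{label}: {len(found)} problem(s)")
        for name, why in found:
            print(f"  {name}: {why}")
```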