Professional Documents
Culture Documents
GCP - (Fall-2022) GCP Soc 2.
GCP - (Fall-2022) GCP Soc 2.
GCP - (Fall-2022) GCP Soc 2.
m
co
n.
io
ac
rm
System and Organization Controls (SOC) 2 Type II Report
fo
Table of Contents
SECTION I - Google's Management Assertion ....................................................................... 1
SECTION II - Independent Service Auditor's Report.............................................................. 3
SECTION III - Description of the Google Cloud Platform System ......................................... 8
A. Overview of Operations ...................................................................................................... 9
B. Relevant Aspects of Internal Control .................................................................................34
C. Policies .............................................................................................................................35
D. Communications ...............................................................................................................39
E. Procedures........................................................................................................................40
m
F. Monitoring .........................................................................................................................48
co
G. Complementary User Entity Control Considerations .........................................................49
n.
SECTION IV - Description of Criteria, Controls, Tests and Results of Tests ......................53
io
Testing performed and results of tests of entity level controls ................................................54
ac
Control criteria and related controls for systems and applications..........................................54
rm
Criteria, Controls, Tests and Results of Tests ........................................................................55
fo
m
co
n.
io
ac
rm
fo
in
rv
se
z@
ue
sq
va
.
ra
au
1
Google Confidental Information
Google LLC
1600 Amphitheatre
Parkway
Mountain View, CA, 94043
We have prepared the accompanying "Description of the Google Cloud Platform System"
(Description) of Google LLC ("Google" or "Service Organization") in accordance with the criteria
for a description of a service organization’s system set forth in the Description Criteria DC section
m
200 2018 Description Criteria for a Description of a Service Organization’s System in a SOC 2
co
Report (Description Criteria). The Description is intended to provide report users with information
about the Google Cloud Platform System (System) that may be useful when assessing the risks
n.
arising from interactions with the System throughout the period 1 November 2021 to 31 October
io
2022, particularly information about system controls that the Service Organization has designed,
ac
implemented and operated to provide reasonable assurance that its service commitments and
rm
system requirements were achieved based on the trust services criteria for security, availability,
confidentiality, and privacy set forth in TSP section 100, 2017 Trust Services Criteria for Security,
fo
Availability, Processing Integrity, Confidentiality, and Privacy (applicable trust services criteria).
in
rv
Complementary user entity controls: The Description also indicates that certain trust services
se
criteria specified in the Description can be met only if complementary user entity controls assumed
in the design of Google’s controls are suitably designed and operating effectively, along with
z@
related controls at the Service Organization. The Description does not extend to controls of user
entities.
ue
sq
(a) The Description presents the System that was designed and implemented throughout the
period 1 November 2021 to 31 October 2022 in accordance with the Description Criteria
.
ra
(b) The controls stated in the Description were suitably designed to provide reasonable assurance
au
that the service commitments and system requirements would be achieved based on the
applicable trust services criteria, if the controls operated as described and if user entities
applied the complementary user entity controls assumed in the design of Google’s controls
throughout the period 1 November 2021 to 31 October 2022
(c) The Google controls stated in the Description operated effectively throughout the period 1
November 2021 to 31 October 2022 to achieve the service commitments and system
requirements based on the applicable trust services criteria, if user entities applied the
complementary user entity controls assumed in the design of Google’s controls throughout
the period 1 November 2021 to 31 October 2022
Google LLC
15 December 2022
2
Google Confidental Information
m
co
n.
io
ac
rm
fo
in
rv
se
z@
ue
sq
va
.
ra
au
3
Google Confidental Information
m
accompanying "Description of the Google Cloud Platform System" for the Infrastructure as a
co
Service (IaaS), Software as a Service (SaaS) and Platform as a Service (PaaS) provided to user
n.
entities throughout the period 1 November 2021 to 31 October 2022 (Description) in accordance
io
with the criteria for a description of a service organization’s system set forth in the Description
ac
Criteria DC section 200 2018 Description Criteria for a Description of a Service Organization’s
rm
System in a SOC 2 Report (Description Criteria) and the suitability of the design and operating
effectiveness of controls included in the Description throughout the period 1 November 2021 to
fo
31 October 2022 to provide reasonable assurance that the service commitments and system
in
requirements were achieved based on the trust services criteria for security, availability,
rv
confidentiality, and privacy set forth in TSP section 100, 2017 Trust Services Criteria for Security,
se
Availability, Processing Integrity, Confidentiality, and Privacy (applicable trust services criteria).
z@
Complementary user entity controls: The Description also indicates that Google’s controls can
provide reasonable assurance that certain service commitments and system requirements can
ue
be achieved only if complementary user entity controls assumed in the design of Google’s controls
sq
are suitably designed and operating effectively, along with related controls at the service
organization. Our examination did not extend to such complementary user entity controls and we
va
have not evaluated the suitability of the design or operating effectiveness of such complementary
.
ra
The information in the accompanying "SECTION V - Other Information Provided by Google LLC"
is presented by management of Google to provide additional information and is not part of
Google’s Description. Such information has not been subjected to the procedures applied in our
examination and, accordingly we express no opinion on it.
Google’s responsibilities
Google is responsible for its service commitments and system requirements and for designing,
implementing, and operating effective controls within the system to provide reasonable assurance
that the service commitments and system requirements were achieved. Google has provided the
accompanying assertion titled, "Google's Management Assertion" (Assertion), about the
presentation of the Description based on the Description Criteria and suitability of the design and
operating effectiveness of the controls described therein to provide reasonable assurance that
the service commitments and system requirements would be achieved based on the applicable
trust services criteria. Google is responsible for (1) preparing the Description and Assertion; (2)
the completeness, accuracy, and method of presentation of the Description and Assertion; (3)
providing the services covered by the Description; (4) identifying the risks that would threaten the
achievement of the service organization’s service commitments and system requirements; and
(5) designing, implementing, and documenting controls that are suitably designed and operating
effectively to achieve its service commitments and system requirements.
Service auditor’s responsibilities
m
Our responsibility is to express an opinion on the presentation of the Description and on the
co
suitability of the design and operating effectiveness of the controls described therein to achieve
the Service Organization’s service commitments and system requirements, based on our
n.
io
examination.
ac
Our examination was conducted in accordance with attestation standards established by the
rm
American Institute of Certified Public Accountants ("AICPA"). Those standards require that we
plan and perform our examination to obtain reasonable assurance about whether, in all material
fo
respects, (1) the Description is presented in accordance with the Description Criteria, and (2) the
in
controls described therein are suitably designed and operating effectively to provide reasonable
rv
assurance that the service organization’s service commitments and system requirements would
se
be achieved based on the applicable trust services criteria. The nature, timing, and extent of the
procedures selected depend on our judgment, including an assessment of the risk of material
z@
misstatement, whether due to fraud or error. We believe that the evidence we have obtained is
ue
An examination of a description of a service organization’s system and the suitability of the design
and operating effectiveness of controls involves:
va
• Performing procedures to obtain evidence about whether the controls stated in the Description
are presented in accordance with the Description Criteria
• Performing procedures to obtain evidence about whether controls stated in the Description
were suitably designed to provide reasonable assurance that the service organization
achieved its service commitments and system requirements based on the applicable trust
services criteria
• Assessing the risks that the Description is not presented in accordance with the Description
Criteria and that the controls were not suitably designed or operating effectively based on the
applicable trust services criteria
• Testing the operating effectiveness of those controls based on the applicable trust services
criteria
• Evaluating the overall presentation of the Description
Our examination also included performing such other procedures as we considered necessary in
the circumstances.
We are required to be independent of Google and to meet our other ethical responsibilities, as
applicable for examination engagements set forth in the Preface: Applicable to All Members and
Part 1 – Members in Public Practice of the Code of Professional Conduct established by the
AICPA.
m
Inherent limitations
co
The Description is prepared to meet the common needs of a broad range of users and may not,
n.
therefore, include every aspect of the system that each individual user may consider important to
io
its own particular needs.
ac
Because of their nature, controls at a service organization may not always operate effectively to
rm
provide reasonable assurance that the service organization’s service commitments and system
fo
requirements are achieved based on the applicable trust services criteria. Also, the projection to
in
the future of any evaluation of the fairness of the presentation of the Description, or conclusions
about the suitability of the design or operating effectiveness of the controls based on the
rv
applicable trust services criteria is subject to the risk that the system may change or that controls
se
The specific controls we tested and the nature, timing, and results of those tests are listed in the
sq
Opinion
ra
au
Restricted use
This report, including the description of tests of controls and results thereof in the Description of
Tests and Results, is intended solely for the information and use of Google, user entities of the
Google Cloud Platform System during some or all of the period 1 November 2021 to 31 October
2022 and prospective user entities, independent auditors and practitioners providing services to
such user entities who have sufficient knowledge and understanding of the following:
m
• The nature of the services provided by the service organization
co
• How the service organization’s system interacts with user entities, subservice organizations,
n.
or other parties, including complementary user entity controls assumed in the design of the
io
service organization's controls
•
ac
Internal control and its limitations
• User entity responsibilities and how they interact with related controls at the service
rm
organization
fo
• The applicable trust services criteria
in
• The risks that may threaten the achievement of the service organization's service
rv
commitments and system requirements and how controls address those risks
se
This report is not intended to be, and should not be, used by anyone other than these specified
z@
parties.
ue
sq
.va
15 December 2022
ra
San Jose, CA
au
m
co
n.
io
ac
rm
fo
in
rv
se
z@
ue
sq
va
.
ra
au
8
Google Confidental Information
Google LLC
1600 Amphitheatre
Parkway
Mountain View, CA, 94043
A. Overview of Operations
Google LLC (“Google” or “the Company”), an Alphabet subsidiary, is a global technology service
m
provider focused on improving the ways people connect with information. Google’s innovations in
co
web search and advertising have made Google’s website one of the most viewed Internet
destinations and its brand among the most recognized in the world. Google maintains one of the
n.
world’s largest online index of websites and other content, and makes this information freely
io
available to anyone with an Internet connection. Google’s automated search technology helps
ac
people obtain nearly instant access to relevant information from their vast online index.
rm
Google Cloud Platform provides Infrastructure as a Service (IaaS), Software as a Service (SaaS),
fo
and Platform as a Service (PaaS), allowing businesses and developers to build and run any or all
of their applications on Google’s Cloud infrastructure. Customers can benefit from performance,
in
rv
Google’s product offerings for Google Cloud Platform (GCP) provide the unique advantage of
leveraging the resources of Google’s core engineering team while also having a dedicated team
z@
to develop solutions for the corporate market. As a result, these Google offerings are positioned
ue
to innovate at a rapid rate and provide the same level of service that users are familiar with on
google.com.
sq
Google Cloud Platform includes the following services, hereafter described collectively as “Google
va
• Artificial Intelligence (AI) and Machine Learning (ML) - innovative, scalable machine learning
au
services, with pre-trained models and the ability to generate tailored models
• Application Programming Interface (API) Management - develop, deploy, and manage APIs
on any Google Cloud back end
• Compute - a range of computing options tailored to match the size and needs of any
organization
• Data Analytics - tools to capture, process, store and analyze data on a single platform
• Databases - migrate, manage, and modernize data with secure, reliable, and highly available
relational and nonrelational databases
• Developer Tools - a collection of tools and libraries that help development teams work more
quickly and effectively
• Healthcare and Life Sciences - healthcare solution to protect sensitive data and maintain
compliance with numerous requirements across various domains, geographies, and
workloads
• Hybrid and Multi-cloud - connect on-premises or existing cloud infrastructure with Google
Cloud's scalability and innovation
• Internet of Things (IoT) - scalable, fully-managed IoT cloud services to connect, process,
store, and analyze data at the edge and in the cloud
• Management Tools - manage apps on GCP with a web-based console, mobile app, or Cloud
Shell for real time monitoring, logging, diagnostics, and configuration
• Media and Gaming - build user experiences and empower developers by minimizing
infrastructure complexity and accelerating data insights
• Migration - large-scale, secure online data transfers to Google Cloud Storage and databases
• Networking - a private network using software-defined networking and distributed systems
technologies to host and deliver services around the world
• Operations - suite of products to monitor, troubleshoot, and improve application performance
m
on Google Cloud environments
co
• Security and Identity - manage the security and access to cloud assets, supported by Google’s
n.
own protection of its infrastructure
•
io
Serverless Computing - deploy functions or apps as source code or as containers without
ac
worrying about the underlying infrastructure. Build full stack serverless applications with
Google Cloud’s storage, databases, machine learning, and more
rm
• Storage - scalable storage options and varieties for different needs and price points
•
fo
Other - additional GCP services supporting e-commerce, procurement, billing, and petabyte-
in
The Google Cloud Platform products covered in this system description consist of the following
se
services:
z@
AutoML Tables
• AutoML Translation
• AutoML Video
• AutoML Vision
• Contact Center AI (CCAI)
• Cloud Natural Language API
• Cloud Translation
• Cloud Vision
• Dialogflow
• Document AI
• Insights
• Notebooks (formerly AI Platform Notebooks)
• Speaker ID
• Speech-to-Text
• Talent Solution
• Text-to-Speech
• Vertex AI (formerly AI Platform)
• Video Intelligence API
• Apigee
• API Gateway
• Cloud Endpoints
• Compute
m
App Engine
•
co
Compute Engine
• Google Batch*
n.
io
• Data Analytics
ac
• BigQuery
• Cloud Composer
rm
•
fo
Cloud Data Fusion
• Cloud Life Sciences (formerly Google Genomics)
in
• Data Catalog
rv
• Dataflow
se
• Dataform*
z@
• Datalab***
• Dataproc
ue
• Pub/Sub
va
• Databases
.
ra
• Cloud Bigtable
au
• Cloud Spanner
• Cloud SQL
• Datastore
• Firestore
• AlloyDB (formerly Lux)
• Memorystore
• Developer Tools
• Artifact Registry
• Cloud Build
• Cloud SDK
• Cloud Source Repositories
• Cloud Workstations*
• Container Registry
• Cloud Healthcare
m
Connect
•
co
Google Kubernetes Engine
• Hub
n.
io
• Internet of Things (IoT)
ac
• IoT Core
rm
• Management Tools
fo
•
in
Cloud Console
•
rv
• Cloud Shell
z@
• Service Infrastructure
• Recommenders
ue
•
sq
• Game Servers
•
.
Media CDN*
ra
• Transcoder API*
au
• Migration
• Networking
• Cloud CDN
• Cloud DNS
• Cloud IDS (Cloud Intrusion Detection System)
• Cloud Interconnect
• Cloud Load Balancing
m
• Operations
co
• Cloud Debugger
n.
• Cloud Logging
io
• Cloud Monitoring
ac
• Cloud Profiler
• Cloud Trace rm
fo
• Security and Identity
in
• Access Approval
rv
• Access Transparency
z@
• Assured Workloads
• BeyondCorp Enterprise
ue
• Binary Authorization
sq
• Serverless Computing
• Cloud Functions
• Cloud Functions for Firebase
• Cloud Run (fully managed)
• Cloud Scheduler
• Cloud Tasks
• Datastream
• Eventarc
• Workflows
m
co
• Storage
n.
• Cloud Filestore
io
• Cloud Storage
ac
• Cloud Storage for Firebase
• Persistent Disk
rm
fo
• Other
in
• Google Cloud Threat Intelligence (GCTI) for Chronicle or Threat Intelligence for
se
Chronicle**
z@
• Cloud Billing
• Earth Engine
ue
• GCP Marketplace
sq
• Tables
va
* Indicates products in scope only for the period 1 May 2022 through 31 October 2022
.
ra
** Chronicle (Security Product) and Threat Intelligence for Chronicle are covered by separate
au
m
AI Platform Training and Prediction
co
AI Platform Training and Prediction is a managed service that enables users to easily build
n.
machine learning models with popular frameworks like TensorFlow, XGBoost and Scikit Learn. It
io
provides scalable training and prediction services that work on large datasets.
ac
Anti Money Laundering (AML) AI
rm
AML AI is a machine learning engine which takes customer data and training labels to create a
fo
tailored model covering an extensible typology of risks for AML along with governance
in
AutoML Natural Language enables customers to categorize input text into their own custom
z@
defined labels (supervised classification). Users can customize models to their own domain or
use case.
ue
sq
AutoML Tables
va
AutoML Tables enables data scientists, analysts, and developers to automatically build and
deploy machine learning models on structured data at increased speed and scale.
.
ra
au
AutoML Translation
AutoML Translation is a simple and scalable translation solution that allows businesses and
developers with limited machine learning expertise to customize the Google Neural Machine
Translation (GNMT) model for their own domain or use-case.
AutoML Video
AutoML Video delivers a simple and flexible machine learning service that lets businesses and
customer developers train custom and scalable video models for specific domains or use cases.
AutoML Vision
AutoML Vision is a simple and flexible machine learning service that lets businesses and
developers with limited machine learning expertise train custom and scalable vision models for
their own use cases.
m
co
Cloud Vision enables the understanding of image content by encapsulating machine learning
models in a Representational State Transfer (REST) API. It classifies images into thousands of
n.
categories, detects individual objects and faces within images, and finds and reads printed words
io
contained within images. It can be applied to build metadata on image catalogs, moderate
ac
offensive content, or enable new marketing scenarios through image sentiment analysis. It can
rm
also analyze images uploaded in the request and integrate with image storage on Google Cloud
Storage.
fo
CCAI is a solution for improving the customer experience in user contact centers using AI. CCAI
se
Dialogflow
ue
Dialogflow is a development suite for voice and text conversational apps including chatbots.
sq
Dialogflow is cross-platform and can connect to apps (on the web, Android, iOS, and IoT) or
va
Document AI
au
Document AI classifies and extracts structured data from documents to help streamline data
validation and automate business processes.
Insights
Insights Contact Center AI (CCAI) is aimed at contact centers. It features virtual agent and agent
assist, which improve the contact center experience during conversations. After completion,
conversations can be analyzed with AI models and algorithms to present valuable metrics to
customers.
Notebooks
Notebooks is a managed service that offers an integrated JupyterLab environment in which
machine learning developers and data scientists can create instances running JupyterLab that
come pre-installed with the latest data science and machine learning frameworks in a single click.
Speaker ID
Speaker ID allows customers to enroll user voice prints and later verify users against a previously
enrolled voice print.
Speech-to-Text
Speech-to-Text allows developers to convert audio to text by applying powerful neural network
models in an easy to use API.
Talent Solution
Talent Solution offers access to Google's machine learning, enabling company career sites, job
boards, ATS, staffing agencies, and other recruitment technology platforms to improve the talent
m
acquisition experience.
co
Text-to-Speech
n.
Text-to-Speech synthesizes human-like speech based on input text in a variety of voices and
io
languages.
ac
Vertex AI rm
Vertex AI is a service for managing the entire lifecycle of AI and machine learning development.
fo
With Vertex AI, one can (i) manage image, video, text, and tabular datasets and associated labels,
in
(ii) build machine learning pipelines to train and evaluate models using Google Cloud algorithms
rv
or custom training code, and (iii) deploy models for online or batch use cases all on scalable
se
managed infrastructure (including additional discovery points and API endpoints for functionality
z@
replacing the legacy services of AI Platform Data Labeling, AI Platform Training and Prediction,
AutoML Natural Language, AutoML Video, AutoML Vision, and AutoML Tables).
ue
Video Intelligence API makes videos searchable, and discoverable, by extracting metadata
va
through a REST API. It annotates videos stored in Google Cloud Storage and helps identify key
.
noun entities in a video and when they occur within the video.
ra
au
API Management
Apigee
Apigee is a full-lifecycle API management platform that lets customers design, secure, analyze,
and scale APIs, giving them visibility and control. Apigee is available as Apigee, a fully-managed
service, Apigee hybrid, a hybrid model that's partially hosted and managed by the customer, or
Apigee Private Cloud, an entirely customer hosted Premium Software solution. Apigee Private
Cloud is not in scope for this report.
API Gateway
API Gateway is a fully-managed service that enables users to develop, deploy, and secure APIs
running on Google Cloud Platform.
Cloud Endpoints
Cloud Endpoints is a tool that provides services to develop, deploy, secure and monitor APIs
running on Google Cloud Platform.
Compute
App Engine
App Engine enables the building and hosting of web apps on the same systems that power Google
applications. App Engine offers fast development and deployment of applications without the need
to manage servers or other low-level infrastructure components. Scaling and software patching
are handled by App Engine on the user's behalf. App Engine also provides the ability to create
managed virtual machines (VMs). In addition, client APIs can be built for App Engine applications
m
using Google Cloud Endpoints.
co
Compute Engine
n.
io
Compute Engine offers scalable and flexible virtual machine computing capabilities in the cloud.
ac
With virtual machines that can boot in minutes, it offers many configurations including custom
machine types that can be optimized for specific use cases as well as support for Graphics
rm
Processing Units (GPUs), Tensor Processing Units (TPUs) and Local Solid State Drive (SSD).
fo
Additionally, customers can enable Shielded VMs to provide advanced platform security.
in
Google Batch
rv
Batch is a fully managed service that lets users schedule, queue, and execute batch processing
se
workloads on Compute Engine virtual machine (VM) instances. Batch provisions resources and
z@
manages capacity on users’ behalf, allowing user batch workloads to run at scale.
ue
Data Analytics
sq
BigQuery
va
BigQuery is a fully managed, petabyte-scale analytics data warehouse that features scalable data
.
ra
storage and the ability to perform ad hoc queries on multi-terabyte datasets. BigQuery allows
users to share data insights via the web and control access to data based on business needs.
au
Cloud Composer
Cloud Composer is a managed workflow orchestration service that can be used to author,
schedule, and monitor pipelines that span across clouds and on-premises data centers.
Cloud Data Fusion
Cloud Data Fusion is a fully managed, cloud native, enterprise data integration service for building
and managing data pipelines. Cloud Data Fusion provides a graphical interface that allows
customers to build scalable data integration solutions to cleanse, prepare, blend, transfer, and
transform data.
m
the Apache Beam Software Development Kits (SDKs) with composable primitives for building
co
data-processing pipelines for batch or continuous processing. This service manages the lifecycle
of Compute Engine resources for the processing pipeline(s) and provides a monitoring interface
n.
for understanding pipeline health.
io
ac
Dataform
rm
Dataform is a service for data analysts to develop, test, version control, and schedule complex
SQL workflows for data transformation in BigQuery. Dataform lets users manage data
fo
transformation in the Extraction, Loading, and Transformation (ELT) process for data integration.
in
After raw data is extracted from source systems and loaded into BigQuery, Dataform helps users
rv
Datalab
z@
visualization of data on Google Cloud Platform. It provides analytical and storage services to
analyze data on the platform.
sq
va
Dataproc
.
ra
other related open source data processing tools. With Cloud Dataproc, clusters can be created
and deleted on-demand and sized to fit whatever workload is at hand.
Looker Studio (formerly Data Studio)
Looker Studio is a visualization and business intelligence product that enables users to connect
to multiple datasets and turn their data into informative, easy to share, and fully customizable
dashboards and reports.
Pub/Sub
Pub/Sub provides reliable, many-to-many, asynchronous messaging between applications.
Publisher applications can send messages to a topic while other applications can subscribe to
that topic to receive the messages. By decoupling senders and receivers, Cloud Pub/Sub allows
communication between independent applications.
Databases
Cloud Bigtable
Cloud Bigtable is a low-latency, fully managed, highly scalable NoSQL database service. It is
designed for the retention and serving of data from gigabytes to petabytes in size.
Cloud Spanner
Cloud Spanner is a fully managed, scalable, relational database service. It is designed to provide
a scalable online transaction processing (OLTP) database with high availability and ACID
(Atomicity, Consistency, Isolation, Durability) transactions with synchronous replication of data
across regions.
m
Cloud SQL
co
Cloud SQL is a service to create, configure, and use managed third-party relational databases in
n.
Google Cloud Platform. Cloud SQL maintains, manages, and administers those databases.
io
Datastore
ac
Datastore is a highly-scalable NoSQL database for mobile and web applications. It provides query
rm
capabilities, atomic transitions, index, and automatically scales up and down in response to load.
fo
Firestore
in
rv
Firestore is a fully managed, scalable, serverless NoSQL document database for mobile, web,
se
and server development. It provides query capabilities, live synchronization and offline support.
z@
AlloyDB is an enterprise grade database product that combines the familiarity of open source DB
front-ends, like PostgreSQL, with custom-built storage, query and connectivity layers for superior
sq
Memorystore
.
ra
Memorystore for Redis (Remote Dictionary Server) provides a fully managed in-memory data
au
store service for GCP. Cloud Memorystore can be used to build application caches that provide
low latency data access. Cloud Memorystore is compatible with the Redis protocol, allowing
seamless migration with no code changes.
Developer Tools
Artifact Registry
Artifact Registry is a service for managing container images and packages. It is integrated with
Google Cloud tooling and runtimes and comes with support for native artifact protocols. This
makes it simple to integrate it with user CI/CD tooling to set up automated pipelines.
Cloud Build
Cloud Build allows for the creation of container images from application source code located in
Google Cloud Storage or in a third-party service (e.g., Github, Bitbucket). Created Container
images can be stored in Container Registry and deployed on Container Engine, Compute Engine,
App Engine Flexible Environment or other services to run applications from Docker containers.
Cloud SDK
Cloud SDK is a set of command-line tools for the Google Cloud Platform that can be run
interactively or in automated scripts. These tools can be used to manage supported Google Cloud
Platform products, including Compute Engine virtual machines, Kubernetes clusters, network and
firewall configurations, and disk storage.
Cloud Source Repositories
Cloud Source Repositories provides Git version control to support collaborative development of
any application or service as well as a source browser that can be used to browse the contents
m
of repositories and view individual files from within the Cloud Console. Cloud Source Repositories
co
and related tools (e.g., Cloud Debugger) can be used to view debugging information alongside
n.
code during application runtime.
io
Cloud Workstations
ac
Cloud Workstations provides preconfigured, customizable, and secure managed development
rm
environments on Google Cloud. Cloud Workstations is accessible through a browser-based
fo
Integrated Development Environment (IDE), from multiple local code editors (such as IntelliJ IDEA
Ultimate or VS Code), or through SSH. Instead of manually setting up development environments,
in
users can create a workstation configuration specifying user environments in a reproducible way.
rv
se
Container Registry
z@
Container Registry is a private Docker image storage system on Google Cloud Platform.
ue
Firebase Test Lab provides cloud-based infrastructure for testing apps on physical and virtual
va
devices. Developers can test their apps across a wide variety of devices with Firebase Test Lab.
.
Google Cloud Deploy is a managed service that automates delivery of user applications to a
series of target environments in a defined promotion sequence. When users want to deploy
updated applications, users create a release, whose lifecycle is managed by a delivery pipeline.
Healthcare and Life Sciences
Cloud Healthcare
Cloud Healthcare provides managed services and an API to store, process, manage, and retrieve
healthcare data in a variety of industry standard formats.
Hybrid and Multi-cloud
The scope of the services included in this report is limited to the services managed by Google
and does not extend to the application of the services in other cloud service providers'
environments by the user entity. Refer to the Terms of Services (https://cloud.google.com/terms/
services) for additional details.
m
co
Anthos Service Mesh is a managed service mesh service that includes (i) a managed certificate
authority that issues cryptographic certificates that identify customer workloads within the Anthos
n.
Service Mesh for mutual authentication, and (ii) telemetry for customers to manage and monitor
io
their services. Customers receive details showing an inventory of services, can understand their
ac
service dependencies, and receive metrics for monitoring their services. Anthos Service Mesh is
rm
provided as a service and as a software. The Anthos Service Mesh software offering is not in
scope for this report.
fo
Cloud Run for Anthos enables customers to run stateless containers on Anthos. Cloud Run for
se
Anthos is provided as a service and as a software. The Cloud Run for Anthos software offering is
not in scope for this report.
z@
Connect
ue
Connect is a service that allows users to connect Kubernetes clusters to Cloud. This enables both
sq
users and Google-hosted components to interact with clusters through a connection to the in-
va
Google Kubernetes Engine, powered by the open source container scheduler Kubernetes, runs
containers on Google Cloud Platform. Kubernetes Engine manages provisioning and maintaining
the underlying virtual machine cluster, scaling applications, and operational logistics such as
logging, monitoring, and cluster health management.
Hub
Hub is a centralized control-plane that enables a user to centrally manage features and services
on customer-registered clusters running in a variety of environments, including Google’s cloud,
on-premises in customer data centers, or other third-party clouds.
m
from Cloud Console.
co
Cloud Console App
n.
Cloud Console App is a native mobile app that provides monitoring, alerting, and the ability to
io
take actions on resources.
ac
Cloud Deployment Manager rm
Cloud Deployment Manager is an infrastructure management service which automates creation,
fo
Cloud Shell
se
Cloud Shell provides command-line access to Google Cloud Platform resources through an in-
z@
browser Linux shell backed by a temporary Linux VM in the cloud. It allows projects and resources
to be managed without having to install additional tools on systems and comes equipped and
ue
configured with common developer tools such as text editors, a MySql client and Kubernetes.
sq
Recommenders
va
across services to help use Google Cloud Platform in a more secure, cost-effective, and efficient
au
manner.
Service Infrastructure
Service Infrastructure is a foundational platform for creating, managing, securing, and consuming
APIs and services. It includes:
• Service Management API, which lets service producers manage their APIs and services;
• Service Consumer Management API, which lets service producers manage their relationships
with their service consumers;
• Service Control API, which lets managed services integrate with Service Infrastructure for
admission control and telemetry reporting functionality; and
• Service Usage API, which lets service consumers manage their usage of APIs and services.
m
Transcoder API
co
Transcoder API can batch convert media files into optimized formats to enable streaming across
n.
web, mobile, and living room devices. It provides fast, easy to use, large-scale processing of
advanced codecs while utilizing Google’s storage, networking, and delivery infrastructure.
io
ac
Migration
rm
BigQuery Data Transfer Service
fo
BigQuery Data Transfer Service automates data movement from Software as a Service (SaaS)
in
Database Migration Service is a fully managed migration service that enables users to perform
high fidelity, minimal-downtime migrations at scale. Users can use Database Migration Service to
ue
migrate from on-premises environments, Compute Engine, and other clouds to certain Google
sq
Cloud-managed databases.
va
Migrate for Compute Engine V5.0 and up is a fully-managed migration service that enables users
au
to migrate workloads at scale into Google Cloud Compute Engine with minimal down time by
utilizing replication-based migration technology.
Storage Transfer Service
Storage Transfer Service provides the ability to import large amounts of online data into Google
Cloud Storage. It can transfer data from Amazon Simple Storage Service (Amazon S3) and other
HTTP/HTTPS locations as well as transfer data between Google Cloud Storage buckets.
Networking
Cloud CDN
Cloud Content Delivery Network (CDN) uses Google’s distributed network edge points of
presence to cache HTTP(S) load balanced content.
Cloud DNS
Cloud DNS is a fully managed Domain Name System (DNS) service which operates a
geographically diverse network of high-availability authoritative name servers. Cloud DNS
provides a service to publish and manage DNS records for applications and services.
Cloud IDS (Cloud Intrusion Detection System)
Cloud IDS is a managed service that aids in detecting certain malware, spyware, command-and-
control attacks, and other network-based threats.
Cloud Interconnect
Cloud Interconnect offers enterprise-grade connections to Google Cloud Platform. This solution
m
provides direct connection between on-premise networks and GCP Virtual Private Cloud.
co
Cloud Load Balancing
n.
Cloud Load Balancing is a distributed, software-defined, managed service for all traffic (HTTP(S),
io
TCP/SSL, and UDP) to computing resources. Cloud Load Balancing rapidly responds to changes
ac
in traffic, network, backend health and other related conditions.
rm
Cloud NAT
fo
Cloud Network Address Translation (NAT) enables virtual machine instances in a private network
in
Cloud Router
z@
Cloud Router enables dynamic Border Gateway Protocol (BGP) route updates between a Virtual
Private Cloud (VPC) network and an external network, typically an on-premise network.
ue
Cloud VPN
sq
Cloud Virtual Private Network (VPN) provides connections between on-premises or other external
va
networks to Virtual Private Clouds on GCP via an IPsec connection or can be used to connect
.
ra
m
co
Spectrum Access System enables users to access the Citizens Broadband Radio Service (CBRS)
in the United States, the 3.5 GHz band that is available for shared commercial use. Users can
n.
use Spectrum Access System to register CBRS devices, manage CBRS deployments, and
io
access a non-production test environment.
ac
Traffic Director rm
Traffic Director is Google Cloud Platform's traffic management service for open-source service
fo
meshes.
in
rv
Virtual Private Cloud is a comprehensive set of managed networking capabilities for Google Cloud
z@
Cloud Debugger
va
Cloud Debugger provides the ability to inspect the call-stack and variables of a running cloud
application in real-time without stopping it. It can be used in test, production or any other
.
ra
Cloud Logging
Cloud Logging is a hosted solution that helps users gain insight into the health, performance and
availability of their applications running on Google Cloud Platform and other public cloud
platforms. It includes monitor dashboards to display key metrics, define alerts and report on the
health of cloud systems. The components of Cloud Logging that run on other public cloud
platforms are not in scope for this report.
Cloud Monitoring
Cloud Monitoring provides visibility into the performance, uptime, and overall health of cloud-
powered applications. Cloud Monitoring collects metrics, events, and metadata from certain
Services, hosted uptime probes, application instrumentation, alert management, notifications and
a variety of application components.
Cloud Profiler
Cloud Profiler continuously gathers and reports source-level performance information from
production services. It provides key information to determine what functions in code consume the
most memory and CPU cycles so insights can be gained on how code operates to improve
performance and optimize computing resources.
Cloud Trace
Cloud Trace collects latency data from applications and displays it in the Google Cloud Platform
Console. It automatically analyzes trace data to generate in-depth performance reports that help
identify and locate performance bottlenecks.
Security and Identity
m
co
Access Approval
n.
Access Approval allows customers to approve eligible manual, targeted access by Google
io
administrators to their data or workloads prior to access being granted.
ac
Access Context Manager
rm
Access Context Manager allows customer administrators to define attribute-based access control
fo
for projects, apps and resources.
in
Access Transparency
rv
se
Access Transparency captures near real-time logs of certain manual, targeted accesses by
Google personnel, and provides them via Cloud Logging accounts.
z@
Assured Workloads
ue
Assured Workloads provides functionality to create security controls that are enforced on
sq
customer cloud environment and can assist with compliance requirements (e.g. FedRAMP
va
Moderate compliance).
.
ra
BeyondCorp Enterprise
au
m
stored and managed in a third-party key management system deployed outside Google's
co
infrastructure.
n.
Cloud Hardware Security Module (HSM)
io
Cloud HSM is a cloud-hosted Hardware Security Module (HSM) service for hosting encryption
ac
keys and performing cryptographic operations.
rm
Cloud Key Management Service (KMS)
fo
Cloud KMS is a cloud-hosted key management service that manages encryption for cloud
in
services. It enables the generation, use, rotation, and destruction of encryption keys.
rv
se
Firebase Authentication
z@
Firebase Authentication is a fully managed user identity and authentication system providing
backend services enabling sign-in and sign-up experiences for an application or service.
ue
Google Cloud Identity-Aware Proxy (Cloud IAP) is a tool that helps control access to applications
va
Identity & Access Management (IAM) enables the administration and authorization of accesses
to specific resources and provides a unified view into security policies across entire organizations
with built-in auditing.
Identity Platform
Identity Platform is a customer identity and access management (CIAM) platform delivered by
Google Cloud enabling organizations to add identity management and user security to their
applications or services.
Key Access Justifications (KAJ)
Key Access Justifications (KAJ) provides a justification for every request sent through Cloud EKM
for an encryption key that permits data to change state from at-rest to in-use.
m
Resource Manager API allows users to programmatically manage Google Cloud Platform
co
container resources (such as Organizations and Projects) to group and hierarchically organize
other Google Cloud Platform resources. This hierarchical organization enables users to manage
n.
common aspects of resources such as access control and configuration settings.
io
ac
Risk Manager
rm
Risk Manager allows customers to scan their cloud environments and generate reports around
their compliance with industry-standard security best practices, including CIS benchmarks.
fo
Customers then have the ability to share these reports with insurance providers and brokers.
in
rv
Secret Manager
se
Secret Manager provides a secure method for storing API keys, passwords, certificates, and other
z@
sensitive data.
Security Command Center
ue
sq
Security Command Center is a log monitoring and security scanning tool that generates analytics
and dashboards to help customers to prevent, detect, and respond to Google Cloud security and
va
data threats.
.
ra
VirusTotal
au
VirusTotal enables organizations to research and hunt for malware, to investigate security
incidents, to automate analysis, and to keep user investigations private and secure.
VPC Service Controls
VPC Service Controls provides administrators with the ability to configure security perimeters
around resources of API based cloud services (such as Cloud Storage, BigQuery, Bigtable) and
limit access to authorized VPC networks.
Web Risk API
Web Risk API is a Google Cloud service that lets client applications check URLs against Google's
constantly updated lists of unsafe web resources.
Serverless Computing
Cloud Functions
Cloud Functions is a serverless compute solution that runs single-purpose functions in response
to GCP events and HTTP calls (webhooks). Cloud Functions can be triggered asynchronously by
Cloud Pub/Sub, Cloud Storage, GCP infrastructure events, and Firebase products. Cloud
Functions scales automatically to meet request load and the user does not need to manage
servers or the runtime environment.
Cloud Functions for Firebase
Cloud Functions for Firebase are developer tools used for development and deployment of
Google Cloud Functions. Cloud Functions enable developers to run their own backend code that
m
executes automatically based on HTTP requests and Firebase and Google Cloud Platform
co
events. Developers functions are stored in Google’s cloud and run in a managed Node.js
n.
environment.
io
Cloud Run (fully managed)
ac
Cloud Run (fully managed) is a serverless, managed compute platform that automatically scales
rm
stateless HTTP containers, running requests or event-driven stateless workloads. Cloud Run
fo
provides the flexibility to run services on a fully managed environment.
in
Cloud Scheduler
rv
Cloud Scheduler is a fully managed enterprise-grade cron job scheduler. It allows customers to
se
schedule jobs, including batch, big data jobs, cloud infrastructure operations, and more. It also
z@
acts as a single interface for managing automation tasks, including retries in case of failure to
reduce manual toil and intervention.
ue
Cloud Tasks
sq
va
Cloud Tasks is a fully managed service that allows customers to manage the execution, dispatch,
and delivery of a large number of distributed tasks.
.
ra
Datastream
au
Datastream is a serverless and easy-to-use change data capture (CDC) and replication service
that allows users to synchronize data streams across heterogeneous databases and applications
reliably and with minimal latency. Datastream supports streaming changes to data from Oracle
and MySQL databases into Cloud Storage.
Eventarc
Eventarc is a fully-managed service for eventing on Google Cloud Platform. Eventarc connects
various Google Cloud services together, allowing source services (e.g., Cloud Storage) to emit
events that are delivered to target services (e.g., Cloud Run or Cloud Functions).
Workflows
Workflows is a fully-managed service for reliably executing sequences of operations across
microservices, Google Cloud services, and HTTP-based APIs
Storage
Cloud Filestore
Cloud Filestore is a service for fully managed Network File System (NFS) file servers for use with
applications running on Compute Engine virtual machines (VMs) instances or Google Kubernetes
Engine clusters.
Cloud Storage
Cloud Storage is Google Cloud Platform's unified object/blob storage. It is a RESTful service for
storing and accessing data on Google Cloud Platform's infrastructure. It combines the simplicity
of a consistent API and latency across different storage classes with reliability, scalability,
performance and security of Google Cloud Platform.
m
co
Cloud Storage for Firebase
n.
Cloud Storage for Firebase adds customizable Google security (via Firebase Security Rules for
io
Cloud Storage) to file uploads and downloads for Firebase apps. Cloud Storage for Firebase is
ac
backed by Google Cloud Storage, a service for storing and accessing data on Google's
infrastructure. rm
Persistent Disk
fo
in
Persistent Disk provides a persistent virtual disk for use with Google Compute Engine and Google
rv
Kubernetes Engine compute instances. It is available in both SSD (Solid State Drive) and HDD
(Hard Disk Drive) variations.
se
z@
Other
Cloud Billing
ue
sq
Cloud Billing provides methods to programmatically manage billing for projects on the Google
Cloud Platform.
va
Chronicle’s product offering (“Chronicle”) allows enterprise customers to better analyze their own
au
security telemetry through enhanced, curated analytics and investigative visualizations enabling
enterprises to more rapidly detect, prevent and block harm to their systems, networks and data.
Google Cloud Threat Intelligence (GCTI) or Threat Intelligence for Chronicle
Google Cloud Threat Intelligence is a service extension for Chronicle that hunts for threats in
external customer environments. This effort includes active research for new and emerging
threats. It also includes focused batch hunting that extracts suspicious logs warranting either
special review or logs that should be automatically sent to customers.
Earth Engine
Earth Engine combines a multi-petabyte catalog of satellite imagery and geospatial datasets with
planetary-scale analysis capabilities. Scientists, researchers, and developers can use Earth
Engine to detect changes, map trends, and quantify differences on the Earth's surface.
GCP Marketplace
Google Cloud Platform (GCP) Marketplace offers ready-to-go development stacks, solutions, and
services from third-party partners and Google to accelerate development. It enables the
deployment of production-grade solutions, obtains direct access to partner support, and receives
a single bill for both GCP and third-party services.
Tables
Tables is a lightweight collaborative database to help organize and automate tasks or processes
for small teams and businesses.
Data Centers
m
The above products are serviced from data centers operated by Google around the world. Below
co
is a list of Google's production data center locations that host the above products and operations
for Google Cloud Platform:
n.
io
North America, South America
ac
• Arcola (VA), United States of America
• Ashburn (1) (VA), United States of America
rm
• Ashburn (2) (VA), United States of America
fo
m
• Frankfurt (3), Hesse, Germany
co
• Frankfurt (4), Hesse, Germany
n.
• Frankfurt (5), Hesse, Germany
io
• Frankfurt (6), Hesse, Germany
ac
• Frankfurt (7), Hesse, Germany
• Fredericia, Denmark rm
• Ghlin, Hainaut, Belgium
fo
• Hamina, Finland
in
• Middenmeer, Netherlands
.
ra
• Changhua, Taiwan
• Delhi, India
• Hong Kong (1), Hong Kong
m
• Seoul (2), South Korea
co
• Sydney (1), NSW, Australia
n.
• Sydney (2), NSW, Australia
io
• Sydney (3), NSW, Australia
ac
• Sydney (4), NSW, Australia⁺
• Wenya, Singapore rm
fo
⁺ Indicates data centers in scope only for the period 1 May 2022 through 31 October 2022
in
As defined by the American Institute of Certified Public Accountants (AICPA), internal control is a
process affected by an entity’s board of directors, management, and other personnel and consists
z@
consciousness of its people. It is the foundation for all other components of internal control,
providing discipline and structure
va
communication systems. These enable the entity’s people to capture and exchange
au
• Policies (Control Environment and Risk Assessment) – The entity has defined and
documented its policies relevant to the particular principle
• Communications (Information and Communication) – The entity has communicated its defined
policies to responsible parties and authorized users of the system
• Procedures (Control Activities) – The entity placed in operation procedures to achieve
objectives in accordance with its defined policies
• Monitoring (Monitoring Activities) – The entity monitors the system and takes action to
maintain compliance with its defined policies
With respect to internal controls and relevant customers, Google defines Customers as enterprise
users that have entered into an agreement, under which Google has agreed to provide Google
Cloud Platform services as a data processor.
m
C. Policies
co
Internal Control Environment
n.
io
Google has designed its internal control environment with the objective of providing reasonable,
ac
but not absolute, assurance as to the security, availability, confidentiality, and privacy of the
rm
financial and user information, as well as the protection of assets from unauthorized use or
disposition. Management has established and maintains an internal control structure that monitors
fo
compliance with established policies and procedures.
in
Google has established internal compliance teams utilizing scalable processes to efficiently
rv
manage core infrastructure and product-related security, availability, confidentiality, and privacy
se
controls.
z@
To maintain internal compliance, Google has established a disciplinary process for non-
ue
compliance with the Code of Conduct, security and privacy policies, and other personnel
requirements which could include dismissal, lawsuits, and/or criminal prosecution.
sq
The organization utilizes technologies to support the workforce in both remote and office work
va
computer equipment and other hardware consider staff adjustments in order to maintain business
operations and ensure safety of personnel.
au
Service Commitments
Commitments are declarations made by management to customers regarding the performance
of the Google Cloud Platform System. Commitments to customers are communicated via Terms
of Service, Google Cloud Platform Service Level Agreements, and/or Data Processing
Agreements. Data Processing Agreements define the security and privacy obligations which the
processors must meet to satisfy the organization's obligations regarding the processing and
security of customer data.
System Requirements
Google has established internal policies and processes to support the delivery of Google Cloud
Platform System products to customers. These internal policies are developed in consideration
of legal and regulatory obligations, to define Google’s organizational approach and system
requirements.
The delivery of these services depends upon the appropriate internal functioning of system
requirements defined by Google to meet customer commitments.
The following processes and system requirements function to meet Google’s commitments to
customers with respect to the terms governing the security and privacy of customer data:
• Access Security: Google maintains data access and logical security policies, designed to
prevent unauthorized persons and/or systems from gaining access to systems used to
process personal data. Access to systems is restricted based on the principle of least privilege
• Change Management: Google requires standard change management procedures to be
applied during the design, development, deployment, and maintenance of Google
applications, systems, and services
• Incident Management: Google monitors security event logs and alerts to determine the
m
validity of security or privacy threats. Potential threats, including threats related to security and
co
privacy are escalated to the appropriate team including incident management. Google’s
n.
dedicated security personnel will promptly investigate and respond to potential and known
incidents
io
• Data Management: Google complies with any obligations applicable to it with respect to the
ac
processing of Customer Personal Data. Google processes data in accordance with Google
rm
Cloud Platform Terms of Service and/or Data Processing Agreements, and complies with
fo
applicable regulations
• Data Security: Google maintains data security and privacy policies and implements technical
in
steps to ensure compliance with the security measures by its employees, contractors, and
z@
practices of third-party suppliers to ensure they provide a level of security and privacy
sq
appropriate to their access to data and the scope of the services they are engaged to provide.
Google conducts routine inspections of subprocessors to ensure their continued compliance
va
with the agreed upon security and privacy requirements. Google defines security and privacy
.
ra
practices that must be applied to the processing of data and obtains contractual commitments
from suppliers to comply with these practices.
au
Hiring Practices
Google has designed formal global hiring practices to help ensure that new, rehired, or transferred
employees are qualified for their functional responsibility. Every employee has a written job
description that lists qualifications, such as requisite skills and experience, which candidates must
meet in order to be hired by Google. Where local labor law or statutory regulations permit, Google
may conduct criminal, credit, and/or security checks on all potential employees as well as
verification of the individual’s education, previous employment, and referrals. The specifics or
extent of background checks performed depend on the position and location for which the
individual is applying.
Upon acceptance of employment, all employees are required to execute a confidentiality
agreement as well as acknowledge receipt and compliance with Google's Employee Handbook.
The confidentiality and privacy of customer data is emphasized in the handbook and also during
m
provide risk management support through policy guidelines and internal consulting services.
co
n.
Google develops and maintains a risk management framework to manage risk to an acceptable
level for Google Cloud Platform. Google has developed vulnerability management guidelines and
io
regularly analyzes the vulnerabilities associated with the system environment. Google takes into
ac
consideration various threat sources such as insider attacks, external attacks, errors and
rm
omissions, and third-party related issues such as inadvertent disclosure of Google confidential
information (for example, payroll data) by a third party.
fo
in
Factors, including threat-source motivation and capability, nature of the vulnerability, and
rv
existence and effectiveness of current controls, are considered in determining the probability that
se
a potential vulnerability may be exposed. The likelihood that a potential vulnerability could be
exposed by a given threat-source is designated by Google as high, medium, or low.
z@
Google then determines the potential adverse impact resulting from a successful exploitation of
ue
vulnerabilities. The highest priority is given to any potential compromise of user data.
sq
The level of risk and remediation priority for a particular threat/vulnerability pair is expressed as a
va
function of:
.
ra
regarding their analysis. Remediation of security and privacy deficiencies are tracked through
internal tools and remediation plans.
Third-Party Risk Management
Google may utilize third-party vendors to support Google Cloud Platform. Prior to onboarding,
Google completes the nondisclosure agreement (NDA) then performs the vendor security
assessments (VSA) on all vendors with whom Google shares confidential or sensitive information,
including user data. A VSA is an important health check of a vendor’s operational security posture.
It assesses if a vendor adheres to generally accepted security and data protection best practices.
The outcome of a VSA is a risk assessment and an approval that determines if a vendor should
or can be used. At a high level, each of these assessments involves:
m
An initial risk assessment to determine if a VSA is required or not such as instances where
vendors handle, collect, or access any User Data, or Business Data that is classified as Need-
co
to-Know
n.
• A risk-based review of the policies, processes and controls the vendor has in place compared
io
to generally accepted security best practices using questionnaire-based information gathering
ac
• A tailored risk assessment for Mergers and Acquisitions due diligence or third-party risk
rm
management in partnerships, joint ventures, and other complex relationships.
• Reviewing and citing independent verification of the security state of systems relevant to
fo
A subset of vendors are considered to be subprocessors based on the data sharing relationship
rv
between the vendor and Google. Google utilizes subprocessors to support Google Cloud
se
Platform, and has established expectations for subprocessors related primarily to security and
z@
privacy. The meeting of these expectations are subject to periodic review by Google. However,
subprocessors do not manage or perform any Google Cloud Platform controls tested herein.
ue
Google maintains a Subprocessor Audit Program that is tasked with the periodic information
sq
security and privacy assessment of subprocessors using ISO 27001 as the baseline. Google
va
SOC 2 reports, or onsite/virtual inspections. In the case that Google identifies any deviations in
ra
the performance of subprocessor controls, findings are evaluated by Google and discussed with
au
the subprocessors upon completion of the audit. When applicable, remediation plans are put in
place to timely resolve issues.
Google has also implemented a Subprocessor Data Processing Agreement (SDPA) to contract
with subprocessors. The SDPA defines the security and privacy obligations which the
subprocessor must meet to satisfy Google's obligations regarding customer data, prior to Google
granting such access. Per the Data Processing Addendum, Google notifies the customer prior to
onboarding a new subprocessor. Information about the subprocessor including function and
location is externally published (see https://cloud.google.com/terms/subprocessors and
https://workspace.google.com/intl/en/terms/subprocessors.html).
Data Confidentiality and Privacy
Google has established training programs for privacy and information security to support data
confidentiality. All Google personnel are required to complete these training programs within 90
days of joining the organization and annually thereafter. All new product and product-feature
launches that include collection, processing, or sharing of user data are required to go through an
internal security and privacy design review process. These reviews are performed by the security,
legal, and privacy teams. Databases and web sites exist to track and monitor progress of Google
Cloud Platform project developments. In addition to the preventative controls, Google has also
established detective measures to investigate and determine the validity of security threats. In the
case of an incident there are incident response processes to report and handle events related to
topics such as security and confidentiality. Google establishes confidential agreements, including
nondisclosure agreements, for preserving confidentiality of information and software exchange
with external parties.
For government agency data requests, Google has mechanisms in place to record and track
transfers and disclosures of users data to third parties. Customers are notified of third party data
requests in accordance with any procedure and time period agreed in the contract, unless such
m
disclosure is prohibited by law. As a data processor, Google limits disclosures of customer data
co
to disclosures that are legally required or authorized by the data controller.
n.
Internal Functions and Policies
io
ac
Formal organizational structures exist and are available to Google personnel on the Company’s
intranet. The intranet provides drill-down functionality for identifying personnel in the functional
rm
operations team. Google has developed and documented formal policies, procedures, and job
fo
descriptions for operational areas including data center operations, security administration,
in
system and hardware change management, hiring, training, performance appraisals, terminations
rv
and incident escalation. These policies and procedures have been designed to segregate duties
and enforce responsibilities based on job functionality. Google has also developed the Data
se
Security Policy, Data Classification Guidelines and Security Labels for Google Information and
z@
Privacy policies to establish procedures for information labeling and handling in accordance with
the Google guidelines. Additionally, Google maintains policies that define the requirements for
ue
the use of cryptography and policies for securing mobile devices to help ensure company and
sq
customer data are protected. Policies are reviewed annually, and other materials derived from
va
policies, like guidelines, FAQs, and other related documents are reviewed and updated as
needed.
.
ra
D. Communications
au
m
for reporting potential security and privacy concerns or incidents. Google has also implemented
various methods of communication to help ensure that user entities understand Google’s
co
commitments to security, availability, and confidentiality for Google Cloud Platform; and to help
n.
ensure that significant events are communicated to user entities in a timely manner. The primary
io
conduit for communication is the Google web site, which is made available to all user entities.
ac
This includes blog postings on the Official Google Blog and various product specific blogs support
forums, and release notes. Google provides 24 x 7 assistance, including online and phone support
rm
to address customers’ concerns. Customer service and/or technical support representatives are
fo
also an important communication channel, as they maintain records of problems reported by the
in
user entity. Customer service representatives also assist in communicating information regarding
rv
new issues and/or developments, changes in services, and other information. Additionally,
se
As a data processor, Google limits processing to what is specified in the contracts with the
ue
controller or as otherwise required under applicable data protection laws. Customer data is
sq
processed in accordance with the Data Processing Addendum and is externally published (see
https://cloud.google.com/terms/data-processing-terms and
va
responsible for communicating choices available to users regarding collection, use, retention,
ra
disclosure and disposal of personal information. Google does provide customers with
au
E. Procedures
Information Security Program
Google’s Information Security program is designed to safeguard information assets against
unauthorized use, disclosure, modification, damage or loss. The program includes educating
Google personnel about security related issues, assessing current policies and developing new
policies, assisting in strengthening technical measures to protect corporate resources, and
developing mechanisms to react to incidents and events that could affect Google’s information
assets.
Google has dedicated security teams responsible for educating Google personnel about security
and assisting product teams with security design. Information security is managed by a dedicated
m
unauthorized use, access, disclosure, modification, damage, or loss, as well as the privacy of
co
customer data. The program includes, but is not limited to, developing and managing privacy
n.
policies, developing privacy requirements for products and services including reviewing data
io
usage to ensure processing of customer data is in accordance with the applicable data protection
ac
agreements entered into between Google and customers based on applicable data protection
laws and regulations, and developing mechanisms to react to privacy incidents and events that
rm
could affect Google’s information assets and customer data. Google has dedicated privacy teams
fo
responsible for educating Google personnel about privacy, assisting product teams with privacy
in
design, and overseeing privacy practices at the company. Google has privacy policies that have
rv
been reviewed and approved by management and are published and communicated to
employees and vendors with access to the Google environment. Google’s privacy policies
se
describe privacy objectives, provide a privacy framework and required practices, and emphasize
z@
the importance of privacy to Google’s business. Privacy policies are reviewed at least annually.
Procedures and guidelines are updated as needed.
ue
Google’s role as a data processor and the scope of the processing are defined in the applicable
sq
https://workspace.google.com/terms/dpa_terms.html)
.
ra
The Google Cloud Platform system architecture utilizes a fully redundant network infrastructure.
Border routers that provide the connection point between the Google Cloud Platform and any
Internet Service Providers are designed to run in a redundant configuration. Where border routers
are in use, firewalls are also implemented to operate in a redundant configuration.
Google has implemented perimeter devices to protect the Google network from external attacks.
Google segregates networks based on the types of services, users, and information systems. The
network is managed via specialized tools. Google employs automated tools to inventory network
devices and machines. Authorized security and network engineers access the network devices
(production routers and switches) to monitor, maintain, manage and secure the network through
these tools.
Network monitoring mechanisms are in place to detect and disconnect access to the Google
network from unauthorized devices. Configurations of perimeter devices are centrally managed.
Current and previous versions of each router configuration are maintained. Google has
documented procedures and checklists for configuring and installing new servers, routers and
switches on the network. The network is documented in network diagrams and configuration
documents describing the nature of, and requirements applicable to, Google’s production
networks. This documentation resides within an access-restricted portion of the corporate
intranet.
Google has a firewall configuration policy that defines acceptable ports that may be used on a
Google firewall. Only authorized services and protocols that meet Google’s requirements are
permitted access to the network. The firewalls are designed to automatically deny all unauthorized
packets not configured as acceptable. Administrative access to the firewalls is limited to
authorized administrative personnel using the Secure Shell (SSH) protocol and two-factor
authentication. Changes to network configurations are peer reviewed and approved prior to
deployment. Google has implemented automated controls on network devices to identify
m
distributed denial of service (DDOS) attacks. Google has established incident response
co
processes to report and handle such events (see the Incident Management section).
n.
Authentication, Authorization, and Administration
io
ac
Strong authentication and access controls are implemented to restrict access to Google Cloud
Platform production systems, internal support tools, and customer data. Machine-level access
rm
restriction relies on Google-developed distributed authentication service based on Transport
fo
Layer Security (TLS) certificates which helps to positively identify the resource access requester.
in
This service also offers transport encryption to enhance data confidentiality in transit. Google uses
rv
encryption to secure user data in transit between Google production facilities. Access to internal
support tools, those used by Google operational staff to maintain and troubleshoot the systems
se
for Google Cloud Platform is controlled via Access Control Lists (ACLs) thus limiting the use of
z@
these tools to only those individuals that have been specifically authorized.
ue
Digital certificates used for machine authentication and data encryption are issued by an internal
sq
Google certificate authority. Encryption is used to protect user authentication and administrator
sessions transmitted over the internet. Remote access to the Google corporate machines requires
va
a Google issued digital certificate installed on the connecting device and two-factor authentication.
.
ra
Google follows a formal process to grant or revoke employee access to Google resources.
au
Lightweight Directory Access Protocol (LDAP), Kerberos, and a Google proprietary system that
utilizes Secure Shell (SSH) and TLS certificates help provide secure and flexible access. These
mechanisms are designed to grant access rights to systems and data only to authorized users.
Both user and internal access to customer data are restricted through the use of unique user
account IDs. Access to sensitive systems and applications requires two-factor authentication in
the form of unique user IDs, strong passwords, security keys, and/or certificates. Periodic reviews
of access lists are implemented to help ensure access to customer data (and other need-to-know
data) is appropriate and authorized. Access to production machines, network devices and support
tools is managed via an access group management system. Membership in these groups must
be approved by respective group administrators. User group memberships are reviewed on a
semiannual basis under the direction of the group administrators to ensure that access has been
removed for employees who no longer have a business need for such access.
Access authorization in Google Cloud Platform is enforced at all relevant layers of the system.
The granting or modification of access rights is based on the user’s job responsibilities or on a
need-to-know basis and must be authorized and approved by the user’s functional manager or
system owners. Approvals are managed by workflow tools and logged. Production system access
is granted only to individuals who have completed the required security and privacy training and
require this level of access to perform required tasks. Access to all corporate and production
resources are automatically removed upon submission of a termination request by the manager
of any departing employee, or by the appropriate Human Resources manager.
Password Guidelines
Google personnel are required to authenticate using valid credentials prior to resetting their
password. Passwords are managed in accordance with a set of password construction,
m
protection, and management guidelines, which enforce the following:
co
• Minimum length
n.
• Complexity
io
• History
ac
• Idle time lockout setting
rm
Password configuration requirements are enforced by internal systems. In addition to the security
fo
requirements enforced during configuration, internal passwords are subject to cryptographic
in
Google has supplemented passwords with a two-factor authentication requirement for internal
se
personnel to access sensitive internal corporate and production services and to access Google
z@
Cloud Platform in the production environment from the corporate network. Two-factor
authentication provides additional protection to prevent user account manipulation in case the
ue
Google Cloud Platform end users can also authenticate in one of three ways:
va
• Using a two-step authentication process that includes their user ID, password, and a security
ra
key
au
• Through the Security Assertion Markup Language (SAML) based Single Sign-On (SSO)
process which uses the user entity’s own account management system to authenticate users
and a certificate with an embedded public key, which is registered with Google for each
customer entity
Physical Access — Data Center Physical Security
Google maintains consistent policies and standards across its data centers (e.g. Google-Owned
and Third-Party Owned) for physical security to help protect production servers, network devices,
and network connections within Google data centers. Guidelines for evaluating the security of
data centers are described in Google’s data center security evaluation criteria. Additionally, data
center personnel perform periodic surveys and reviews of data centers. Data centers that house
Google Cloud Platform systems and infrastructure components are reviewed periodically for
ongoing security compliance. A security report is then created summarizing any observations,
deviations, or action items. This report is presented to executive management for review and
approval. Corrective actions are taken when necessary. The data center security evaluation
criteria elements include:
m
visitors, or contractors, must identify themselves as well as show proof of identity to Security
co
Operations.
n.
Valid proof of identity consists of (1) a photo ID issued by Google or (2) a governmental entity.
io
Only validated visitors and authorized Google employees and contractors are permitted to enter
ac
the data centers. Authorized Google Data Center Approvers must approve all visitors in advance
rm
for the specific data center and internal areas they wish to visit.
fo
After the individual’s access authorization is verified, the visit is logged, and access is granted for
in
the specified dates and times. These logs are retained by Google security for review as needed.
rv
Visitors are provided a temporary badge and must be escorted by an authorized Google employee
to access areas beyond the lobby. When the visitors leave the data center, they must return the
se
visitor badge.
z@
Only authorized Google employees or contractors permanently working at the data centers are
ue
permitted to request standing access to the facility areas needed for their role and responsibilities.
Data center access requests must be made through internal tools and require the approval of
sq
authorized data center personnel. All other Google employees and authorized contractors
va
requiring temporary data center access must also have an approved access request and register
.
at the guard station upon arrival. User access lists to data center server areas are reviewed on a
ra
Data centers are equipped with fire detection alarms and protection equipment. Data center
server floors and network infrastructure are connected to redundant power sources in addition to
emergency power which is available in the event of a loss of power. Google performs preventative
and regular maintenance on fire detection and protection equipment, UPS, generators, HVAC
and emergency lighting systems. Please refer to Section A. Overview of Operations above for
a list of Google's data center locations.
Change Management
Changes to Google Cloud Platform are delivered as software releases. Change Management
policies, including code reviews, are in place, and procedures for tracking, testing, approving, and
validating changes are documented and implemented. Each service has documented release
processes that specify the procedures to be used, including definition of the scope of changes to
be delivered, source code control, code review, building, testing, and record keeping.
The change process starts with a developer checking out a copy of the head source code files
from the source code management system to modify them. Once development is complete, the
developer initiates applicable testing and code reviews. Once the change has received the
appropriate code review the change can be submitted, making it the new head version. Google
requires that a code reviewer be independent of the developer who authored the change and
follows Google’s coding standards.
Once the code is merged, it can be used to build software binaries. During the build process, code
is subject to automated testing, the results of which are monitored by engineers. Successfully
built binaries can be migrated to staging or QA environments where they can be subject to
additional review. When software is ready for deployment to production, it is deployed in a
controlled manner, with monitoring in place to notify engineers of anomalies in the deployment.
The process from build to release is aided by several tools that automate tasks, including testing
m
and deployment. Employees at Google have the ability to view changes, however, access to
co
modify code and approve changes is controlled via functionality of internal tools that supports the
n.
build and release process.
io
Tools are also utilized to detect deviations from pre-defined Operating System (OS) configurations
ac
on production machines and correct them automatically. This allows for an easy roll out of updates
rm
to system files in a consistent manner and helps ensure that machines remain in a known current
state.
fo
in
Vulnerability Management
rv
The goal of Google’s Vulnerability Management program is to investigate and respond to all
se
vulnerabilities are detected, classified, and remediated at Google. As part of this program, the
security operations team conducts network vulnerability scans to detect vulnerabilities in software,
ue
systems, and network devices. These scans are conducted on an ongoing basis, to identify and
sq
Also, external third-party penetration tests are performed on an annual basis for a predetermined
subset of the services included in the Google Cloud Platform, and corrective actions are taken as
.
ra
necessary. The subset of services included in any given year are determined by the Google
au
Security and Engineering Compliance teams and is based on their understanding of the
organization’s current risk environment, as well as the organization’s current regulatory and
compliance requirements.
Incident Management
Dedicated on-call personnel and incident response teams are responsible for managing,
responding to, and tracking incidents. These teams are organized into formalized shifts and are
responsible for helping resolve emergencies 24 x 7. Incident response policies are in place and
procedures for handling incidents are documented.
Incident Alert and Recording
Log sources are used to generate alerts whenever an anomaly occurs. Production monitoring
tools, in response to an anomaly, automatically generate alerts to relevant teams based on the
anomaly configurations set by each team. An anomaly may also be manually documented by a
Google employee when an issue is identified or in response to a customer service request.
Production systems are configured to send system events to monitoring and alerting tools. Google
personnel use these tools to respond to potential incidents, including security and privacy
incidents.
Alerts capture information necessary for initial response (e.g., origin, service description,
impacted area, etc.). Alerts are addressed by relevant teams to identify if the anomaly indicates
an issue or potential issue. If necessary, incidents are created for alerts that require additional
investigation. Additional details can be added to the incident to supplement the initial alert(s). The
incident is assigned an initial severity level to prioritize mitigation efforts to incidents of greatest
impact. Each severity level has been formally defined to capture the importance of each
m
incident/problem type. There are established roles and responsibilities for personnel tasked with
co
incident management, including the identification, assignment, managed remediation, and
communication of incidents.
n.
io
Incident Escalation
ac
Google has documented escalation procedures and communication protocols that address the
rm
handling of incidents and notifying appropriate individuals. Escalated issues are treated with
higher urgency and often shared with a wider audience.
fo
in
Alert escalation is facilitated by an internal escalation tool or manual escalation based on Google-
rv
wide and team-specific escalation criteria. Production monitoring tools are integrated with the alert
se
manager tool and communicate with the escalation tool via email and notification to on-call via
pager. The escalation time and contacts are defined in the escalation tool configuration files. This
z@
leads to automated escalation if the tool does not receive an acknowledgement from the notified
ue
contacts.
sq
Incident Resolution
va
After gathering the necessary information about the incident, the incident ticket is assigned to the
.
appropriate support area based on the nature of the problem and/or the root cause. Incidents are
ra
notifying customers of data security and privacy incidents that affect their accounts in accordance
with disclosure laws or contractual agreements are established and implemented.
Data Retention and Deletion
Google has procedures in place to dispose of confidential and need-to-know information
according to the Google data retention and deletion policy. Additionally, Google maintains defined
terms regarding the return, transfer, and disposal of user data and makes these terms available
to customers.
Storage Media Security
Integrity checks are in place at the application level and file system level to ensure data integrity.
At the application level, checksum comparison is performed to protect against upload corruptions.
m
File system consistency checks are also deployed at the storage layer using user-level programs
co
which verify the integrity of the data. At the machine level, an integrity check system is used to
n.
synchronize system files on the root partition of production machines with a standard base image.
io
Google utilizes barcodes and asset tags to track the status and location of data center equipment
ac
from acquisition to installation, retirement, and destruction. If a component fails to pass a
rm
performance test at any point during its lifecycle, it is removed from inventory and retired. Google
hard drives leverage technologies, like Full Disk Encryption (FDE) and drive locking, to protect
fo
data at rest. Personally Identifiable Information (PII) on removable media leaving Google facilities
in
When a hard drive is retired, authorized individuals verify that the disk is erased by writing zeros
se
to the drive and performing a multiple-step verification process to help ensure the drive contains
z@
no data. If the drive cannot be erased for any reason, it is stored securely until it can be physically
destroyed. Physical destruction of disks is a multi-stage process beginning with a crusher that
ue
deforms the drive, followed by a shredder that breaks the drive into small pieces, which are then
sq
recycled at a secure facility. Each data center adheres to a strict disposal policy and any variances
are immediately addressed.
va
Redundant Architecture
.
ra
au
Disaster Recovery
To minimize service interruption due to hardware failure, natural disaster, or other catastrophes,
Google designs its infrastructure and services to be resilient to failures of software, hardware or
facilities. Redundant architecture and resources are distributed across at least two (2)
geographically dispersed data centers to support the availability of services. Network connections
between the data centers help ensure swift failover. Management of the data centers is also
distributed to provide location-independent, around-the-clock coverage and system
administration.
Google’s Disaster Recovery program enables continuous and automated disaster readiness,
response, and recovery of Google’s business, systems, and data. Google conducts disaster
recovery testing on an annual basis to provide a coordinated venue for infrastructure and
m
application teams to test communication plans, failover scenarios, operational transition, and
co
other emergency responses. Teams that participate in the disaster recovery exercise develop
testing plans and post-mortems which document the results and lessons learned from the tests.
n.
io
F. Monitoring
ac
Functional areas across the organization are accountable for designing, implementing and
rm
operating controls to reduce risk across the organization, and engage with management for
fo
assessing controls. Management performs periodic assessments of the control environment for
in
specific areas, such as identity management, source code management and authentication
rv
infrastructure controls. Google plans and coordinates system security and privacy-related audits
with the relevant stakeholders before conducting such activities in order to reduce the impact on
se
internal and consumer users. Independent Internal Audit teams also perform regular audits over
z@
these areas of the control environment and the reports associated with the audits are made
available to the audit committee and stakeholders. In addition, monitoring activities have been
ue
described below to communicate how monitoring is performed for Google Cloud Platform.
sq
Security Monitoring
va
Google has implemented monitoring tools to detect and report security events. Antivirus, phishing
.
ra
detection, and antimalware/antispam tools are also in place to protect Google's information
au
assets. Google also maintains security event logs for privileged access, access to user data,
authorized access attempts, and unauthorized access attempts. Logical access to security event
logs is restricted to authorized personnel. Security event logs are monitored continuously using a
Google proprietary Security Event Management (SEM) system to detect intrusion attempts and
other security related events. The SEM is supplemented with codified logic which creates the
“hunts” that trigger automated alerts to security personnel. The security alerts are generated for
further investigation (manual and automated hunts) based on predefined thresholds. When a
vulnerability has been identified, the Security team determines the appropriate response and
tracks the issue through resolution. The owners of the affected component(s) determine the
appropriate response, based on the severity and defined response criteria of the vulnerability.
Availability Monitoring
Resource management procedures are also established to monitor, maintain, and evaluate
capacity demand. Google uses a dashboard that provides details such as resource footprint,
central processing unit capacity, and random-access memory availability to monitor resource
availability across their data centers and to validate that data has been replicated to more than
one location.
Confidentiality Monitoring
Google has established incident response processes to report and handle events related to
confidentiality as described under Incident Management above.
Privacy Monitoring
As described above, Google restricts and monitors access to customer data to only those with a
valid business purpose, and further restricts the processing of customer data to authorized
individuals. Google has an incident monitoring and response program designed to alert and take
action if unauthorized access is discovered. New products and services are reviewed prior to
m
launch to ensure customer data use is in accordance with the Data Processing Addendum.
co
G. Complementary User Entity Control Considerations
n.
io
Google Cloud Platform is designed with the assumption that user entities (also referred to as
ac
customers) would implement certain policies, procedures, and controls. In certain situations, the
application of specific or additional controls at the user entity may be necessary to achieve the
rm
applicable trust criteria stated in the description. Therefore, each user’s controls must be
fo
evaluated in conjunction with the controls summarized in Section III and Section IV of this report.
in
This section describes those additional policies, procedures, and controls that Google
rv
recommends user entities should consider to complement Google’s policies, procedures, and
se
controls. Management of the user entity and the user entity’s auditor should consider whether the
z@
System
.
•
ra
Customers are responsible for establishing organizational policies and procedures for the use
au
• Customers are responsible for ensuring that end-users are trained on the organizational
policies and procedures relevant to the use of the Google Cloud Platform System
• Customers are responsible for defining, documenting, and making available to users
procedures for the operation of their instance of the Google Cloud Platform System
• Customers are responsible for identifying and managing the inventory of information assets
on the Google Cloud Platform System
Logical Access
• Customers are responsible for defining and maintaining policies and procedures governing
the customer's administration of access to the Google Cloud Platform System
• Customers are responsible for provisioning service availability, user roles, and sharing
permissions within the Google Cloud Platform System consistent with customer organizational
m
policies
co
• Customers are responsible for implementing secure log-on procedures to access the Google
n.
Cloud Platform System consistent with customer access management policies
•
io
Customers are responsible for provisioning, maintaining, and disabling users’ access in
ac
accordance with customer access management policies
• Customers are responsible for reviewing users' access rights periodically, consistent with
rm
customer organizational policies, to mitigate the risk of inappropriate access
fo
• Customers are responsible for enabling and enforcing the use of two-step verification on
in
Customers are responsible for establishing procedures to allocate the initial password to
access the Google Cloud Platform System to end-users when Google password
se
authentication is used
z@
• Customers are responsible for training users on the use and disclosure of passwords used to
authenticate to the Google Cloud Platform System
ue
• Customers are responsible for assigning responsibilities for the operation and monitoring of
sq
Customers are responsible for configuring GCP Marketplace permissions in Google Cloud
Platform consistent with customer’s internal policies (GCP Marketplace contains enterprise
.
ra
• Customers are responsible for restricting access to and monitoring the use of Application
Programming Interfaces (APIs) available in the Google Cloud Platform System
• Customers are responsible for enabling logging and monitoring functionalities to detect
administrator activity, customer support activity, security events, system errors, and data
deletions to support customer incident management processes
• Customers are responsible for configuring domain settings related to integration with other
systems within the customer's environment consistent with customer policies
• Customers are responsible for configuring the Google Cloud Platform System mobile device
options consistent with customer policies and procedures
• Customers are responsible for the deployment, configuration and modification of default
security settings for cloud products including virtual machines in accordance with their
information security requirements
Change Management
• Customers are responsible for ensuring that individuals creating and/or updating profiles or
changing the product configurations are authorized
• Customers are responsible for ensuring any application software which they deploy onto the
Google Cloud Platform System follows their specific software change management policies
and procedures
• Customers are responsible for reviewing and testing features, builds, and product releases,
including Application Programming Interfaces (APIs), to evaluate their impact prior to
deploying into production environments, as applicable
• Customers are responsible for configuring test and/or development environments in their
instance of the Google Cloud Platform System, as applicable, and restricting access to data
m
in these environments
• Customers are responsible for ensuring that user data is exported and deleted from the
co
Google Cloud Platform System before or within a reasonable amount of time after termination
n.
• Customers are responsible for periodically reviewing the configuration of the Google Cloud
io
Platform System to ensure it is consistent with their policies and procedures
ac
• Customers are responsible for managing and testing configurations that support their
rm
business and operational resiliency objectives, and for considering Google Cloud Platform
architecture recommendations
fo
in
Physical Security
rv
• Customers are responsible for ensuring appropriate physical security controls over all devices
se
Customers are responsible for ensuring any devices that access the Google Cloud Platform
System or contain customer data are properly handled, secured, and transported as defined
ue
Incident Management
va
relevant information security incidents pertaining to the use of the Google Cloud Platform
System
au
• Customers are responsible for ensuring they have business recovery and backup procedures
over their non-Google managed information systems that access the Google Cloud Platform
System
• Customers are responsible for configuring data storage locations that support their business
and operational resiliency requirements
Privacy
m
Customers are responsible for ensuring that administrators do not send unnecessary
employee personal data when escalating support requests to service providers, including
co
Google
n.
io
ac
rm
fo
in
rv
se
z@
ue
sq
.va
ra
au
m
co
n.
io
ac
rm
fo
in
rv
se
z@
ue
sq
va
.
ra
au
53
Google Confidental Information
m
data center semiannually that is reviewed and approved by Google management. We perform
co
site visits of the data centers on a rotation schedule to corroborate, through independent
n.
procedures (including observation and inspection), the controls are implemented as described
within Google’s review. We designed the visit schedule to ensure that each data center is visited
io
at least once every three years and that new in-scope data centers are visited in the period they
ac
are brought into scope. rm
Control criteria and related controls for systems and applications
fo
in
On the pages that follow, the applicable control criteria and the controls to achieve the criteria
rv
have been specified by, and are the responsibility of, Google LLC. The sections “Tests Performed
by EY” and “Results” are the responsibility of Ernst & Young LLP.
se
z@
For tests of controls requiring the use of Information Produced by the Entity (IPE) (e.g., controls
requiring system-generated populations for sample-based testing), EY performed a combination
ue
of the following procedures where possible based on the nature of the IPE to address the
sq
completeness, accuracy, and data integrity of the data or reports used: (1) inspected the source
of the IPE, (2) inspected the query, script, or parameters used to generate the IPE, (3) tied data
va
between the IPE and the source, and/or (4) inspected the IPE for anomalous gaps in sequence
.
or timing to determine the data was complete, accurate, and maintained its integrity. Furthermore,
ra
in addition to the above procedures, for tests of controls requiring management’s use of IPE in
au
the execution of the controls (e.g., periodic reviews of user access listings); we inspect
management’s procedures to assess the validity of the IPE source and the completeness,
accuracy, and integrity of the data or reports.
1. The organization has CC1.3, Inquired of the Program Manager and determined No deviations noted.
implemented a formal CC1.4 the organization has implemented a formal
reporting structure that is reporting structure that is made available to
made available to personnel.
o m
personnel.
.c
Inspected the organization's intranet and
o n No deviations noted.
i
determined organizational charts showing formal
ac
reporting structure were made accessible to
rm
employees and included drill-down functionality to
f o
identify employees within the organizational
in
structure, including employees in their functional
teams. rv
se
z@
Inspected a sample communication and No deviations noted.
determined top level management changes were
u e
communicated internally and externally.
s q
v a
Inspected the meeting minutes of a sample Board No deviations noted.
au
considered requirements such as integrity and
security when defining authorities, structures,
reporting lines, and responsibilities.
2. Company goals and CC1.3, Inquired of the Program Manager and determined No deviations noted.
responsibilities are CC1.5, company goals and responsibilities were
required to be developed CC2.2, developed and communicated by management
and communicated by CC3.1 every quarter and amended as needed. Results of
o m
management on a previous quarter goals were evaluated and
.c
periodic basis, and communicated to employees every quarter.
o n
amended as needed. i
Results are evaluated ac
Inspected a sample of quarterly goals and No deviations noted.
and communicated to
o rm
responsibilities and determined they were
employees.
f
developed and evaluated by management.
v in
e r
Inspected a sample of quarterly announcements No deviations noted.
s
and determined results of previous quarter goals
@
were communicated to employees.
z
3. The board of directors CC1.2, q ue
Inquired of the Program Manager and determined No deviations noted.
demonstrate CC1.5 a s
the board of directors demonstrated
independence from . v
independence from management and had
management and ra established an audit and compliance committee to
exercises oversight of
the development and
au exercise oversight of the development and
performance of internal control.
performance of internal
control. Inspected the Alphabet proxy statement and No deviations noted.
determined that the board of directors, including
the members of the audit and compliance
committee, demonstrated independence from
management.
5. The organization has CC1.1, Inquired of the Program Manager and determined No deviations noted.
established internal CC9.2, C1.1 the organization established internal privacy and
privacy and information information security policies available in the
security policies as well intranet as well as code of conduct.
o m
as a Code of Conduct.
.c
o n
Inspected applicable policies and guidelines and No deviations noted.
i
determined the privacy and information security
ac
as well as code of conduct were in place.
rm
6. The organization has CC1.1,
f o
Inquired of the Program Manager and determined No deviations noted.
established a disciplinary CC1.5 in
the organization established a disciplinary process
v
process to address non- r
to address non-compliance with company policies,
e
compliance with
s
code of conduct, or other personnel requirements.
company policies, the
code of conduct, or other z @
Inspected internal documentation and determined No deviations noted.
personnel requirements.
q ue
the organization established a disciplinary process
a s
for non-compliance with the company policies,
code of conduct, or other personnel requirements
. v
ra
which could result in dismissal, lawsuits and/or
au
criminal prosecution.
7. The organization has CC5.2 Inquired of the Program Manager and determined No deviations noted.
established an the organization had established offboarding
offboarding procedure for procedures for personnel, which governed the
personnel, which removal of access and return of assets.
o m
governs the removal of
.c
access and return of
o n
Inspected internal guidelines and determined the No deviations noted.
assets. i
organization had established offboarding
ac
procedures for personnel, which governed the
rm
removal of access and return of assets.
o
n f and determined
internal and external r v i
Inspected internal guidelines
employees were informed
No deviations noted.
s e
that obligations to comply with relevant laws,
@
regulations, and provisions regarding information
u ezchanges
security remain
responsibility
valid, even if the area of
or the employment
s q
relationship is terminated.
v a
8. Personnel of the CC1.1 a.Inquired of the Program Manager and determined No deviations noted.
organization are required
to acknowledge the Code a ur employees and extended workforce personnel
were required to acknowledge the Code of
of Conduct. Conduct as part of the terms and conditions of
employment.
9. New hires or internal CC1.3, Inquired of the Program Manager and determined No deviations noted.
transfers are required to CC1.4 that new hires and internal transfers were required
go through an official to go through an official recruiting process during
recruiting process during which their qualifications and experience were
o m
which they are screened
.c
screened to help ensure that they were competent
against detailed job to fulfill their responsibilities.
o n
descriptions and i
interviewed to assess ac
Inspected of internal documentation and No deviations noted.
competence.
o rm
determined the organization had detailed job
f
descriptions that listed qualifications, such as
in
requisite skills and experience, which candidates
v
r
need to have met in order to be hired.
e
s
z@
Inspected a sample of new hires and internal No deviations noted.
transfers and determined they went through a
u e
formal recruiting process and were screened
s q
against detailed job descriptions and interviewed
v a
to assess competence.
11. The organization CC9.2, C1.1 Inquired of the Program Manager and determined No deviations noted.
establishes the organization required its extended workforce
confidentiality personnel to sign confidentiality agreements that
agreements with m
defined responsibilities and expected behavior for
o
extended workforce the protection of information.
. c
personnel to define n
responsibilities and
c io
Inspected the Google confidentiality agreements No deviations noted.
expected behavior for the and determined they defined extended a workforce
protection of information.
r m
personnel responsibilities and expected behavior
f o
for the protection of information.
13. The organization CC3.1, Inquired of the Program Manager and determined No deviations noted.
conducts periodic CC3.2, the organization conducted periodic information
Information Security Risk CC3.3, security risk assessments to identify, evaluate,
Assessments to identify CC3.4, and mitigate risks to acceptable levels based on
o m
and evaluate risks. CC5.1, .c
risk criteria, including resolution time frames,
CC5.2, which were established, documented, and
o n
CC7.2, A1.3 approved by management.
a ci
Inspected the risk management m
o rframework
guidelines and No deviations noted.
determined a risk management
n fto manage riskwas
vi resolution time
developed and documented to an
acceptable level and r defined
frames for risks. e
s
z @
Inspected applicable documentation and No deviations noted.
u
determined ethe organization conducted periodic
s q security risk assessments to identify,
information
. va on and
evaluate, mitigate risks to acceptable levels
au
frames, which were established, documented and
approved by management.
14. The organization CC3.1, Inquired of the Program Manager and determined No deviations noted.
develops and maintains CC3.2, the organization developed and maintained a risk
a risk management CC3.3, management framework to manage risk to an
framework to manage acceptable level.
risk to an acceptable CC3.4, Inspected the risk management guidelines and No deviations noted.
level. CC5.1, determined a risk management framework was
CC5.2 developed and documented to manage risk to an
m
acceptable level, define resolution time frames for
o
c
risks, and to consider the potential for fraud.
.
n
c io
Inspected internal documentation and determined No deviations noted.
management signed off on the risk a management
framework.
r m
o
f risk assessment and
i n
Inspected the organization's No deviations noted.
e rvto identify
determined the organization evaluates qualitative
s
and quantitative factors residual risk in
z@
order to manage risk to an acceptable level.
Inspected e
udocumentation from the organization's No deviations noted.
annualqrisk assessment and determined the
a s
organization's operational objectives, potential
. v
r a impacts, and changes to the business model were
au
considered.
15. Risks are mitigated to CC3.1, Inquired of the Program Manager and determined No deviations noted.
acceptable levels based CC3.2, the organization conducted periodic information
on risk criteria, including CC3.3, security risk assessments to identify, evaluate,
resolution time frames, CC3.4 and mitigate risks to acceptable levels based on
o m
which are established,
.c
risk criteria, including resolution time frames,
documented and which were established, documented, and
o n
approved by
management.
approved by management.
a ci
Inspected the risk management m
o rframework
guidelines and No deviations noted.
determined a risk management
n fto manage riskwas
vi resolution time
developed and documented to an
acceptable level and r defined
frames for risks. e
s
z @
Inspected applicable documentation and No deviations noted.
u
determined ethe organization conducted periodic
s q security risk assessments to identify,
information
. va on and
evaluate, mitigate risks to acceptable levels
au
frames, which were established, documented and
approved by management.
16. Management CC4.1, Inquired of the Program Managers and Internal No deviations noted.
performs periodic CC4.2 Audit and determined the organization had an
assessments of internal established internal compliance function which
identity, authentication, evaluated management's compliance with
and source code security, identity, authentication, and source code
management controls. management controls.
organization’s approach Inspected documents related to internal audit and No deviations noted.
to managing information determined the organization had an internal audit
security. function and regularly engaged third parties to
conduct independent reviews of the effectiveness
o m
of the organization’s approach to managing
.c
information security.
o n
i
ac
Inspected a list of the organization's security No deviations noted.
rm
compliance certifications and determined the
o
f
organization regularly engaged third parties to
in
conduct independent reviews of the effectiveness
v
r
of the organization’s approach to managing
e
s
information security.
z @
Inspected the meeting invites related to the No deviations noted.
ue
organization's annual organizational risk
q
s
assessment and determined the organization's
a
. v
operational objectives, potential impacts, and
au
were considered across various areas related to
information security.
18. The organization has CC4.1, Inquired of the Program Managers and Internal No deviations noted.
an established Internal CC4.2, Audit and determined the organization had an
Audit function which CC5.3 established internal compliance function which
evaluates management's evaluated management's compliance with
compliance with security security, identity, authentication, and source code
controls. management controls.
“Information Protection Inspected the Third-Party Data Protection internal No deviations noted.
Addendum (IPA)” or site and determined the organization had a formal
“Partner Information due diligence process in place for engaging with
Protection Addendum third parties.
o m
(PIPA)” for providers and
.c
partners, respectively.
o n
Inspected the Information Protection Addendum No deviations noted.
i
(IPA) template and determined appropriate
ac
information security and data protection terms
rm
were documented within the IPA.
o
n f Protection
i
Inspected the Partner Information No deviations noted.
e rvsecurity
Addendum (PIPA) template and determined
s
appropriate information and data
z@
protection terms were documented within the
PIPA.
e
uof the Program Manager and determined
20. The organization
s q
CC9.2, C1.1, Inquired No deviations noted.
requires subprocessors theaorganization required subprocessors to meet
to meet security and
P6.1, P6.4,
v
P6.5, P6.6 a.security and privacy requirements for
r safeguarding user data and the requirements
au were enforced via the "Subprocessor Data
privacy requirements for
safeguarding user data.
Requirements are Protection Agreement (SDPA)" addendum to
enforced via the contractual agreements.
“Subprocessor Data
Protection Agreement Observed the latest addendum template and No deviations noted.
(SDPA)” addendum to determined it had defined the security and privacy
contractual agreements. obligations that subprocessors must meet to
satisfy the organization's obligation regarding
customer data.
o r to vendors are in
place.
n f
i
21. The Security CC9.2, C1.1 Inquired of the Program
e rvManager and determined No deviations noted.
Engineering Org takes a
s
the Security Engineering Org took a risk based
risk based approach to
reviewing the security
@
approach to reviewing the security practices of
vendors andzthe security posture of vendor
practices of vendors and e
products.uReviews may include automated and
the security posture of manual q
s of data being
assessment as determined by the
vendor products. a
v granted.
sensitivity processed or access
Reviews may include a .
being
r
au Inspected the relevant documentation and
automated and manual
assessment as No deviations noted.
determined by the determined the Security Engineering Org took a
sensitivity of data being risk based approach to reviewing the security
processed or access practices of vendors and the security posture of
being granted. vendor products. Reviews may include automated
and manual assessment as determined by the
sensitivity of data being processed or access
being granted.
fo
assessment of sub- subprocessor control environment.
processor control
n
i of a review for a sample
environment. Inspected documentation
r v No deviations noted.
24. The organization CC9.2, C1.1 Inquired of the Program Manager and determined No deviations noted.
establishes agreements, the organization had established agreements,
including nondisclosure including non-disclosure agreements, for
agreements, for preserving confidentiality of information and
o m
preserving confidentiality
.c
software exchanges with external parties, such as
of information and third-party vendors.
o n
software exchanges with i
external parties. ac
Inspected the latest non-disclosure agreement No deviations noted.
rm
template and determined the organization had
o
f
established agreements with external parties for
in
preserving confidentiality of information and
v
software exchanges.
e r
s
z@
Inspected agreements for a sample of external No deviations noted.
parties and determined the organization had
u e
signed non-disclosure agreements for preserving
s q
confidentiality of information and software
v a
exchanges with external parties.
regarding the return, return, transfer, and disposal of user data and
transfer, and disposal of made these policies available to customers.
user data and makes
these policies available Inspected the Cloud Data Processing Addendum No deviations noted.
to customers. and determined the organization had policies
regarding the return, transfer, and disposal of user
data and made these policies available to
customers.
. vause theServices
Platform and determined that Google did
au
purposes not specified in the data processing
amendments (e.g., advertising).
27. Customers are P6.1, P6.7 Inquired the Program Manager and determined No deviations noted.
notified of data requests that customers were notified of data requests from
from government government agencies in accordance with the
agencies in accordance procedure and time period agreed upon in the
o m
with the procedure and
.c
contract, unless such notification was otherwise
time period agreed upon prohibited.
o n
in the contract, unless i
such notification is ac
Inspected the Google Workspace Terms of No deviations noted.
otherwise prohibited.
o rm
Service and other publicly available
f
documentation and determined they outlined the
in
procedures the company followed to notify
v
r
customers when disclosure of customer data was
e
legally required.
s
z @
Inspected Google's internal website and No deviations noted.
ue
determined Google had established mechanisms
q
s
to ensure customers were notified in accordance
a
. v
with the terms of service when a disclosure of
28. Where the P6.1, P6.4 Inquired of the Program Manager and determined No deviations noted.
organization is a data that where the organization is a data processor,
processor, the the organization maintained and made available a
organization maintains list of subprocessors and updated that list, as
o m
and makes available a contractually required. c.
list of subprocessors and
Inspected GCP's public-facing website iando n No deviations noted.
updates that list, as
contractually required. a c
determined an updated list of all subprocessors
was publicly available.
r m
f o
Inspected a sample emailnnotification and
determined notice of r v i
subprocessor changes were
No deviations noted.
sent to customers. e
s
29. The organization CC2.3, C1.1 Inquired of the @
z Program Manager and determined No deviations noted.
provides mechanisms to e
u shouldprovided
the organization mechanisms to notify
notify customers in the q
s be discontinued or changed to be less
customers Google's confidentiality
event its confidentiality a
practices
v
practices are
a .restrictive.
r
au Inspected Google's Terms of Service and
discontinued, or changed
to be less restrictive. No deviations noted.
determined Google provided mechanisms to notify
customers should Google's confidentiality
practices be discontinued or changed to be less
restrictive.
z@blog postings.
available to authorized users via ongoing communications with customers
external users via or via its official
ongoing communications e
uGoogle's official blog postings and
with customers or via its q
s descriptions of Google's system and
Inspected No deviations noted.
official blog postings.
v a
determined
32. Changes to customer CC2.2, Inquired of the Program Manager and determined No deviations noted.
facing services that may CC2.3 confidentiality agreements (Google NDA,
affect confidentiality, Confidential Information and Invention
processing integrity and / Assignment Agreement (CIIAA), and the Code of
o m
or availability are
.c
Conduct) for employees and third parties are in
communicated to place and reviewed and updated as needed.
o n
relevant personnel and i
impacted customers. ac
Inspected the confidentiality agreements and No deviations noted.
rm
determined they are reviewed and updated as
o
needed.
f
v in
33. The organization's CC2.3 e r
Inquired of the Program Manager and determined No deviations noted.
commitments to security, s
Google publishes its commitments to security,
availability, processing z @
availability, processing integrity, and
integrity, and ue
confidentiality to external users via Terms of
q
confidentiality are
communicated to
s
Service (ToS).
a
v
.Inspected
external users via a Google Cloud Platform's Terms of
r Service and product websites and determined
No deviations noted.
au
publications such as the
Terms of Service (ToS). Google's commitments to security, availability and
confidentiality are published for external users.
34. The organization has CC5.2, Inquired of the Program Manager and determined No deviations noted.
an established policy CC5.3 Google had an established policy specifying the
specifying the security security requirements for new information
requirements for new systems, or enhancements to existing information
o m
information systems, or systems. c
.
enhancements to n
existing information Inspected internal policies and determined
c io No deviations noted.
systems. security requirements were specified a fortonew
r
information systems, or enhancementsm existing
information systems.
f o
i n
determined Googlee
rv documentation and
Inspected publicly available No deviations noted.
s outlined security requirements
@
for new information systems, or enhancements to
z systems related to its
existing information
services.ue
s q
35. The organization has CC8.1
vaorganization
Inquired
.
of the Program Manager and determined No deviations noted.
developed policies and
r a the had policies and procedures
au
procedures governing which govern the secure development lifecycle.
the secure development
lifecycle. Inspected internal documentation and determined No deviations noted.
the organization had policies and procedures
which govern the secure development lifecycle.
36. The organization has CC9.2 Inquired of the Program Manager and determined No deviations noted.
developed policies and the organization developed policies and
procedures that govern third party relationships.
procedures that govern Inspected internal documentation and determined No deviations noted.
third party relationships. policies and procedures were in place to govern
third party relationships.
o m
Inspected Google Cloud third party policy and
. c No deviations noted.
n
determined policies and procedures were in place
o
i
to govern third party relationships for Google
Cloud Products. ac
rm
37. The organization has CC5.3
f o
Inquired of the Program Manager and determined No deviations noted.
established policies and
in
the organization established policies and
v
procedures that govern r
procedures that govern access to information
e
access to information systems.
s
systems.
z @
Inspected the internal documentation and No deviations noted.
ue
determined Google established policies and
q
a s
procedures that govern access to information
systems.
a .v
r Inquired of the Program Manager and determined
au
38. The organization has CC2.2, No deviations noted.
policies addressing CC5.3 the organization had security policies addressing
confidentiality, integrity, confidentiality, integrity, and availability that were
and availability that have approved by management and published on the
been approved and intranet which is accessible to employees.
communicated.
Inspected internal documentation and determined No deviations noted.
security policies addressing confidentiality,
integrity and availability had been approved by
management.
40. The organization has CC3.2, Inquired of the Program Manager and determined No deviations noted.
established policies and CC6.1 the organization established policies and
procedures that govern procedures that govern the acceptable use of
the acceptable use of information assets.
o m
information assets.
.c
o n
Inspected internal documentation and determined No deviations noted.
i
the organization established policies and
ac
procedures that govern the acceptable use of
information assets.
o rm
n f and determined
41. Google has a User
i
CC6.1, C1.1, Inquired of the Program Manager
v Retention and Deletion
No deviations noted.
Data Retention and C1.2, P4.2, Google had a User Data
e r
Deletion Policy. P4.3 Policy.
s
Inspected the @
z User Data Retention and Deletion No deviations noted.
Policy and e
u other related documentation, and
q
s and deletion of user data.
determined it established guidelines to govern the
a
retention
a .v
42. Physical protection
and guidelines are
CC6.4,
CC6.7 a
ur Inquired of the Data Center Security Manager and
determined physical protection and guidelines
No deviations noted.
43. The organization CC6.7 Inquired of the Program Manager and determined No deviations noted.
maintains policies that the organization established policies and
define the requirements procedures that govern the internal and external
for the use of use of cryptographic controls.
o m
cryptography.
.c
o n
Inspected the security policies and procedures No deviations noted.
i
and determined they covered governance of the
ac
internal and external use of cryptographic
controls.
o rm
f
Inspected a Google CloudnPlatform relevant
i No deviations noted.
e rv and external
documentation and determined they covered
s
governance of the internal use of
z@
cryptographic controls.
45. The organization has CC6.1, C1.1, Inquired of the Program Manager and determined No deviations noted.
established policies and P4.1 policies and guidelines were established to govern
guidelines to govern data data classification, labeling and security.
au
documented.
47. Google has CC2.1, Inquired of the Program Manager and determined No deviations noted.
established the policy CC2.2 Google has a policy exception process to ensure
exception process to a formal approval and risk evaluation are
ensure a formal approval performed.
and risk evaluation are
performed. Inspected applicable policies and determined the No deviations noted.
process to request and process policy exceptions
is documented.
s q
Inspected Google's security policies and No deviations noted.
v a
determined Google had implemented rules to
.
ra govern the installation of software by users.
Inspected the log of the tool used to monitor the No deviations noted.
replication of the standard production image and
determined the tool was running in accordance
with the schedule defined in the configuration.
n f
file and corrected the production back to
vi
the pre-defined OS configurations.
r
Observed a Software
se Engineer deleted a test file No deviations noted.
49. The organization CC6.7, P4.3 Inquired of the Program Manager and determined No deviations noted.
prohibits the use of PII and SPII on removable media leaving Google
removable media for the facilities was approved and encrypted.
storage of PII and SPII Inspected relevant policies and determined No deviations noted.
unless the data has been Google outlined and communicated the process
encrypted. for the secure handling and transportation of
customer data.
o m
.c
o n
Inspected the ticketing tool and determined No deviations noted.
i
requests to use removable media were approved
ac
under the condition that the removable media was
encrypted.
o rm
n f and determined
50. Security policies are
reviewed at least
CC4.1,
CC5.3 v i
Inquired of the Program Manager
security policies wererreviewed at least annually,
No deviations noted.
51. The organization has CC1.1, Inquired of the Program Manager and determined No deviations noted.
established a privacy and CC1.4, privacy and information security training program
information security CC2.2 was in place and relevant personnel were
training program and required to complete this training annually.
e rv personnel
information security training for Google personnel
s
and determined relevant completed the
53. Wireless connections CC6.1 Inquired of the Program Manager and determined No deviations noted.
to corporate resources wireless connections to corporate resources at the
organization's facilities were encrypted.
au
determined that access was denied.
56. Logical access to CC7.1 Inquired of the Program Manager and determined No deviations noted.
network devices is that access to network devices was restricted to
restricted to authorized authorized personnel and periodically reviewed.
z@
architecture were identified and protected.
60. The organization has CC6.1 Inquired of the Program Manager and determined No deviations noted.
established mechanisms the organization established mechanisms
governing the governing the configuration and security of
configuration and corporate-managed devices providing privileged
o m
security of corporate- access. c.
managed devices
o n
Inspected relevant documentation and idetermined No deviations noted.
providing privileged
access. c
arequirements
that policies are in place to govern the device
r
management, security, and baseline m
of corporate-managed mobileodevices providing
privileged access. i nf
e rv
s
Inspected relevant documentation and determined No deviations noted.
z@
that policies are in place to govern the use of
encryption for corporate-managed mobile devices
e
providinguprivileged access.
s q
. va arerelevant
Inspected documentation and determined No deviations noted.
au
identity management for corporate-managed
mobile devices.
62. Encryption is used to CC6.1, Inquired of the Program Manager and determined No deviations noted.
protect user CC6.6, encryption was used to protect user authentication
authentication and CC6.7 and administrator sessions transmitted over the
administrator sessions internet.
transmitted over the Inspected internal policies regarding encryption No deviations noted.
Internet. mechanisms at Google and determined Google
used encryption to protect user authentication and
administrator sessions transmitted over the
o m
internet. c .
n
c io and
Inspected externally available documentation No deviations noted.
determined Google communicated a to how user
authentication and administratorm
transmitted over the internet o
r sessions
n f were encrypted.
v i
Inspected encryption rmechanism configurations No deviations noted.
and determined user
s e authentication and
@
administrator sessions transmitted over the
internet werezencrypted.
u e
s q a user's and an administrator's
Observed No deviations noted.
. vadetermined
connection settings to Google's external websites
au
user authentication and administrator sessions
transmitted over the internet.
63. Encryption is used for CC6.7 Inquired of the Program Manager and determined No deviations noted.
traffic traversing fiber encryption was used for traffic traversing fiber
between the between the organization's production facilities.
au
configurations.
Inspected the log of the tool used to monitor the No deviations noted.
replication of the standard production image and
determined the tool was running in accordance
with the schedule defined in the configuration.
o m
.c
o n
Observed a Software Engineer insert a test file in No deviations noted.
i
the directory of a haphazardly selected production
ac
machine and determined the tool detected the test
rm
file and corrected the production machine back to
f o
the pre-defined OS configurations.
in
rv
Observed a Software Engineer modify a test file in No deviations noted.
se
the directory of a haphazardly selected production
z @
machine and determined the tool detected the test
file and corrected the production machine back to
ue
the pre-defined OS configurations.
q
s
a a Software Engineer deleted a test file
Observed No deviations noted.
. vthe
r a in directory of a haphazardly selected
au
production machine and determined the tool
detected the deleted test file and corrected the
production machine back to the pre-defined OS
configurations.
65. Changes to network CC8.1 Inquired of the Program Manager and determined No deviations noted.
configurations are changes to network configurations were reviewed,
reviewed and approved approved, and tested prior to deployment.
prior to deployment.
o m
Inspected a sample of manual network
.c No deviations noted.
configuration changes and determined it was
o n
i
reviewed by a separate technical resource to
validate quality and accuracy. ac
rm
f o
Inspected a sample of manual network No deviations noted.
in
configuration changes and determined it was
v
r
tested prior to deployment.
e
s
Inspected a sample automated change and No deviations noted.
z@
determined it was made by an automated tool
e
u
based on the pre-configured ruleset.
q
a s
Inspected a sample change made to the No deviations noted.
v
r a. automated tool and determined it was reviewed by
au
a separate technical resource to validate quality
and accuracy and tested prior to deployment.
66. A standard image is CC8.1 Inquired of the Program Manager and determined No deviations noted.
utilized for the installation the organization established guidelines for
and maintenance of each governing the installation of software on
production server. organization-owned assets. Further determined
o m
.c
that a standard production image was utilized for
the installation and maintenance of each
o n
i
production server. Deployment of software in
ac
production was restricted to authorized personnel
rm
and mechanisms were utilized to identify and
f o
correct deviations from pre-defined OS
configurations. in
rv
se
Inspected Google's security policies and No deviations noted.
@
determined Google had implemented rules to
z
ue
govern the installation of software by users.
s q
Inspected the monitoring tool configurations and No deviations noted.
v a
determined the tools were configured to monitor
.
ra production machines and detect deviations from
au
pre-defined OS configurations and correct them.
Inspected the log of the tool used to monitor the No deviations noted.
replication of the standard production image and
determined the tool was running in accordance
with the schedule defined in the configuration.
Google LLC | Description of Criteria, Controls, Tests and Results of Tests 100
Google Confidental Information
n f
file and corrected the production back to
vi
the pre-defined OS configurations.
r
Observed a Software
se Engineer deleted a test file No deviations noted.
67. Only users with a CC6.6, Inquired of the Program Manager and determined No deviations noted.
valid user certificate, CC6.7 only users with a valid certificate, corresponding
corresponding private private key and appropriate authorization (per
key and appropriate host) could access production machines via SSH.
Google LLC | Description of Criteria, Controls, Tests and Results of Tests 101
Google Confidental Information
authorization (per host) Inspected the configuration enforcing authorized No deviations noted.
can access production key authentication and determined it was set up to
machines via SSH. restrict access to production machines from
unauthorized users without a valid digital
o m
certificate. c.
n
Inspected the configuration that enforced
c iothe No deviations noted.
a were
authentication of users prior to granting a private
r m
key and determined digital certificates only
f o
generated after a user was authenticated using
two-factor authentication.in
au
using an invalid SSH certificate and determined
access was denied.
68. The organization has CC6.1 Inquired of the Program Manager and determined No deviations noted.
an established key Google had an established key management
management process in process in place to support the organization’s
place to support the internal and external use of cryptographic
organization’s use of techniques.
cryptographic
techniques. Inspected internal documentation and determined No deviations noted.
key management procedures were in place.
Google LLC | Description of Criteria, Controls, Tests and Results of Tests 102
Google Confidental Information
nf
internal and external use of cryptographic
techniques. i
Inspected the code e
rv
s configuration for certificate No deviations noted.
@
revocations and determined certificate revocations
used proper z
u e authorizations
of certificate
and changes to the list
revocations were restricted.
s q
. va and
Inspected a sample of certificate revocation No deviations noted.
au
revoked timely.
69. The organization CC6.2, Inquired of the Program Manager and determined No deviations noted.
maintains formal user CC6.3 the organization maintained formal user
registration and de- registration and de-registration procedures for
registration procedures granting and revoking access.
for granting and revoking
access. Inspected relevant documentation and determined No deviations noted.
the organization had formal procedures for
granting and revoking user access to the
corporate network.
Google LLC | Description of Criteria, Controls, Tests and Results of Tests 103
Google Confidental Information
z@
determined access was granted.
Observed e
uan attempt to modify user access to a No deviations noted.
group q
a s access was not granted.
without the appropriate approval and
determined
v
r a.
au
Inspected a sample system generated log for No deviations noted.
access to production machines, support tools, and
network devices and determined access
approvals and modifications to the access lists
were recorded.
Google LLC | Description of Criteria, Controls, Tests and Results of Tests 104
Google Confidental Information
au
stored in an encrypted manner.
Google LLC | Description of Criteria, Controls, Tests and Results of Tests 105
Google Confidental Information
s e
Google's technical support personnel.
Google LLC | Description of Criteria, Controls, Tests and Results of Tests 106
Google Confidental Information
72. Personnel access to CC6.1, Inquired of the Program Manager and determined No deviations noted.
sensitive systems and CC6.6 access to sensitive systems and applications
applications requires requires two-factor authentication in the form of
two-factor authentication m
user ID, password, security key, and/or certificate.
o
in the form of a distinct
.c
user ID and password
o n
Inspected the applicable policy and determined No deviations noted.
with a security key or i
access to sensitive systems and applications
certificate. ac
required two-factor authentication in the form of
rm
user ID, password, security key and/or certificate.
o
Inspected relevant policy n
f
i documentation and No deviations noted.
determined Google has rvan established policy that
specifies the use ofeemergency credentials.
s
Inspected the @
z code that enforced the No deviations noted.
e
uand determined
authentication of users prior to the granting of a
q
s for access to production
certificate certificates that were
a
required machines were
v generated after a user is authenticated
a .
only to
r
au
single sign-on using two-factor authentication.
Google LLC | Description of Criteria, Controls, Tests and Results of Tests 107
Google Confidental Information
au
least privilege, and
limiting access to only Inspected relevant policies and guidelines, and No deviations noted.
authorized users. determined the organization separated duties of
individuals by granting users access based on job
responsibilities and least privilege, and limiting
access to only authorized users.
Google LLC | Description of Criteria, Controls, Tests and Results of Tests 108
Google Confidental Information
au
network devices and determined access
approvals and modifications to the access lists
were recorded.
74. Access to production CC5.2, Inquired of the Program Manager and determined No deviations noted.
machines, support tools, CC6.2, that access to production machines, support tools,
and network devices is CC6.3, and network devices is managed via access
managed via access CC6.6 control lists. Modification to access control lists
control lists. Modification are recorded and approved by administrators.
Google LLC | Description of Criteria, Controls, Tests and Results of Tests 109
Google Confidental Information
to access control lists are Inspected relevant documentation and determined No deviations noted.
recorded and approved the organization has formal procedures for
by administrators. managing user access to production machines,
support tools, and network devices via access
o m
control lists. c.
o n
Inspected the configurations within the isource No deviations noted.
code management system and determined c
a werethat
m
rfrom a group
the relevant access control list systems
o
nfreceiving access to
configured to enforce approval
i
administrator prior to a user
v tools, and network
production machines,rsupport
devices.
s e
@
Observed anzattempt to grant user access to a No deviations noted.
u
group with ethe appropriate approval from the
groups qadministrator and determined access was
va
granted.
.
r a
au
Observed an attempt to grant user access to a No deviations noted.
group without the appropriate approval from the
group administrator and determined access was
not granted.
Google LLC | Description of Criteria, Controls, Tests and Results of Tests 110
Google Confidental Information
75. Access to corporate CC6.1, Inquired of the Program Manager and determined No deviations noted.
network, production CC6.2 access to the corporate network, which further
machines, network provides access to production machines, network
devices, and support devices, and support tools, required a unique ID
o m
tools requires a unique and verified credentials. c.
ID, password, and/or n
machine certificate. Inspected the configuration for access to
c io No deviations noted.
corporate network, network devices,
machines, and support tools andm
aproduction
o r were required.
determined a
f
unique ID and verified credentials
n
i
e rtovanother
Observed a user attempt to create a user with a No deviations noted.
s
username belonging user and
@
determined that a duplicate username could not
be assigned.z
e
ua user attempt to create, delete, and
q
s an account with the same username and
Observed No deviations noted.
a
recreate
v
r a.determined the accounts were assigned unique
au
IDs.
Google LLC | Description of Criteria, Controls, Tests and Results of Tests 111
Google Confidental Information
76. Access to production CC5.2, Inquired of the Program Manager and determined No deviations noted.
machines, support tools, CC6.2, access to production machines, support tools,
network devices and CC6.3 network devices and corporate assets was
corporate assets is automatically removed in a timely basis upon
o m
automatically removed in submission of a termination request by Human
.c
a timely basis upon Resources or a manager.
o n
submission of a i
termination request by ac
Inspected internal documentation and determined No deviations noted.
Human Resources or a
o rm
requirements for terminating users with access to
manager.
f
production machines, support tools, network
in
devices and corporate assets were documented.
v
e r
s
Inspected the configuration of the automated tools No deviations noted.
z @
used to revoke access to production machines,
support tools, network devices, and corporate
ue
assets and determined it was configured to
q
s
remove access upon submission of a termination
a
a .vrequest by Human Resources or a manager.
77. Access to internal CC6.6 Inquired of the Program Manager and determined No deviations noted.
support tools is restricted access to internal support tools was restricted to
to authorized personnel authorized personnel through the use of approved
credentials.
Google LLC | Description of Criteria, Controls, Tests and Results of Tests 112
Google Confidental Information
through the use of Observed a user attempt to access an internal No deviations noted.
approved credentials. support tool with approved credentials and
determined access was granted.
o m
c No deviations noted.
Observed a user attempt to access an internal
.
n
support tool without approved credentials and
o
determined access was not granted.
a ci
78. External system CC6.1 Inquired of the Program Manager
o rmandand
determined No deviations noted.
users are identified
f Accounts
external system users were identified
n
and authenticated via the
Google Accounts authentication systemrv
i
authenticated via the Google
before access was granted.
authentication system
s e
Inspected the configuration supporting the login No deviations noted.
before access is granted.
functionality z @
and determined users were identified
u e via the Google Accounts
and authenticated
s q system before access was granted.
authentication
79. Where "on demand CC6.2, Inquired of the Program Manager and determined No deviations noted.
request" mechanisms are CC6.3 that "on demand request" mechanisms were
implemented to restrict implemented to restrict human access to
human access to production resources, and access on demand
production resources, requests were reviewed and approved by a
access requests are second individual prior to being granted and the
reviewed and approved events were logged.
Google LLC | Description of Criteria, Controls, Tests and Results of Tests 113
Google Confidental Information
by a second individual Inspected the documentation and determined that No deviations noted.
prior to being granted access on demand requests were reviewed and
and the event is logged. approved by a second individual prior to being
granted and the events were logged.
o m
.c
Inspected the access on demand configuration
o n No deviations noted.
i
supporting the functionality and determined
ac
changes to the approver group were identified and
rm
recorded and access can only be granted for a
limited number of hours.
f o
in
rv
Observed a user attempt to gain access to an on- No deviations noted.
se
demand group and determined after the request
z @
received appropriate approval from a second
individual, temporary access was granted.
q ue
a s
Observed a user attempt to gain access to an on-
demand group and determined access was
No deviations noted.
. v
ra
denied as the appropriate approval from a second
au
individual, with valid credentials, was not
obtained.
80. Critical access CC6.2, Inquired of the Program Manager and determined No deviations noted.
groups are reviewed on a CC6.3 critical access groups were reviewed on a periodic
periodic basis and basis and inappropriate access was removed.
inappropriate access is
removed. Inspected the code configuration that No deviations noted.
automatically generates a ticket for the review of
in scope critical access groups.
Google LLC | Description of Criteria, Controls, Tests and Results of Tests 114
Google Confidental Information
au
remotely through the use certificates to be installed on the connecting
of encrypted device.
communication systems.
Inspected relevant documentation and determined No deviations noted.
guidelines and policies were implemented to
protect information accessed and govern the use
of system encryption for communication.
Google LLC | Description of Criteria, Controls, Tests and Results of Tests 115
Google Confidental Information
z@
access was successful.
Observed e
ua user attempt to gain access to the No deviations noted.
q
s authentication and did not have valid
environment with a device that did not use valid
a
two-factor
v
r a.Google issued digital certificates installed on the
au
connecting device and determined access was
denied.
82. Remote access to CC6.1, Inquired of the Program Manager and determined No deviations noted.
corporate machines CC6.6 remote access to corporate machines required a
requires a digital digital certificate issued by the organization
certificate issued by the installed on the connecting device, and two-factor
organization installed on authentication in the form of user ID, password,
the connecting device, security key, and/or certificate.
Google LLC | Description of Criteria, Controls, Tests and Results of Tests 116
Google Confidental Information
z @
access to corporate machines and determined
two-factor authentication was required.
q ue
a s
Observed a user attempt to gain remote access to
a corporate machine with a device that had a
No deviations noted.
. v
ra
Google issued digital certificate installed and two-
au
factor authentication and determined remote
access to the corporate environment was
successful.
Google LLC | Description of Criteria, Controls, Tests and Results of Tests 117
Google Confidental Information
83. Critical power and A1.2 Inquired of the Operations Manager and No deviations noted.
telecommunications determined critical power and telecommunications
equipment in data equipment in data centers were physically
centers is physically protected from disruption and damage.
o m
protected from disruption
.c
and damage. Observed a sample of data centers and
o n No deviations noted.
i
determined that power and telecommunications
ac
equipment in data centers were physically
rm
protected from disruption and damage.
o
n fcenters and
Observed a sample of data
i No deviations noted.
rv and humidity of data
determined that temperature
e
s
halls were within the configured thresholds.
Google LLC | Description of Criteria, Controls, Tests and Results of Tests 118
Google Confidental Information
au
guidelines around the security of storage devices
during delivery and movement throughout the
data center.
Google LLC | Description of Criteria, Controls, Tests and Results of Tests 119
Google Confidental Information
. v
ra
policies in place regarding the sanitization of
au
storage media prior to disposal, release out of
organizational control, or release for reuse.
Google LLC | Description of Criteria, Controls, Tests and Results of Tests 120
Google Confidental Information
Google LLC | Description of Criteria, Controls, Tests and Results of Tests 121
Google Confidental Information
Google LLC | Description of Criteria, Controls, Tests and Results of Tests 122
Google Confidental Information
89. PII on removable CC6.7, P4.3 Inquired of the Program Manager and determined No deviations noted.
media leaving the PII and SPII on removable media leaving Google
organization's facilities is facilities was approved and encrypted.
approved and encrypted.
o m
Inspected relevant policies and determined
.c No deviations noted.
Google outlined and communicated the process
o n
i
for the secure handling and transportation of
customer data. ac
rm
f o
Inspected the ticketing tool and determined No deviations noted.
in
requests to use removable media were approved
v
r
under the condition that the removable media was
e
encrypted.
s
90. Visitors to data CC6.4 z @
Inquired of the Data Center Security Manager and No deviations noted.
center facilities must gain ue
determined visitors were required to gain approval
q
approval from authorized
personnel, have their a s
from authorized personnel, have their identity
verified and remain with an escort during the
. v
ra
identity verified at the duration of their visit.
au
perimeter, and remain
with an escort for the Inspected the physical security policies and No deviations noted.
duration of their visit. determined Google required visitors to gain
approval from authorized personnel, have their
identity verified at the perimeter and remain with
an escort during the duration of their visit.
Google LLC | Description of Criteria, Controls, Tests and Results of Tests 123
Google Confidental Information
Observed a z
@
sample of data centers and No deviations noted.
determined u ethat access to sensitive data center
q
s and required
facilities required approval from authorized
a
v badge readers, biometric
personnel, two-factor authentication
a .
using identification
r
au
mechanisms or physical locks.
Google LLC | Description of Criteria, Controls, Tests and Results of Tests 124
Google Confidental Information
Google LLC | Description of Criteria, Controls, Tests and Results of Tests 125
Google Confidental Information
z@
regular maintenance organizational requirements.
processes (including ad-
hoc repairs) in Inspected e
ugenerators,
a sample of maintenance records for No deviations noted.
accordance with s q
the UPS, fire suppression systems,
fireaextinguishers, emergency lighting systems,
organizational
v
requirements.
r a.and HVAC systems, and determined Google
au
performed and recorded routine preventative and
regular maintenance in accordance with
organizational requirements over critical data
center equipment.
Google LLC | Description of Criteria, Controls, Tests and Results of Tests 126
Google Confidental Information
95. The organization CC6.7 Inquired of the Operations Manager and No deviations noted.
authorizes, monitors, and determined information systems and equipment
controls all information were safeguarded against unauthorized entry and
systems and data center removal from data centers and data center server
o m
equipment entering and
.c
floors, network rooms, and security systems are
exiting data centers and n
physically isolated from public spaces and/or
o
maintains records of
those items.
delivery areas.
a ci
Inspected internal documentation mand determined
rpolicies No deviations noted.
o
f of storageanddevices
that the organization maintains
n
vi throughout the
guidelines around the security
r
during delivery and movement
data center.
se
Observed a z
@
sample of data centers and No deviations noted.
determined e
uinformation
that Google had safeguards in place
q
sunauthorized entrysystems
to protect and equipment
v a
from and removal from data
r a.centers.
au Observed a sample of data centers and No deviations noted.
determined that dedicated receiving and shipping
areas were isolated from the main data center
floor, network rooms and security systems.
Google LLC | Description of Criteria, Controls, Tests and Results of Tests 127
Google Confidental Information
96. Access lists to high- CC6.4 Inquired of the Program Manager and determined No deviations noted.
security areas in data user access to high-security areas in data centers
centers are reviewed on was reviewed on a quarterly basis and
a periodic basis and inappropriate access was removed in a timely
o m
inappropriate access is manner. c
.
removed in a timely n
manner.
c io
Inspected the internal policies and determined No deviations noted.
user access to high-security areas ina data centers
should be reviewed on a quarterly
r m basis.
o
f data center
i n
Inspected a sample of quarterly No deviations noted.
high-security areas e
rv
access reviews and determined user access to
s in data centers was reviewed
@
and inappropriate access was removed in a timely
manner.
u ez
97. Security measures CC6.4
s q of the Program Manager and determined
Inquired No deviations noted.
utilized in data centers
va measures
security
.
utilized in data centers were
are assessed annually
r a assessed periodically and the results were
au
and the results are reviewed by executive management.
reviewed by executive
management. Inspected a sample of the reviews performed and No deviations noted.
determined security measures utilized in all data
centers were assessed periodically and the
results were reviewed by executive management.
98. Data centers are CC6.4 Inquired of the Data Center Facilities Manager No deviations noted.
continuously staffed and and determined that physical security measures
monitored by security were in place as described and are reviewed
personnel through the through the annual data center security review.
Google LLC | Description of Criteria, Controls, Tests and Results of Tests 128
Google Confidental Information
use of real-time video Inspected a sample data center security review No deviations noted.
surveillance and/or alerts performed for the production facilities and
generated by security determined that management reviewed the
systems. physical security measures at the facilities.
o m
.c
Observed a sample of data centers and
o n No deviations noted.
i
determined that visitors obtained approvals from
ac
authorized personnel prior to their visits, had their
rm
identities verified before entering the data center
f o
floors, and remained with an escort during the
duration of their visits.i n
rv
se
Observed a sample of data centers and No deviations noted.
z @
determined that data centers were continuously
staffed and monitored by security personnel
ue
through the use of real-time video surveillance
q
s
and/or alerts generated by security systems.
a
v
.Observed
a a sample of data centers and
r determined that data centers were secured
No deviations noted.
Google LLC | Description of Criteria, Controls, Tests and Results of Tests 129
Google Confidental Information
99. Visitors to corporate CC6.4 Inquired of the Security Officer and determined No deviations noted.
offices must be that visitors to corporate offices were required to
authenticated upon authenticate upon arrival and remain with an
arrival and remain with escort for the duration of their visit.
o m
an escort for the duration
.c
of their visit.
o n
Inspected internal documentation and determined No deviations noted.
i
the organization maintained policies for visitor
access to corporate offices. ac
rm
f o
Performed inspections for a sample of offices and No deviations noted.
in
determined that the reception area was isolated
v
from the office space.
e r
s
Observed an on-site sign in of a visitor to Google No deviations noted.
z@
offices and determined visitors to corporate offices
e
u
were required to authenticate upon arrival and
q
s
remain with an escort for the duration of their visit.
a
v
100. The organization CC6.1,
r a.Inquired of the Program Manager and determined No deviations noted.
uses a version control
system, to manage
CC8.1
a u the organization used a version control system to
manage source code, documentation, release
source code, labeling, and that access to the system had to be
documentation, release approved.
labeling, and other
functions. Access to the Inspected a sample code release configuration to No deviations noted.
system must be determine that when created, the code release
approved. generated a name based on a set of predefined
logic.
Google LLC | Description of Criteria, Controls, Tests and Results of Tests 130
Google Confidental Information
Google LLC | Description of Criteria, Controls, Tests and Results of Tests 131
Google Confidental Information
. va andto determined
testing the system required
au
resource before migration to production.
103. Git-on-Borg code CC8.1 Inquired of the Program Manager and determined No deviations noted.
changes are monitored the organization monitored changes for approvals
for approvals on a on a periodic basis.
periodic basis.
Inspected control monitoring configurations and No deviations noted.
determined that changes included in weekly
change reviews are completely and accurately
extracted from change management systems.
Google LLC | Description of Criteria, Controls, Tests and Results of Tests 132
Google Confidental Information
104. The descriptions of CC2.2 Inquired of the Program Manager and determined
o m No deviations noted.
the organization's c
that descriptions of the organization's systems,
.
systems (including their n
including their scope and boundaries, were made
o
scope and boundaries)
are made available to
available to internal teams.
a ci
internal teams. m and
Inspected the internal product website
rorganization's No deviations noted.
f
determined a description of theo
system and its boundariesnwere available to the
organization's internalrv
i
product teams.
e
s Manager and determined
105. Design C1.1 Inquired of the Program No deviations noted.
documentation is z @
design documentation and privacy reviews, where
required to be completed applicable,e
uorwere required to be completed prior to
and be reviewed before a q
s facing services were communicated to
a product feature launch. Any changes to
feature launch which a
customer
v
introduces new
r a.relevant personnel and impacted customers.
au
collection, processing, or
sharing of user data. Inspected documentation and determined the No deviations noted.
organization had defined procedures and
requirements for a product or feature launch.
Google LLC | Description of Criteria, Controls, Tests and Results of Tests 133
Google Confidental Information
z @
Inspected relevant documentation and determined No deviations noted.
ue
there was a framework to classify vulnerabilities
q
s
based on the priority level.
a
v
.Inspected
a relevant configurations and determined
r vulnerabilities were tracked in an internal ticketing
No deviations noted.
au system.
Google LLC | Description of Criteria, Controls, Tests and Results of Tests 134
Google Confidental Information
107. There are CC7.2 Inquired of the Program Manager and the Security No deviations noted.
mechanisms in place to Reliability Engineer and determined there were
protect the Production mechanisms in place to protect the production
environment against a m
environment against a variety of denial of service
o
variety of denial of attacks. c
.
service attacks. n
c io that
Inspected the documentation for mechanisms No deviations noted.
are used to protect against denial ofaservice
attacks and determined they were
o rmin place to
f
protect the production environment.
n
Inspected playbooks r used
i
v by the incident No deviations noted.
management teamseand determined mechanisms
s
@
were in place to classify, escalate and triage
ez attacks.
denial of service
u
s q the DOS server configuration and
Inspected No deviations noted.
. vaproduction
determined configurations were in place to protect
au
denial of service attacks.
Google LLC | Description of Criteria, Controls, Tests and Results of Tests 135
Google Confidental Information
n f
i
e rv
Inspected relevant documentation and determined No deviations noted.
s
the organization has policies and guidelines in
@
place for penetration tests performed by qualified
ez or an external service provider.
internal personnel
u
s q relevant documentation and determined
Inspected No deviations noted.
. va
a penetration test, which included critical
au
past year and results were documented
comprehensively.
Google LLC | Description of Criteria, Controls, Tests and Results of Tests 136
Google Confidental Information
109. The organization CC2.2, Inquired of the Program Manager and determined No deviations noted.
has an established CC7.3 the organization had an established incident
incident response policy response policy that was reviewed on a periodic
that is reviewed on a basis and outlines management responsibilities
o m
periodic basis and
.c
and procedures to ensure a quick, effective, and
outlines management n
orderly response to information security incidents.
o
responsibilities and i
procedures to ensure a ac
Inspected the organization's incident response No deviations noted.
quick, effective, and
o rm
policy and determined policies and procedures
orderly response to
f
were in place which outline a quick, effective, and
information security
v in
orderly response to information security incidents.
incidents.
e r
In addition, classification, prioritization,
s
consolidation, and escalation of security incidents
@
per criticality were also identified and mechanisms
z
ue
were defined to measure and monitor the type
and scope of security incidents and interface with
s q
business continuity management.
v a
a .Inspected
r determineda incidents
sample of security incidents and No deviations noted.
au
were resolved timely and
incident management procedures were
performed.
110. The organization CC7.3, Inquired of the Program Manager and determined No deviations noted.
maintains a framework CC7.4, P6.3 the organization maintained a framework that
that defines how to defined how to organize a response to security
organize a response to and privacy incidents.
Google LLC | Description of Criteria, Controls, Tests and Results of Tests 137
Google Confidental Information
security and privacy Inspected the organization's internal incident No deviations noted.
incidents. response websites and determined incident
response teams and procedures were established
to handle security and privacy incidents.
o m
.c
o n
Inspected internal documentation and determined No deviations noted.
i
a process was in place for incident response
ac
teams to quantify, manage and monitor incidents.
rm
111. Information security CC7.5
f o
Inquired of the Program Manager and determined No deviations noted.
incidents are
in
information security incidents were documented
v
documented per the r
per the organization's Incident Response Policy.
e
organization's Incident
s
Information from these events could be used to
Response Policy.
Information from these z @
prevent future incidents and as examples for
information security training.
events are used to
q ue
prevent future incidents
a s
Inspected the organization's Incident Response
Policy and determined it documented the process
No deviations noted.
and can be used as
. v
ra
examples for information for reporting, responding to, and monitoring
au
security training. information security incidents.
Google LLC | Description of Criteria, Controls, Tests and Results of Tests 138
Google Confidental Information
112. The organization CC3.2 Inquired of the Program Manager and determined No deviations noted.
has established a that the organization established a dedicated
dedicated security team security team to engage in security and privacy of
engaging in security and customer data and manage security 24 x 7
o m
privacy of customer data worldwide.
.c
and managing security n
24 x 7 worldwide.
c io and
Inspected relevant policies and guidelines No deviations noted.
ain securityaand
determined that the organization established
r
dedicated security team to engagem
privacy of customer data. o
n f
i
e rv team engaged
Inspected internal documentation and determined No deviations noted.
s
that a dedicated security in security
z@
and privacy of customer data managed security
24 x 7 worldwide.
e
uthe on-call calendar configuration and
q
s that the on-call calendar was
Inspected No deviations noted.
a
determined
v
r a.maintained according to a defined set of rules.
au Inspected the on-call calendar configuration and No deviations noted.
determined that on-call rotation schedules were
automated and any change in the schedule was
subject to the management’s approval process.
Google LLC | Description of Criteria, Controls, Tests and Results of Tests 139
Google Confidental Information
113. The organization CC7.3, Inquired of the Program Manager and determined No deviations noted.
maintains policies and CC7.4, P6.3, the organization maintained policies and
procedures regarding the P6.6 procedures regarding the notification of data
notification of data breaches in accordance with applicable laws.
o m
breaches, in accordance
.c
with applicable laws.
o n
Inspected relevant documentation and determined No deviations noted.
i
procedures existed for users to prepare for,
ac
report, and investigate security and privacy
incidents.
o rm
Inspected the Cloud Datan
f
i Processing Addendum No deviations noted.
rv and procedures existed
and determined policies
to notify customers e
s of an incident in a timely
@
manner and in accordance with applicable laws or
ez
contractual agreements.
u
s q a sample of data incidents and
Inspected No deviations noted.
. va in customers
determined were notified of data
au
applicable laws or contractual agreements.
Google LLC | Description of Criteria, Controls, Tests and Results of Tests 140
Google Confidental Information
114. The organization CC7.2, Inquired of the Program Manager and determined No deviations noted.
has a dedicated team CC7.3, the organization established a dedicated team
responsible for managing CC7.4, responsible for managing security and privacy
security and privacy CC7.5, A1.3, incidents involving security, availability,
o m
incidents. P6.3 processing integrity and confidentiality, and
.c
provided internal personnel (employees and
o n
i
extended workforce) with instructions and
ac
mechanisms for reporting potential security and
rm
privacy concerns or incidents to the responsible
team(s).
f o
in
rv
Inspected the organization's internal incident No deviations noted.
se
response websites and determined incident
@
response teams and procedures were established
z
ue
to handle security and privacy incidents.
s q
Inspected relevant documentation and determined No deviations noted.
v a
a process was in place for incident response
.
ra teams to quantify, manage and monitor incidents.
Google LLC | Description of Criteria, Controls, Tests and Results of Tests 141
Google Confidental Information
115. The organization CC6.8, Inquired of the program manager and determined No deviations noted.
provides monitoring tools CC7.1, the organization provided monitoring tools to
to relevant personnel to CC7.3, A1.1 facilitate the detection and reporting of operational
facilitate the detection issues and the monitoring tools sent automated
o m
and reporting of alerts to operational personnel based on
. c
operational issues. n
predetermined criteria and are escalated per
o
policy.
a ci
Inspected relevant documentation
o rmandand determined No deviations noted.
n f personnel.
there were tools in place to detect report
vi
operational issues to operational
r
Inspected a sampleeof alerts and determined
s No deviations noted.
@
monitoring tools were in place to detect, report,
escalate andzresolve operational issues.
u e
116. The organization CC7.3,
s q of the Program Manager and determined
Inquired No deviations noted.
provides internal CC7.4, P6.3 theaorganization established a dedicated team
v
.responsible
personnel (employees
r a for managing security and privacy
Google LLC | Description of Criteria, Controls, Tests and Results of Tests 142
Google Confidental Information
z@
investigation and resolution.
Inspected e
ua the
sample of incident tickets and No deviations noted.
q
smonitored incidents.
determined incident response team quantified
and
v a
r a.
au
117. The organization CC2.3 Inquired of the Program Manager and determined No deviations noted.
provides external users that the organization provides external users with
with mechanisms to mechanisms to report security issues, incidents,
report security issues, and concerns.
incidents, and concerns.
Inspected the organization’s websites and No deviations noted.
determined mechanisms were available for
external users to report security issues, incidents,
and concerns.
Google LLC | Description of Criteria, Controls, Tests and Results of Tests 143
Google Confidental Information
Google LLC | Description of Criteria, Controls, Tests and Results of Tests 144
Google Confidental Information
119. Monitoring tools CC6.8, Inquired of the program manager and determined No deviations noted.
send automated alerts to CC7.2, that the organization provides monitoring tools to
operational personnel CC7.3, relevant personnel to facilitate the detection and
based on predetermined CC7.4, reporting of operational issues and the monitoring
o m
criteria. Incidents are CC7.5, tools send automated alerts to operational
. c
escalated per policy. CC8.1, A1.1 n
personnel based on predetermined criteria and
o
are escalated per policy.
a ci
Inspected relevant documentation
rmand determined
that there were tools in placeoto detect and report
No deviations noted.
i nf incidents to an
operational issues and security
rv
incident response team.
e
s
@
Inspected a sample of alerts and determined No deviations noted.
escalateu ezresolve
monitoring tools
and
were in place to detect, report,
operational issues.
q
s of the Security Engineering Manager and
120. Audit logs are CC7.2, a
Inquired
v No deviations noted.
continuously monitored CC7.3,
r a.determined audit logs are continuously monitored
au
for events related to CC7.4, C1.1 for events related to security, availability,
security, availability, processing integrity and confidentiality threats and
processing integrity, and alerts are generated for further investigation.
confidentiality threats.
Alerts are generated for Observed Google's internal documentation and No deviations noted.
further investigation. determined there are guidelines used by the
Security Surveillance Team to classify, prioritize,
perform cause analysis, and triage the security
incidents.
Google LLC | Description of Criteria, Controls, Tests and Results of Tests 145
Google Confidental Information
met or exceeded. e
rv
generated when the pre-defined threshold was
s
Observed the @
z dashboard of monitoring tools and No deviations noted.
determined e
u processing
that alerts related to security,
q
smonitored.
availability, integrity and confidentiality
were
v a
r a.
au
121. The organization CC6.1, C1.1, Inquired of the Program Manager and determined No deviations noted.
has procedures in place C1.2, P4.2, procedures were in place to dispose of
to dispose of confidential P4.3 confidential information according to Google User
information according to Data Retention and Deletion policy.
the data retention and
deletion policy. Inspected the organization's internal policies and No deviations noted.
determined guidelines were established to govern
the retention and deletion of user data.
Google LLC | Description of Criteria, Controls, Tests and Results of Tests 146
Google Confidental Information
nf information
determined an automated deletion
i
was implemented and confidential
was disposed of as per
e rvthe guidelines.
s
@
Inspected a sample product and determined data
deletion toolszverified that backup data was
No deviations noted.
Google LLC | Description of Criteria, Controls, Tests and Results of Tests 147
Google Confidental Information
Google LLC | Description of Criteria, Controls, Tests and Results of Tests 148
Google Confidental Information
Google LLC | Description of Criteria, Controls, Tests and Results of Tests 149
Google Confidental Information
127. Procedures related CC7.1, Inquired of the Program Manager and determined No deviations noted.
to the management of CC7.2, the organization made available procedures
information processing CC7.3, related to the management of information
resources are made CC7.4, processing resources. Procedures include
available by the CC7.5 guidance on requesting, monitoring and
organization. Procedures maintaining resources, and guidance around
include guidance on evaluating capacity demand.
Google LLC | Description of Criteria, Controls, Tests and Results of Tests 150
Google Confidental Information
z@
determined alerts were appropriately set.
Google LLC | Description of Criteria, Controls, Tests and Results of Tests 151
Google Confidental Information
129. The organization CC9.1, A1.2, Inquired of the Program Manager and determined No deviations noted.
conducts disaster A1.3 that the organization conducted disaster resiliency
resiliency testing (DiRT) testing (DiRT) which covered reliability,
which covers reliability, survivability, and recovery on an ongoing basis
o m
survivability, and (and at least annually).
. c
recovery on an ongoing n
basis (and at least
c io
Inspected a sample of the functional disaster No deviations noted.
annually). resiliency testing documentation and abasis
determined
m
r plans, failover
that it was conducted on a periodic and
o
nf and other
testing included communication
i
scenarios, operational transition,
emergency responses.
e rv
s
that product z
@
Inspected testing documentation and determined No deviations noted.
u
postmortems e teams developed testing plans and
which documented the results and
s
lessons qlearned from disaster resiliency testing.
130. Google has va of the Program Manager and determined
CC9.1, A1.2, a.Inquired No deviations noted.
r that Google had implemented business continuity
au measures to maintain the availability of Google's
implemented business A1.3
continuity measures to
maintain the availability production infrastructure and services.
of Google's production
infrastructure and Inspected internal documentation and determined No deviations noted.
services. Google defined the risks and recovery objectives,
as input, to establish the BCP.
Google LLC | Description of Criteria, Controls, Tests and Results of Tests 152
Google Confidental Information
Google LLC | Description of Criteria, Controls, Tests and Results of Tests 153
Google Confidental Information
Google LLC | Description of Criteria, Controls, Tests and Results of Tests 154
Google Confidental Information
133. Google has P8.1 Inquired of the Program Manager and determined No deviations noted.
established feedback Google had an established feedback processes
processes that give that gave external users the ability to voice
external users the ability privacy concerns, which are monitored.
o m
to voice privacy
.c
concerns, which are
o n
Inspected Google's publicly available Help and No deviations noted.
monitored. i
Support page and determined external users had
ac
the option to voice privacy concerns to Google.
rm
f o
Observed Google's internal website and No deviations noted.
in
determined Google had established guidelines
v
r
that customer support employees used to provide
e
s
feedback to external users.
z @
Inspected a sample of inquiries, complaints, and No deviations noted.
ue
disputes, and determined the cases were
q
a s
addressed and resolutions were monitored
through to resolution.
a .v
r Inquired of the Program Manager and determined
au
134. The organization P6.2 No deviations noted.
records government the organization reviewed government agency
agency requests to requests for customer data to determine if
disclose customer data. disclosure is required; subsequent disclosure was
The organization’s then limited only to that which was necessary to
records of government fulfill the request. The organization recorded and
agency requests for tracked transfers and disclosures of user data to
customer data include third parties.
Google LLC | Description of Criteria, Controls, Tests and Results of Tests 155
Google Confidental Information
information regarding Inspected the Google Cloud Platform Terms of No deviations noted.
when the request was Service and determined the organization reviewed
submitted, the identity of government agency requests for customer data to
the requester, customer determine if disclosure was required; subsequent
o m
data that was requested,
. c
disclosure was then limited only to that which was
any data that had been necessary to fulfill the request.
o n
disclosed, and when i
disclosure had occurred. ac
Inspected a sample of disclosure requests in the No deviations noted.
rm
legal request management tool and determined
o
f
the organization recorded and tracked transfers
in
and disclosure of data to third parties, and the
v
r
disclosures were limited to only that which was
e
s
necessary to fulfill the request.
136. Where the P1.1, P2.1, Inquired of the Program Manager and determined No deviations noted.
organization is a data P3.1, P3.2, the organization limited the scope of processing to
processor, the what was specified in contracts with the controller.
Google LLC | Description of Criteria, Controls, Tests and Results of Tests 156
Google Confidental Information
organization limits scope P4.1, P4.2, Inspected externally published documentation and No deviations noted.
of processing to what is P7.1 determined the organization provided notice to
specified in contracts data subjects about its privacy practices with
with the controller. consent obtained for the use of personal
o m
.c
information and the organization limited the scope
n
of processing to what was specified in contracts
o
with controller.
a ci
Inspected internal documentation
o rmand determined No deviations noted.
Google LLC | Description of Criteria, Controls, Tests and Results of Tests 157
Google Confidental Information
138. The organization P6.1, P6.4 Inquired of the Program Manager and determined No deviations noted.
reviews government the organization reviewed government agency
agency requests for requests for customer data to determine if
customer data to disclosure is required; subsequent disclosure was
o m
determine if disclosure is
.c
then limited only to that which was necessary to
required; subsequent n
fulfill the request. The organization recorded and
o
disclosure is then limited i
tracked transfers and disclosures of user data to
only to that which is third parties. ac
necessary to fulfill the
rm
request.
f o
Inspected the Google Cloud Platform Terms of No deviations noted.
in
Service and determined the organization reviewed
v
r
government agency requests for customer data to
e
s
determine if disclosure was required; subsequent
@
disclosure was then limited only to that which was
z
ue
necessary to fulfill the request.
s q
Inspected a sample of disclosure requests in the No deviations noted.
v a
legal request management tool and determined
.
ra the organization recorded and tracked transfers
au
and disclosure of data to third parties, and the
disclosures were limited to only that which was
necessary to fulfill the request.
139. The organization C1.1, P3.1 Inquired of the Program Manager and determined No deviations noted.
performs privacy reviews design documentation and privacy reviews, where
prior to product launch. applicable, were required to be completed prior to
a product or feature launch. Any changes to
customer facing services were communicated to
relevant personnel and impacted customers.
Google LLC | Description of Criteria, Controls, Tests and Results of Tests 158
Google Confidental Information
nf
system changes and determined
v i
personnel and impacted customers were notified.
141. The organization P6.3, P6.5 Inquired of the Program Manager and determined No deviations noted.
has an incident response the organization had an incident response
program for responding program in place for responding to privacy
to privacy incidents. incidents. Privacy incidents were monitored and
Privacy incidents are tracked in accordance with internal policy.
Google LLC | Description of Criteria, Controls, Tests and Results of Tests 159
Google Confidental Information
monitored and tracked in Inspected internal documentation and determined No deviations noted.
accordance with internal the organization had an incident response
policy. program in place for responding to privacy
incidents.
o m
. c
o n
Inspected a sample incident and determined that No deviations noted.
i
the organization had tools and dashboards
ac
available and used them to monitor and track
rm
incidents in accordance with internal policy.
o
n f and determined
142. Internal Audit P8.1
i
Inquired of the Program Manager No deviations noted.
performs a periodic rv awere
Internal Audit performed
e
periodic assessment of
assessment of privacy
s
privacy controls. Results shared as
controls. Results are
shared as necessary and
@
necessary and were considered for ongoing
improvementzof the privacy program.
are considered for e
uinternal documentation and determined
ongoing improvement of q
s Audit was responsible for performing a
Inspected No deviations noted.
the privacy program.
v a
Internal
143. Integrity checks are CC7.1 Inquired of the Program Manager and determined No deviations noted.
in place at the file system integrity checks were in place at the file system
level to ensure data integrity.
Google LLC | Description of Criteria, Controls, Tests and Results of Tests 160
Google Confidental Information
level to ensure data Inspected Google's security policies and No deviations noted.
integrity. determined integrity checks are in place at the file
system level to ensure data integrity.
o m
c No deviations noted.
Inspected the monitoring tool configurations and
.
n
determined the tools were configured to monitor
o
i
production machines and detect deviations to
ac
ensure data integrity at the file system level.
rm
f o
Inspected the log of the tool used to monitor the No deviations noted.
in
replication of the standard production image and
v
r
determined the tool was running in accordance
e
s
with the schedule defined in the configuration.
z @
Observed a Software Engineer insert a sample file No deviations noted.
ue
in the directory of a haphazardly selected
q
a s
production machine and determined the tool
detected and corrected the sample file, confirming
. v
ra
that integrity checks are in place at the file system
au
level.
Google LLC | Description of Criteria, Controls, Tests and Results of Tests 161
Google Confidental Information
z @
action items identified from the results of internal
audit control testing were assigned an owner and
ue
tracked to ensure remediation.
q
a s
. v
ra
au
Google LLC | Description of Criteria, Controls, Tests and Results of Tests 162
Google Confidental Information
m
co
CC1.3 - COSO Principle 3
n.
CC1.3 1, 2, 9 Management establishes, with board oversight, structures,
io
reporting lines, and appropriate authorities and responsibilities
ac
in the pursuit of objectives.
rm
CC1.4 - COSO Principle 4
fo
in
CC2.1 39, 47, 102, The entity obtains or generates and uses relevant, quality
.
ra
CC2.2 2, 31, 32, 38, The entity internally communicates information, including
39, 47, 51, objectives and responsibilities for internal control, necessary to
104, 109 support the functioning of internal control.
CC2.3 29, 30, 31, 32, The entity communicates with external parties regarding
33, 117 matters affecting the functioning of internal control.
CC3.1 2, 13, 14, 15, The entity specifies objectives with sufficient clarity to enable
140 the identification and assessment of risks relating to
objectives.
CC3.2 13, 14, 15, 40, The entity identifies risks to the achievement of its objectives
106, 112, 140 across the entity and analyzes risks as a basis for determining
how the risks should be managed.
m
CC3.3 - COSO Principle 8
co
CC3.3 13, 14, 15, The entity considers the potential for fraud in assessing risks
n.
106, 140 to the achievement of objectives.
io
ac
CC3.4 - COSO Principle 9
rm
CC3.4 13, 14, 15, The entity identifies and assesses changes that could
fo
140 significantly impact the system of internal control.
in
rv
CC4.1 16, 18, 50, The entity selects, develops, and performs ongoing and/or
z@
CC5.1 13, 14, 17, 73, The entity selects and develops control activities that
140 contribute to the mitigation of risks to the achievement of
objectives to acceptable levels.
CC5.2 7, 13, 14, 17, The entity also selects and develops general control activities
34, 74, 76, 94, over technology to support the achievement of objectives.
140
CC5.3 18, 34, 37, 38, The entity deploys control activities through policies that
46, 50 establish what is expected and in procedures that put policies
into action.
CC6.1
CC6.1 40, 41, 45, 52, The entity implements logical access security software,
53, 55, 57, 59, infrastructure, and architectures over protected information
60, 62, 68, 70, assets to protect them from security events to meet the entity's
71, 72, 75, 78, objectives.
m
81, 82, 100,
co
118, 121, 125
n.
io
CC6.2
ac
CC6.2 55, 69, 74, 75, Prior to issuing system credentials and granting system
rm
76, 79, 80, 88, access, the entity registers and authorizes new internal and
118 external users whose access is administered by the entity. For
fo
longer authorized.
se
CC6.3
z@
CC6.3 69, 74, 76, 79, The entity authorizes, modifies, or removes access to data,
ue
CC6.4
au
CC6.4 42, 85, 87, 90, The entity restricts physical access to facilities and protected
91, 96, 97, 98, information assets (for example, data center facilities, backup
99 media storage, and other sensitive locations) to authorized
personnel to meet the entity’s objectives.
CC6.5
CC6.6
CC6.6 58, 62, 67, 72, The entity implements logical access security measures to
74, 77, 82 protect against threats from sources outside its system
boundaries.
CC6.7
CC6.7 42, 43, 44, 48, The entity restricts the transmission, movement, and removal
49, 62, 63, 67, of information to authorized internal and external users and
81, 89, 92, 95, processes, and protects it during transmission, movement, or
126 removal to meet the entity’s objectives.
m
co
CC6.8
n.
CC6.8 61, 64, 106, The entity implements controls to prevent or detect and act
io
115, 119 upon the introduction of unauthorized or malicious software to
ac
meet the entity’s objectives.
rm
CC7.1
fo
in
CC7.1 54, 56, 106, To meet its objectives, the entity uses detection and
rv
143
susceptibilities to newly discovered vulnerabilities.
z@
CC7.2
ue
CC7.2 13, 106, 107, The entity monitors system components and the operation of
sq
114, 119, 120, those components for anomalies that are indicative of
va
CC7.3
CC7.3 109, 110, 113, The entity evaluates security events to determine whether they
114, 115, 116, could or have resulted in a failure of the entity to meet its
119, 120, 127 objectives (security incidents) and, if so, takes actions to
prevent or address such failures.
CC7.4
CC7.4 110, 113, 114, The entity responds to identified security incidents by
116, 119, 120, executing a defined incident response program to understand,
124, 127 contain, remediate, and communicate security incidents, as
appropriate.
CC7.5
CC7.5 46, 111, 114, The entity identifies, develops, and implements activities to
119, 127 recover from identified security incidents.
CC8.1
CC8.1 35, 48, 65, 66, The entity authorizes, designs, develops or acquires,
100, 101, 102, configures, documents, tests, approves, and implements
103, 119 changes to infrastructure, data, software, and procedures to
m
meet its objectives.
co
n.
CC9.1
io
CC9.1 19, 129, 130, The entity identifies, selects, and develops risk mitigation
ac
131 activities for risks arising from potential business disruptions.
rm
CC9.2
fo
in
CC9.2 5, 11, 12, 20, The entity assesses and manages risks associated with
rv
A1.1
ue
A1.1 88, 115, 119, The entity maintains, monitors, and evaluates current
sq
A1.2
A1.2 83, 88, 93, The entity authorizes, designs, develops or acquires,
124, 129, 130, implements, operates, approves, maintains, and monitors
131 environmental protections, software, data backup processes,
and recovery infrastructure to meet its objectives.
A1.3
A1.3 13, 114, 124, The entity tests recovery plan procedures supporting system
129, 130, 131, recovery to meet its objectives.
140
C1.1
C1.1 5, 11, 12, 20, The entity identifies and maintains confidential information to
21, 29, 24, 41, meet the entity’s objectives related to confidentiality.
45, 105, 120,
121, 139
C1.2
C1.2 41, 84, 121 The entity disposes of confidential information to meet the
entity’s objectives related to confidentiality.
m
P1.1
co
n.
P1.1 25, 26, 136 The entity provides notice to data subjects about its privacy
practices to meet the entity’s objectives related to privacy. The
io
notice is updated and communicated to data subjects in a
ac
timely manner for changes to the entity’s privacy practices,
rm
including changes in the use of personal information, to meet
the entity’s objectives related to privacy.
fo
in
P2.1
rv
P2.1 25, 136 The entity communicates choices available regarding the
se
P3.1
P3.1 26, 136, 139 Personal information is collected consistent with the entity’s
objectives related to privacy.
P3.2
P4.1
P4.1 26, 45, 136 The entity limits the use of personal information to the
purposes identified in the entity’s objectives related to privacy.
P4.2
P4.2 25, 41, 121, The entity retains personal information consistent with the
136 entity’s objectives related to privacy.
m
P4.3
co
P4.3 25, 41, 49, 86, The entity securely disposes of personal information to meet
n.
89, 121 the entity’s objectives related to privacy.
io
ac
P5.1
rm
P5.1 122, 123, 135 The entity grants identified and authenticated data subjects the
fo
ability to access their stored personal information for review
in
P5.2
sq
P5.2 122, 123, 135 The entity corrects, amends, or appends personal information
va
P6.1
P6.1 20, 22, 27, 28, The entity discloses personal information to third parties with
138 the explicit consent of data subjects, and such consent is
obtained prior to disclosure to meet the entity’s objectives
related to privacy.
P6.2
P6.2 134 The entity creates and retains a complete, accurate, and
timely record of authorized disclosures of personal information
to meet the entity’s objectives related to privacy.
P6.3
P6.3 110, 113, 114, The entity creates and retains a complete, accurate, and
116, 141 timely record of detected or reported unauthorized disclosures
(including breaches) of personal information to meet the
entity’s objectives related to privacy.
m
co
P6.4
n.
P6.4 20, 22, 28, The entity obtains privacy commitments from vendors and
io
138 other third parties who have access to personal information to
ac
meet the entity’s objectives related to privacy. The entity
assesses those parties’ compliance on a periodic and as-
rm
needed basis and takes corrective action, if necessary.
fo
in
P6.5
rv
P6.5 20, 141 The entity obtains commitments from vendors and other third
se
P6.6
.
ra
au
P6.6 20, 113 The entity provides notification of breaches and incidents to
affected data subjects, regulators, and others to meet the
entity’s objectives related to privacy.
P6.7
P6.7 27, 135, 137 The entity provides data subjects with an accounting of the
personal information held and disclosure of the data subjects’
personal information, upon the data subjects’ request, to meet
the entity’s objectives related to privacy.
P7.1
P7.1 135, 136 The entity collects and maintains accurate, up-to-date,
complete, and relevant personal information to meet the
entity’s objectives related to privacy
P8.1
P8.1 132, 133, 142, The entity implements a process for receiving, addressing,
144 resolving, and communicating the resolution of inquiries,
complaints, and disputes from data subjects and others and
periodically monitors compliance to meet the entity’s
objectives related to privacy. Corrections and other necessary
actions related to identified deficiencies are made or taken in a
timely manner.
m
co
n.
io
ac
rm
fo
in
rv
se
z@
ue
sq
.va
ra
au
m
co
n.
io
ac
rm
fo
in
rv
se
z@
ue
sq
va
.
ra
au
172
Google Confidental Information
m
For more information on the Log4j 2 vulnerability and Google Cloud product service details,
co
please refer to the Google Cloud Log4j Security Advisory.
n.
Internal Google Traffic
io
ac
Connections between internal Google resources use proprietary services similar to Remote
Procedural Calls (RPC) that provide peer-to-peer authentication similar to Kerberos. All traffic is
rm
at least cryptographically authenticated between machines, while some connections, including to
fo
and from the Key Management Service, are encrypted using AES.
in
Key Management
rv
se
Google uses a proprietary service to manage the distribution, generation and rotation of
cryptographic keys. Files or data structures with user-generated content written by Cloud or App
z@
Engine services are encrypted with a key. This key is encrypted by the Key Management Service
ue
with a restricted access control list (ACL) of services allowed to request the Key Management
Service to decrypt it. The encrypted key is not stored alongside the encrypted data.
sq
The wrapping keys needed to decrypt user data are only known to the Key Management Service.
va
All access to/from the Key Management Service is controlled by ACLs. Access is restricted to a
.
ra
limited number of individuals and applications, and auditing is enabled to determine whether
access is appropriate.
au
Key Rotations
Google uses a proprietary system to periodically generate and rotate an encryption key used to
protect user data at rest on average at least every 90 days. New wrapped encryption keys are
generated for each new Google storage file (a Google file is defined in Encryption of Data Stored
at Google above). The system helps ensure that key rotations are managed appropriately, and
that customer data is not encrypted with a discarded key.
Disk Erase Process
Google has a policy stating that no loose drive may leave Google data centers unless it has been
erased (or destroyed), certified as erased by Google, and validated as such by Google via audit.
One or more types of disk erase mechanisms are used to delete data off disks before they are
decommissioned. Multiple checks are performed to help ensure that all drives are accounted for.
Non-erased loose drives are stored in a secure container until they are erased. The disk erase
process is well defined, and each facility is audited on a daily basis to monitor compliance with
the disk erase policy.
If a component fails to pass a performance test at any point during its lifecycle, it is removed from
inventory and retired. When a hard drive is retired, authorized individuals verify that the disk is
erased by writing zeros to the drive and performing a multiple-step verification process to help
ensure the drive contains no data. If the drive cannot be erased for any reason, it is stored
securely until it can be physically destroyed. Physical destruction of disks is a multistage process
beginning with a crusher that deforms the drive, followed by a shredder that breaks the drive into
small pieces, which are then recycled at a secure facility. Each data center adheres to a strict
disposal policy and any variances are immediately addressed.
m
co
n.
io
ac
rm
fo
in
rv
se
z@
ue
sq
.va
ra
au