The strategy includes the following ten components:
- Google Corporate Security Policies: Google is committed to the security of all information stored on its computer systems. The foundation of this commitment is a set of security policies covering areas such as physical, data, account, corporate services, network and computer systems, applications services, systems services, incident response, change management and data center security. These policies are consistently reviewed for accuracy and effectiveness.
- Organizational Security: Google employs an Information Security Team comprising experts in information, application and network security. The team is responsible for the company’s defense systems, developing security review processes and building customized security infrastructure. The team also plays a role in the development, documentation and implementation of Google’s security policies and standards. Working outside Google in public security, the team is also responsible for working with software vendors, making open source projects and more. Google also has several functions that address statutory and regulatory compliance worldwide.
- Asset Classification and Control: Google has extensive controls to protect the security of customer information. For example, Google applications run in a multi-tenant, distributed environment, and the layers of Google Apps require that requests coming from components be authenticated. Google also has policies for deleted data, media disposal, and personnel security.
- Physical and Environmental Security: Google’s data centers are geographically distributed and have a number of physical security measures, such as cameras with video analytics to detect intruders. Other policies and measures cover environmental controls, power, climate, temperature, and fire detection and suppression.
- Operational Security: This includes malware prevention by manual and automated scanners and the use of multiple anti-virus engines for all products. Google also maintains high-standard measures dedicated to monitoring, vulnerability management, incident management, network security and operating system security.
- Access Control: Multiple measures cover authentication controls (a unique ID for each employee and more), authorization controls (access rights based on the employee’s job) and accounting (logging administrative access to all Google production systems and data).
- System Development and Maintenance: Google’s policy is to consider the security properties and implications of applications, systems and services used by Google for the entire project lifecycle. Specific measures cover security consulting and review, security in the context of Google’s software lifecycle, and implementation-level security testing and review.
- Disaster Recovery and Business Continuity: Google has a disaster recovery program at all data centers to minimize service interruptions due to hardware failure, natural disasters and other catastrophes.
- Regulatory Compliance: Specific measures cover the legal information access process and privacy, and include elements from SSAE 16 and FISMA certification.
- Google Apps Security & Compliance Features: Google helps protect customer data by giving additional security options to customers’ domain admins. The features cover 2-step verification, single sign-on (SSO), strong passwords, administrator-based single sign-out, secure browser connections, policy-enforced secure mail transfer and archive search.
Each of the ten components of Google’s multi-layered security strategy is endorsed throughout the organization.