---
title: "Third-party vendor assessment report: Google Drive"
author: "Adam Richie-Halford, ROAR Information Security Officer"
lang: "en"
date: "2024-10-12"
...
Vendor: Google Drive
Assessor: Adam Richie-Halford, ROAR Information Security Officer
Google Drive is a widely used cloud-based storage and file-sharing service, known for its strong security practices. This assessment evaluates Google Drive's compliance with recognized industry standards and certifications. It verifies that Google Drive is a suitable third-party vendor for storing and sharing ROAR-related data.
- SOC 2 Type II: Google Drive is covered under Google's overall SOC 2 Type II certification, which demonstrates adherence to strict controls across security, availability, processing integrity, confidentiality, and privacy. This certification confirms that Google Drive’s internal controls are effectively designed and operated to protect user data from unauthorized access and breaches.
- ISO 27001: Google Drive complies with the ISO 27001 standard, an internationally recognized framework for managing information security. This certification ensures that Google Drive has implemented an Information Security Management System (ISMS) that systematically addresses risk management and data protection.
Google's SOC 2 Type II and ISO 27001 certifications are accessible through the GCP Compliance Reports Manager. The certifications have been verified as current.
- Data Encryption: Google Drive employs AES-256 encryption for data at rest and TLS encryption for data in transit. This ensures that stored data remains protected against unauthorized access.
- Access Management: Google Drive supports role-based access control (RBAC) and multi-factor authentication (MFA) for enterprise accounts, which helps restrict data access to authorized users.
- Incident Response: Google Drive follows Google's structured incident response plan, which includes real-time monitoring, alerts, and procedures for identifying, investigating, and responding to security incidents. Its incident response capabilities have been confirmed through regular SOC 2 audits.
Google Drive meets the necessary security requirements for handling sensitive data. Its compliance with SOC 2 Type II and ISO 27001, combined with strong security practices, validates its suitability for storing and sharing ROAR information.