SOC 2 Google Workspace Checklist: Admin Controls and MFA

Google Workspace in SOC 2 Scope

Google Workspace (formerly G Suite) is in scope for your SOC 2 audit if it is used to store, process, or transmit customer data or is used to access systems that do. For most SaaS companies, this means Gmail (customer communications), Google Drive (shared documents, contracts, data exports), and Google Meet (recorded meetings containing customer information). Google holds its own SOC 2 Type II report, available from the Google Cloud Compliance Reports Manager, covering the Workspace infrastructure.

Your responsibility is the configuration of the Google Workspace Admin Console: 2-Step Verification policies, OAuth app access, Data Loss Prevention rules, session duration, and mobile device management. Auditors will ask for evidence that you have enforced these controls across all users. The Google Admin Console provides audit logs, reports, and exportable evidence for most of these controls.

2-Step Verification Enforcement (CC6.1)

Navigate to Admin Console → Security → Authentication → 2-step verification. Click "Allow users to turn on 2-Step Verification" and set "Enforcement" to "On". Select "Enforcement date" (give users a 2-week grace period before enforcement begins). Under "Allowed second factors", disable "Phone (voice or text message)" for admin accounts — SMS 2FA is susceptible to SIM swap and is not sufficient for privileged accounts. Leave "Security key" and "Authenticator app" enabled.

For admin accounts specifically, set up an organizational unit (OU) named "Admins" and configure a stricter policy: require security keys only (Admin Console → Security → Authentication → 2-step verification → [Admin OU] → Require security key). Google Titan keys or YubiKeys are both FIDO2 compliant. This satisfies the phishing-resistant MFA requirement for privileged accounts under CC6.1.

Under Admin Console → Security → Less secure app access, set "Disable access to less secure apps for all users". This prevents legacy protocols (IMAP, POP3, SMTP with basic auth) that cannot enforce 2-Step Verification. Disable "Google account sign-in" for the password challenge only (set to require 2SV) and enforce "Session length" to 8 hours under Session management.

Session and Access Controls (CC6.6)

Navigate to Admin Console → Security → Google Session Control. Set the session length to 8 hours. This forces re-authentication every 8 hours, limiting the window of exposure from a stolen session cookie. For Google Cloud console access, set this to 1 hour given the privileged nature of cloud console access.

Enable Context-Aware Access if you are on Google Workspace Enterprise Standard or Plus. Navigate to Admin Console → Security → Context-Aware Access → Assign access levels. Create an access level requiring "Device compliance" (managed device with encryption, screen lock, and up-to-date OS). Apply this access level to Gmail, Drive, and Admin Console. Users accessing from personal unmanaged devices will be denied or prompted to enroll the device in MDM. This satisfies CC6.6 and CC6.7 boundary protection criteria.

Under Admin Console → Directory → Mobile and endpoints → Set up advanced mobile management, enable Advanced Mobile Management. Require a screen lock, encryption, and block jailbroken/rooted devices. Configure remote wipe capability for corporate data. This ensures that lost or stolen devices do not create a data breach and satisfies physical access and device management controls.

Data Loss Prevention (C1.1)

Google Workspace DLP is available under Admin Console → Rules → DLP (Gmail) and Admin Console → Drive and Docs → Drive settings → DLP. Create DLP rules for common sensitive data patterns: credit card numbers, Social Security Numbers, Aadhaar numbers (for Indian companies), and custom patterns for your proprietary data (customer IDs, API keys). Set the action to "Block" for external sharing of files matching sensitive patterns.

For Gmail, create DLP rules that quarantine outbound emails containing attachments with sensitive data patterns. Configure "Content compliance" rules under Admin Console → Apps → Google Workspace → Gmail → Content compliance to inspect email body and attachments. Route quarantined messages to a security review queue rather than hard-blocking — this avoids business disruption while maintaining control.

In Drive, audit external sharing settings. Navigate to Admin Console → Apps → Google Workspace → Drive and Docs → Sharing settings. Set "Sharing outside of [your domain]" to "Allowed but warn users when sharing outside domain". Disable "Allow users to publish files on the web" and "Allow users to enable link sharing". These settings reduce the risk of inadvertent customer data exposure, satisfying C1.1 and C1.2 criteria.

Third-Party App Access Controls

Navigate to Admin Console → Security → API controls → App access control. Set "Trust internal, domain-owned apps" and "Unconfigured third-party apps" to "Don't allow users to access any third-party apps". Then create an allowlist of approved applications. This prevents employees from connecting unauthorized OAuth apps to their Google accounts and exfiltrating data.

Review the existing OAuth app grants under Admin Console → Security → API controls → Connected apps. Look for apps with broad scopes (mail.google.com, drive, contacts) from unknown developers. Revoke access for any unapproved applications. Configure an approval workflow for new app requests — employees submit a request, security reviews the OAuth scopes, and approved apps are added to the allowlist. Document this process as an appendix to your vendor management policy.

Admin Account Security

Limit super admin accounts to no more than 3 users. Super admins have full control over the Workspace tenant and are a high-value target. Create admin roles with the principle of least privilege: User Management Admin for IT helpdesk, Storage Admin for data management, and so on. Assign these roles instead of super admin for day-to-day tasks. Navigate to Admin Console → Admin roles to create and assign custom roles.

Enable admin alerts for suspicious activity. Under Admin Console → Reports → Alerts, ensure the following alerts are active: "Account suspended due to suspicious activity", "Suspicious login", "Government-backed attack warning", "Super admin password reset", and "New super admin added". Route these alerts to your security team Slack channel for immediate response. This provides automated CC7.2 and CC7.3 threat detection evidence.

Audit Log Collection and Evidence

Google Workspace provides several audit logs accessible under Admin Console → Reports → Audit and investigation: Admin audit (administrative changes), Login audit (authentication events), Drive audit (file access and sharing), Gmail audit (email events), and Token audit (OAuth grants). Each log can be exported to CSV or queried via the Reports API (`GET /admin/reports/v1/activity/users/{userKey}/applications/{applicationName}`).

Set up a BigQuery export for continuous audit log archiving. Navigate to Admin Console → Reports → Audit and investigation → [log type] → Export → Export to BigQuery. This sends all events to a BigQuery dataset in real time, enabling SQL queries across your entire audit period. Export the relevant event types to CSV monthly and store in your compliance platform as evidence. Retain for at least 13 months.

Key events to export for SOC 2: `login_success`, `login_failure`, `logout`, `2sv_disable` (2-Step Verification disabled), `password_change`, `admin_login`, `grant_admin_privilege`, and `change_acl_editors` (file permission changes). These events map to CC6.1 (authentication), CC6.2 (access provisioning), and CC6.3 (access removal) criteria.