A complete audit of your Workspace tenant — from critical settings to advanced hardening

Section 1: Authentication and 2-Step Verification
CRITICAL
☐ 2-Step Verification (2SV) is ENFORCED for all users, not merely available. Verify in Admin Console → Security → Authentication → 2-Step Verification that Enforcement is 'On' for every organizational unit, not only at the top level.
☐ New users must enroll in 2SV within a defined enrollment period (7–14 days maximum); until they enroll, treat those accounts as unprotected.
☐ Super Admin accounts use hardware security keys (FIDO2) or passkeys only (the 'Only security key' method policy), never SMS, voice, or TOTP codes, all of which can be phished in real time.
☐ Less secure app access (password-only sign-in from apps that do not use OAuth, such as older IMAP/POP clients) is DISABLED for all users. Google removed this option from Workspace in 2024; if it still appears under Admin Console → Security → Access and data control → Less secure apps, confirm it is off, and make sure any remaining mail clients authenticate with OAuth.
HIGH PRIORITY
☐ Allowed 2SV methods are reviewed: is SMS or voice 2SV still permitted? Restrict sensitive roles (finance, HR, IT) to authenticator app or security key at minimum.
☐ Password policy (Admin Console → Security → Authentication → Password management) is configured: 'Enforce strong password' enabled, minimum length raised above Google's 8-character floor (12 or more), and 'Allow password reuse' unchecked. Periodic forced expiration adds little once 2SV is enforced; reset passwords on evidence of compromise instead.
☐ Single Sign-On (SSO) is configured for critical business applications where available, so access to them inherits Workspace 2SV and offboarding (Google as SAML identity provider, or a third-party IdP).
☐ Third-party identity provider (SAML SSO) integration is documented if used, including which organizational units it covers and how super admins sign in if the IdP is unavailable.
STANDARD
☐ Login challenges are enabled so that risky sign-ins are challenged even when the password is correct.
☐ Advanced Protection Program enrollment is required for the highest-risk users (executives, finance, IT admins); it mandates security keys and blocks most third-party app access to Gmail and Drive data.
☐ Recovery options for admin accounts are reviewed: no personal Gmail or other consumer recovery addresses and no personal phone numbers on admin accounts; recovery goes to an IT-controlled mailbox or is handled by an admin-assisted reset.
Section score: ___ / 11 Critical items completed: ___ / 4
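The enforcement, enrollment and recovery-address checks above can be scripted rather than eyeballed per user. The following Python is an added example, not part of the original checklist: it evaluates user records in the shape returned by the Admin SDK Directory API users.list call (the field names isAdmin, isDelegatedAdmin, isEnrolledIn2Sv, isEnforcedIn2Sv, recoveryEmail and suspended are the API's own). SAMPLE_USERS is constructed data standing in for the API response, and CONSUMER_MAIL_DOMAINS is an assumed list you would tune.

```python
"""Audit Workspace user records for 2SV and admin-recovery gaps.

Added example (not from the original checklist). Operates on user
objects in the shape the Admin SDK Directory API users.list returns:
primaryEmail, isAdmin, isDelegatedAdmin, isEnrolledIn2Sv,
isEnforcedIn2Sv, recoveryEmail, suspended. In production, fetch them with
    service.users().list(customer="my_customer", projection="full",
                         maxResults=500).execute()["users"]
and page on nextPageToken. SAMPLE_USERS below is constructed data.
"""

# Recovery addresses on consumer mail providers are outside the org's
# control and are a common path to admin account takeover (assumed list).
CONSUMER_MAIL_DOMAINS = {
    "gmail.com", "googlemail.com", "yahoo.com", "outlook.com",
    "hotmail.com", "live.com", "icloud.com", "aol.com",
}

SAMPLE_USERS = [  # constructed, not real accounts
    {"primaryEmail": "it-admin@example.com", "isAdmin": True,
     "isEnrolledIn2Sv": True, "isEnforcedIn2Sv": True,
     "recoveryEmail": "it-recovery@example.com"},
    {"primaryEmail": "jane@example.com", "isAdmin": True,
     "isEnrolledIn2Sv": True, "isEnforcedIn2Sv": True,
     "recoveryEmail": "jane.personal@gmail.com"},
    {"primaryEmail": "bob@example.com", "isDelegatedAdmin": True,
     "isEnrolledIn2Sv": False, "isEnforcedIn2Sv": False},
    {"primaryEmail": "sam@example.com",
     "isEnrolledIn2Sv": False, "isEnforcedIn2Sv": True},
    {"primaryEmail": "former@example.com", "suspended": True,
     "isEnrolledIn2Sv": False, "isEnforcedIn2Sv": False},
]


def _is_admin(user):
    return bool(user.get("isAdmin") or user.get("isDelegatedAdmin"))


def audit_users(users):
    """Return (email, severity, reason) tuples for each gap found."""
    findings = []
    for u in users:
        if u.get("suspended"):
            continue  # cannot sign in; excluded from the enforcement check
        email = u["primaryEmail"]
        admin = _is_admin(u)
        # Enforcement is the policy; enrollment is whether the user has
        # actually set 2SV up. Either gap matters, for admins most of all.
        if not u.get("isEnforcedIn2Sv"):
            findings.append((email, "CRITICAL", "2SV is not enforced for this user"))
        if not u.get("isEnrolledIn2Sv"):
            sev = "CRITICAL" if admin else "HIGH"
            findings.append((email, sev, "user has not enrolled in 2SV"))
        recovery = (u.get("recoveryEmail") or "").lower()
        domain = recovery.rsplit("@", 1)[-1] if "@" in recovery else ""
        if admin and domain in CONSUMER_MAIL_DOMAINS:
            findings.append((email, "STANDARD",
                             f"admin recovery email on consumer domain: {recovery}"))
    return findings


def super_admins(users):
    """Active Super Admins; compare against the list you expect to see."""
    return sorted(u["primaryEmail"] for u in users
                  if u.get("isAdmin") and not u.get("suspended"))


def summarize(findings):
    """Count findings per severity, for the section scorecard."""
    counts = {"CRITICAL": 0, "HIGH": 0, "STANDARD": 0}
    for _, sev, _ in findings:
        counts[sev] += 1
    return counts


if __name__ == "__main__":
    results = audit_users(SAMPLE_USERS)
    for email, sev, reason in results:
        print(f"{sev:8} {email:28} {reason}")
    print("Super Admins:", ", ".join(super_admins(SAMPLE_USERS)))
    print("Totals:", summarize(results))
```

Run it against the real users.list output after every onboarding cycle; a non-empty CRITICAL list means the 2SV enforcement setting is not what you think it is for at least one organizational unit.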
Section 2: Google Drive and Sharing
CRITICAL
☐ External sharing is deliberately scoped. In Admin Console → Apps → Google Workspace → Drive and Docs → Sharing settings, 'Sharing outside of your organization' is OFF, limited to allowlisted domains, or, if ON, external recipients must sign in; sharing with people who do not use a Google account is off unless a documented business case requires it.
☐ Public link sharing is DISABLED: users cannot set files so that anyone on the internet can open them without signing in, and the default link-sharing setting for new files is restricted (owner only, or people in the organization).
HIGH PRIORITY
☐ Access expiration is used for external shares and other time-limited collaborations (30–90 days recommended). Drive lets the sharer set an expiration date on a person's access, so make it part of the sharing procedure and check that external access is actually lapsing in the Drive audit reports.
☐ External sharing is limited to allowlisted trusted domains (partner organizations, clients with ongoing access) rather than open to any domain.
☐ A warning is displayed when users share outside the organization, so an accidental external share requires a second click.
☐ Shared drive creation is restricted to appropriate users or organizational units, not every employee by default, and each shared drive's external-member setting is reviewed.
☐ Drive audit reports (Reporting → Audit and investigation → Drive log events) are reviewed monthly for unexpected sharing, especially visibility changes to public or to external domains.
STANDARD
☐ Drive DLP (data protection) rules are configured for sensitive data patterns (SSN, financial data, health information) with an action that blocks or warns on external sharing. Requires Business Plus or higher editions.
☐ Target audiences are configured if you want users to share with a defined group (a department, a partner team) instead of with the whole organization or via open links.
Section score: ___ / 9 Critical items completed: ___ / 2
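The monthly Drive audit review above is tedious by hand, because most events are routine views and edits. The following Python is an added example, not part of the original checklist: it triages activity items in the shape the Admin SDK Reports API activities.list returns for applicationName="drive" (actor.email, id.time, and events whose parameters are name/value pairs such as doc_title, visibility, target_user and target_domain, as used in the Drive audit log). SAMPLE_ACTIVITY is constructed data and TRUSTED_DOMAINS is an assumed allowlist.

```python
"""Flag risky sharing changes in Drive audit activity.

Added example (not from the original checklist). Reads activity items in
the shape the Admin SDK Reports API returns from
    service.activities().list(userKey="all", applicationName="drive",
                              startTime="...").execute()["items"]
i.e. each item has actor.email, id.time and a list of events whose
parameters are {name, value|boolValue|intValue|multiValue} pairs. Event
and parameter names follow the Drive audit log; SAMPLE_ACTIVITY below is
constructed data and TRUSTED_DOMAINS is an assumed allowlist.
"""

TRUSTED_DOMAINS = {"example.com", "partner.example.org"}
PUBLIC_VISIBILITIES = {"public_on_the_web", "people_with_link"}
ACL_EVENTS = {"change_document_visibility", "change_user_access",
              "change_document_access_scope"}

SAMPLE_ACTIVITY = [  # constructed events
    {"id": {"time": "2024-05-02T09:14:00Z"}, "actor": {"email": "alice@example.com"},
     "events": [{"name": "change_document_visibility", "type": "acl_change",
                 "parameters": [{"name": "doc_title", "value": "Q3 Board Deck"},
                                {"name": "visibility", "value": "public_on_the_web"}]}]},
    {"id": {"time": "2024-05-02T10:01:00Z"}, "actor": {"email": "bob@example.com"},
     "events": [{"name": "change_user_access", "type": "acl_change",
                 "parameters": [{"name": "doc_title", "value": "SOW draft"},
                                {"name": "visibility", "value": "shared_externally"},
                                {"name": "target_user", "value": "carol@partner.example.org"},
                                {"name": "target_domain", "value": "partner.example.org"}]}]},
    {"id": {"time": "2024-05-02T10:07:00Z"}, "actor": {"email": "bob@example.com"},
     "events": [{"name": "change_user_access", "type": "acl_change",
                 "parameters": [{"name": "doc_title", "value": "Payroll export"},
                                {"name": "visibility", "value": "shared_externally"},
                                {"name": "target_user", "value": "dave.smith@gmail.com"},
                                {"name": "target_domain", "value": "gmail.com"}]}]},
    {"id": {"time": "2024-05-02T11:30:00Z"}, "actor": {"email": "alice@example.com"},
     "events": [{"name": "view", "type": "access",
                 "parameters": [{"name": "doc_title", "value": "Q3 Board Deck"}]}]},
]


def _params(event):
    """Flatten the Reports API parameter list into a dict."""
    out = {}
    for p in event.get("parameters", []):
        for key in ("value", "boolValue", "intValue", "multiValue"):
            if key in p:
                out[p["name"]] = p[key]
                break
    return out


def triage_drive_activity(activities, trusted_domains=TRUSTED_DOMAINS):
    """Return findings for public links and shares to non-allowlisted domains."""
    findings = []
    for item in activities:
        actor = item.get("actor", {}).get("email", "unknown")
        when = item.get("id", {}).get("time", "")
        for ev in item.get("events", []):
            if ev.get("name") not in ACL_EVENTS:
                continue  # views, edits and downloads are not sharing changes
            p = _params(ev)
            doc = p.get("doc_title") or p.get("doc_id", "?")
            vis = p.get("visibility", "")
            domain = (p.get("target_domain") or "").lower()
            if vis in PUBLIC_VISIBILITIES:
                findings.append({"severity": "CRITICAL", "time": when, "actor": actor,
                                 "doc": doc, "reason": f"link sharing set to {vis}"})
            elif domain and domain not in trusted_domains:
                who = p.get("target_user") or domain
                findings.append({"severity": "HIGH", "time": when, "actor": actor,
                                 "doc": doc, "reason": f"shared with {who} (untrusted domain)"})
    return findings


def by_actor(findings):
    """Count findings per sharer, to see who needs a conversation."""
    counts = {}
    for f in findings:
        counts[f["actor"]] = counts.get(f["actor"], 0) + 1
    return counts


if __name__ == "__main__":
    found = triage_drive_activity(SAMPLE_ACTIVITY)
    for f in found:
        print(f"{f['severity']:8} {f['time']} {f['actor']:20} {f['doc']!r}: {f['reason']}")
    print(by_actor(found))
```

A public_on_the_web or people_with_link result on a tenant where the Section 2 CRITICAL items are marked done means the Sharing settings are not applied to the organizational unit that user sits in; fix the setting, not just the file.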
Section 3: Gmail Security
CRITICAL
☐ An SPF record is published for every sending domain: 'v=spf1 include:_spf.google.com ~all' or equivalent, with any third-party senders (marketing, ticketing, billing) added and the total kept under the 10-DNS-lookup limit.
☐ DKIM signing is enabled for your domain in Admin Console → Apps → Google Workspace → Gmail → Authenticate email, with a 2048-bit key generated and the TXT record published at the selector (default 'google._domainkey'). Without it, outgoing mail carries Google's default signature, which does not align with your domain for DMARC.
☐ A DMARC record is published at _dmarc.yourdomain with an enforcement policy (p=quarantine or p=reject), pct=100, and an rua= address that someone actually reads. Stay at p=none only long enough to confirm that every legitimate sender passes SPF or DKIM alignment.
☐ Enhanced pre-delivery message scanning is enabled in Gmail → Safety → Spam, phishing and malware.
HIGH PRIORITY
☐ External recipient warnings are enabled so users are alerted when a message is addressed outside the organization.
☐ Attachment safety is enabled: protect against encrypted attachments from untrusted senders, protect against attachments with scripts from untrusted senders, and apply future recommended settings automatically.
☐ Links and external images protection is enabled for all users: identify links behind shortened URLs, scan linked images, and show a warning prompt for clicks on links to untrusted domains.
☐ Spoofing and authentication protection is enabled: protect against domain spoofing based on similar domain names, employee-name spoofing, inbound mail that spoofs your domain, and unauthenticated email, with quarantine rather than a warning banner where the business can tolerate it.
☐ Anomalous attachment type protection is enabled, so attachment types unusual for your domain are quarantined or flagged.
STANDARD
☐ Routing and forwarding are reviewed: admin routing and compliance rules (Gmail → Routing) contain nothing unexpected, automatic forwarding is disabled for users who do not need it (Gmail → End User Access), and existing forwarding addresses and filters that forward to external addresses are audited; attackers add these to keep reading mail after a compromised sign-in is cleaned up.
☐ Email delegation is audited: who has access to whose mailbox, and is delegation limited to the organizational units that need it?
☐ Confidential mode is available for users who need to send time-limited, no-forward messages, with the understanding that it does not encrypt the message or prevent screenshots.
Section score: ___ / 12 Critical items completed: ___ / 4
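The three CRITICAL DNS items above are easy to get subtly wrong (a '+all', a p=none left in place, a 1024-bit DKIM key never rotated). The following Python is an added example, not part of the original checklist: it evaluates SPF, DKIM and DMARC TXT record strings against those checks. It works on strings you supply (so it runs offline); fetch the live records with dig as shown in the docstring. SAMPLE_RECORDS is constructed, and the DKIM p= values are base64 placeholders of realistic length, not real keys. The RSA size check is a heuristic on DER length, assumed to be adequate for this purpose.

```python
"""Evaluate SPF, DKIM and DMARC TXT records against the Gmail checklist.

Added example, not from the original checklist. It parses record strings
you supply, so it runs offline; fetch live records with
    dig +short TXT example.com
    dig +short TXT google._domainkey.example.com
    dig +short TXT _dmarc.example.com
SAMPLE_RECORDS is constructed; the DKIM p= values are base64 placeholders
of realistic length, not real keys.
"""
import base64

SPF_LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

SAMPLE_RECORDS = {  # constructed
    "spf_good": "v=spf1 include:_spf.google.com ~all",
    "spf_bad": "v=spf1 include:_spf.google.com include:spf.protection.outlook.com a mx +all",
    "dmarc_good": "v=DMARC1; p=reject; rua=mailto:dmarc@example.com; adkim=s; aspf=s; pct=100",
    "dmarc_bad": "v=DMARC1; p=none",
    "dkim_good": "v=DKIM1; k=rsa; p=" + "A" * 392,  # decodes to 294 bytes, the DER size of RSA-2048
    "dkim_weak": "v=DKIM1; k=rsa; p=" + "A" * 216,  # decodes to 162 bytes, the DER size of RSA-1024
}


def check_spf(record):
    """Return a list of problems; an empty list means the record looks sound."""
    tokens = record.strip().lower().split()
    if not tokens or tokens[0] != "v=spf1":
        return ["not an SPF record (must start with v=spf1)"]
    problems, lookups, all_qualifier, includes_google = [], 0, None, False
    for tok in tokens[1:]:
        qualifier, body = (tok[0], tok[1:]) if tok[0] in "+-~?" else ("+", tok)
        name = body.split(":", 1)[0].split("/", 1)[0].split("=", 1)[0]
        lookups += name in SPF_LOOKUP_MECHANISMS  # each of these costs a DNS query
        includes_google |= body == "include:_spf.google.com"
        if name == "all":
            all_qualifier = qualifier
    if not includes_google:
        problems.append("missing include:_spf.google.com; Gmail-sent mail will not pass SPF")
    if all_qualifier is None:
        problems.append("no 'all' mechanism; unknown senders are neither passed nor failed")
    elif all_qualifier in "+?":
        problems.append(f"'{all_qualifier}all' authorizes every sender; use ~all or -all")
    if lookups > 10:
        problems.append(f"{lookups} lookup mechanisms exceeds the limit of 10 (before following includes)")
    return problems


def _tags(record):
    """Parse 'tag=value; tag=value' records (DKIM, DMARC) into a dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags


def check_dmarc(record):
    t = _tags(record)
    if t.get("v", "").upper() != "DMARC1":
        return ["not a DMARC record (must start with v=DMARC1)"]
    problems = []
    policy = t.get("p", "").lower()
    if policy not in ("quarantine", "reject"):
        problems.append(f"p={policy or 'missing'} is monitor-only; move to quarantine or reject")
    if "rua" not in t:
        problems.append("no rua= address; aggregate reports are going nowhere")
    pct = t.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        problems.append(f"pct={pct} applies the policy to only {pct}% of failing mail")
    return problems


def check_dkim(record):
    t = _tags(record)
    problems = []
    if t.get("v") and t["v"].upper() != "DKIM1":
        problems.append("v tag present but not DKIM1")
    if t.get("k", "rsa").lower() != "rsa":
        return problems  # the size heuristic below applies to RSA keys only
    key_b64 = "".join(t.get("p", "").split())
    if not key_b64:
        return problems + ["empty p= tag: the key is revoked, so signatures fail"]
    try:
        der = base64.b64decode(key_b64, validate=True)
    except ValueError:  # binascii.Error is a ValueError
        return problems + ["p= is not valid base64"]
    # DER SubjectPublicKeyInfo is 162 bytes for RSA-1024 and 294 for RSA-2048.
    if len(der) < 290:
        problems.append(f"RSA key shorter than 2048 bits ({len(der)}-byte DER); rotate to a 2048-bit key")
    return problems


def audit_domain(spf, dkim, dmarc):
    """Combine the three checks into one report; all-empty lists means pass."""
    return {"spf": check_spf(spf), "dkim": check_dkim(dkim), "dmarc": check_dmarc(dmarc)}


if __name__ == "__main__":
    r = SAMPLE_RECORDS
    print("good:", audit_domain(r["spf_good"], r["dkim_good"], r["dmarc_good"]))
    print("bad: ", audit_domain(r["spf_bad"], r["dkim_weak"], r["dmarc_bad"]))
```

The SPF lookup count here is for the record you pass in only; includes are not followed, so a clean result still needs a recursive check before you trust the 10-lookup budget.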
Section 4: Endpoint Management
CRITICAL
☐ All organization-owned computers (Macs, Windows PCs, Chromebooks) are enrolled in Google endpoint management or a third-party MDM, and anything not enrolled shows up in an inventory rather than being unknown.
☐ Company-owned devices are enrolled through a zero-touch program (Apple Business Manager with automated device enrollment for Macs, Windows Autopilot or equivalent for PCs) so that a wiped or reset device re-enrolls on setup and cannot quietly leave management.
☐ Screen lock with a short idle timeout is enforced by MDM policy on all enrolled devices.
☐ Full-disk encryption (FileVault on Mac, BitLocker on Windows) is enforced and recovery keys are escrowed to the MDM. Without enforcement a lost laptop is a data breach; without escrow a forgotten password is lost data.
HIGH PRIORITY
☐ Context-Aware Access is configured to block or challenge access from unmanaged or non-compliant devices (Business Plus or higher editions; confirm availability for your edition).
☐ Mobile devices (phones and tablets) that access Google Workspace are enrolled in endpoint management: basic management at minimum, advanced management for devices that hold sensitive data.
☐ Remote wipe is tested, not assumed: can you wipe a lost device remotely (account wipe for personal devices, full device wipe for company-owned), and how long does it take to reach the device?
☐ App management is configured for mobile devices: approved apps deployed, prohibited apps blocked.
STANDARD
☐ Device compliance rules (encryption, screen lock, OS version, no compromise detected) are defined and enforced through Context-Aware Access rather than only reported on.
☐ Minimum OS versions are enforced: devices below the minimum are flagged or blocked until updated.
Section score: ___ / 10 Critical items completed: ___ / 4
Section 5: Admin and Audit
CRITICAL
☐ Super Admin accounts are dedicated accounts used only for administration, separate from the admin's day-to-day mail and calendar account, and there are at least two (so one lost security key does not lock you out of the tenant) but no more than necessary.
☐ Admin role assignments are reviewed with least privilege applied: pre-built roles (Help Desk Admin, User Management Admin, Groups Admin) or custom roles scoped to an organizational unit for routine tasks, not Super Admin for everyone on the IT team.
☐ Admin log events (Reporting → Audit and investigation → Admin log events) are reviewed monthly for unexpected actions: role grants, 2SV or password-policy changes, recovery-option changes, and sharing-setting changes. The log is always on; the control is that someone reads it.
HIGH PRIORITY
☐ Alert Center rules are configured for: user granted admin privilege, admin password or account settings changed, suspicious login, and bulk data export, with notifications sent by email and, ideally, into your ticketing system or SIEM.
☐ Alerts go to a monitored group inbox or SIEM, not only to the primary Super Admin, who may be the target (or the victim) of the very attack that raised the alert.
☐ Google Vault is configured with retention rules appropriate to your industry and legal obligations (Business Plus or higher editions).
☐ Vault holds can be placed on a user's data for legal or compliance purposes, and the procedure has been tested before it is needed.
☐ The security investigation tool is used to triage unusual activity and take bulk actions such as deleting a phishing campaign from all inboxes (edition-dependent).
STANDARD
☐ Third-party application access is reviewed: OAuth-connected apps are audited in Admin Console → Security → Access and data control → API controls → Manage Third-Party App Access, and access to restricted Google services is limited to trusted apps.
☐ High-risk apps (apps requesting sensitive scopes such as full Gmail or Drive access) are reviewed and blocked or limited as appropriate, and affected users are told why.
☐ Google Workspace Marketplace apps are restricted to an IT-approved allowlist.
Section score: ___ / 11 Critical items completed: ___ / 3
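The OAuth app review in the STANDARD items above is where most tenants find surprises, because users grant mail and Drive access to apps nobody in IT has heard of. The following Python is an added example, not part of the original checklist: it audits token grants in the shape the Admin SDK Directory API tokens.list call returns per user (clientId, displayText, anonymous, nativeApp, scopes are the API's fields) against an IT allowlist and a set of sensitive scopes. APPROVED_CLIENT_IDS, SENSITIVE_SCOPES and SAMPLE_TOKENS are constructed or assumed; the scope strings themselves are real Google OAuth scopes.

```python
"""Audit third-party OAuth grants for sensitive scopes.

Added example (not from the original checklist). Works on token objects
in the shape the Admin SDK Directory API returns from
    service.tokens().list(userKey=email).execute()["items"]
(fields clientId, displayText, anonymous, nativeApp, scopes). That call
needs the admin.directory.user.security scope, and
    service.tokens().delete(userKey=email, clientId=client_id)
revokes a grant. APPROVED_CLIENT_IDS and SAMPLE_TOKENS are constructed.
"""

# Scopes that read or modify mail, files, contacts or directory data (assumed set).
SENSITIVE_SCOPES = {
    "https://mail.google.com/",
    "https://www.googleapis.com/auth/gmail.modify",
    "https://www.googleapis.com/auth/gmail.readonly",
    "https://www.googleapis.com/auth/gmail.settings.sharing",
    "https://www.googleapis.com/auth/drive",
    "https://www.googleapis.com/auth/drive.readonly",
    "https://www.googleapis.com/auth/contacts",
}
SENSITIVE_PREFIXES = ("https://www.googleapis.com/auth/admin.",)  # any Admin SDK scope

APPROVED_CLIENT_IDS = {"1234-crm.apps.googleusercontent.com"}  # assumed IT allowlist

SAMPLE_TOKENS = {  # constructed: user -> tokens.list items
    "alice@example.com": [
        {"clientId": "1234-crm.apps.googleusercontent.com", "displayText": "Approved CRM",
         "anonymous": False, "nativeApp": False,
         "scopes": ["https://www.googleapis.com/auth/contacts.readonly",
                    "https://www.googleapis.com/auth/userinfo.email"]},
        {"clientId": "5678-merge.apps.googleusercontent.com", "displayText": "Mail Merge Pro",
         "anonymous": False, "nativeApp": False,
         "scopes": ["https://mail.google.com/",
                    "https://www.googleapis.com/auth/userinfo.email"]},
    ],
    "bob@example.com": [
        {"clientId": "9012-pdf.apps.googleusercontent.com", "displayText": "PDF Converter",
         "anonymous": True, "nativeApp": False,
         "scopes": ["https://www.googleapis.com/auth/drive"]},
        {"clientId": "3456-cal.apps.googleusercontent.com", "displayText": "Calendar Widget",
         "anonymous": False, "nativeApp": False,
         "scopes": ["https://www.googleapis.com/auth/calendar.readonly"]},
    ],
}


def sensitive_scopes(scopes):
    """Subset of the granted scopes that touch mail, files, contacts or admin data."""
    return sorted(s for s in scopes
                  if s in SENSITIVE_SCOPES or s.startswith(SENSITIVE_PREFIXES))


def audit_tokens(tokens_by_user, approved=APPROVED_CLIENT_IDS):
    """Return one finding per unapproved grant; approved clients are skipped."""
    findings = []
    for user, tokens in tokens_by_user.items():
        for tok in tokens:
            if tok["clientId"] in approved:
                continue
            risky = sensitive_scopes(tok.get("scopes", []))
            sev = "HIGH" if risky else "STANDARD"
            reason = ("unapproved app with sensitive scopes: " + ", ".join(risky)
                      if risky else "unapproved app (low-risk scopes); confirm business need")
            if tok.get("anonymous"):
                reason += "; unverified (anonymous) client"
            findings.append({"user": user, "app": tok.get("displayText", tok["clientId"]),
                             "clientId": tok["clientId"], "severity": sev, "reason": reason})
    return findings


def revocation_plan(findings):
    """(user, clientId) pairs to pass to tokens().delete() once reviewed."""
    return [(f["user"], f["clientId"]) for f in findings if f["severity"] == "HIGH"]


if __name__ == "__main__":
    found = audit_tokens(SAMPLE_TOKENS)
    for f in found:
        print(f"{f['severity']:8} {f['user']:20} {f['app']:16} {f['reason']}")
    print("Revoke after review:", revocation_plan(found))
```

Revoking the token removes the app's access but does not undo what it already read; a HIGH finding on a mail scope is a reason to check that user's forwarding rules and filters as well (Section 3).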
Score Summary

Section | Max Score | Your Score | Critical Done?
1. Authentication | 11 | ___ | YES / NO
2. Drive and Sharing | 9 | ___ | YES / NO
3. Gmail Security | 12 | ___ | YES / NO
4. Endpoint Management | 10 | ___ | YES / NO
5. Admin and Audit | 11 | ___ | YES / NO
TOTAL | 53 | ___ |

Score | Security Posture | Action
45–53 | Strong | Maintain; review quarterly.
32–44 | Adequate | Address all CRITICAL items; 60-day remediation plan.
20–31 | At Risk | Immediate action. Engage your IT provider for prioritized hardening.
0–19 | High Risk | Suspend broad external sharing. Address critical items before further business use.

The total is a rough gauge only. Any section whose CRITICAL items are not all done should be treated as At Risk regardless of the total, because one unenforced 2SV policy or one public-sharing setting outweighs many completed STANDARD items.
AEGITz performs Google Workspace security assessments and hardening for Phoenix businesses. Schedule an assessment at aegitz.com.