Security Guidance
RSS feed
Table of contents

Policies for Google Apps administrators

Note: This document is Legacy IA Policy. It is under review and likely to be withdrawn or substantially revised soon. Before using this content for a project, contact the Security team.

These policies must be adhered to by all Google Administrators, including Super Administrators. All Administrator activity is recorded, auditable and notified to all other Administrators.

Why?

These policies ensure two things:

  1. That administrators have a clear understanding of what is considered acceptable, so that they do not inadvertently perform an administrative action which is later considered unacceptable.
  2. In the event that a security incident does occur in relation to Google Apps, that there is a clear policy which can be referred to, to support any action that is taken.

Actions requiring authorisation

The following actions require formal authorisation (e.g. an email confirming that the action can proceed) from at least 2 of the following 3:

  • The Chief Digital Officer.
  • The Chief Information Security Officer (CISO) for the Ministry of Justice (MoJ).
  • The MoJ Digital Information Assurance Lead.

Actions:

  1. Elevate any single user access to administrator from non-administrator.
  2. Access any other users’ emails or data (active or suspended).
  3. Changing any ‘global’ configuration within Google Apps which affects all users.
  4. Transfer any user’s data (active or suspended) to another user. This also requires a request from the business area Service Manager.

Things you must do

  1. Maintain the active list of all users (active and suspended) and maintain their access control to applications.
  2. If anyone who has a Google Apps account leaves the organisation for any reason.
  3. Suspend the account.
  4. Transfer user’s data to a user decided on by their line manager. This also requires a request from the business area Service Manager.
  5. On a minimum quarterly basis (rota’d with other Admins) conduct an audit to check:
    • Any escalation of privileges from non-administrator to administrator.
    • Any forwarding of email accounts.
    • Any taking ownership of User accounts.

Feedback

If you have any questions or comments about this guidance, such as suggestions for improvements, please contact: itpolicycontent@digital.justice.gov.uk.