Objective:

Ensure files and folders in Google Drive (Enterprise) are protected against unauthorized access or sharing, especially with non-employees or external users.

---

PART 1: ADMIN CHECKLIST – CONFIGURATION IN GOOGLE WORKSPACE ADMIN CONSOLE

1. Restrict Sharing Outside the Organization

Path:
Admin Console → Apps → Google Workspace → Drive and Docs → Sharing settings

Steps:

• Disallow sharing outside the organization:
  • Set: “Only users in your organization” can access files.
• Disable sharing to personal Gmail accounts (optional).
• Allow whitelisting specific trusted domains (e.g., partners).
• Prevent external users from becoming editors or owners.
• Disable “Anyone with the link” sharing.

---

2. Enable Data Loss Prevention (DLP)

Path:
Admin Console → Security → Data Protection → DLP Rules

Steps:

• Create custom rules to detect:
  • Personal Identifiable Information (PII)
  • Credit Card Numbers
  • Financial or Health Data
  • Source Code / Confidential Project Keywords
• Actions:
  • Block sharing
  • Warn users before sharing
  • Send alerts to admins

---

3. Enforce Context-Aware Access (Device/Location-Based Restrictions)

Path:
Admin Console → Security → Context-Aware Access

Steps:

• Create Access Levels:
  • Only allow access from company-managed devices
  • Block access from unknown IPs or locations
• Apply access levels to Google Drive service.

---

4. Use Drive Labels & Classification Policies

Path:
Admin Console → Apps → Google Workspace → Drive Labels

Steps:

• Define labels such as:
  • Public, Internal, Confidential, Restricted
• Create rules based on labels:
  • “Confidential” files cannot be shared externally.
  • “Internal” files require viewer access only.

---

5. Enforce Access Expiration and Disable Download

Path:
Google Drive File Settings (Per File)

Steps:

• Allow users to set expiration dates on shared files.
• Disable download, copy, and print for viewers.

---

6. Monitor with Security Investigation Tool

Path:
Admin Console → Security → Investigation Tool

Steps:

• Investigate:
  • Who is sharing files externally
  • Files that are publicly accessible
• Take action:
  • Revoke sharing
  • Send warnings
  • Notify managers

---

7. Educate Users with a Data Sharing Policy

Steps:

• Draft a clear policy on:
  • What is considered sensitive data
  • Who can share files externally (if at all)
  • How to label documents
• Train employees quarterly.

---

PART 2: USER-LEVEL BEST PRACTICES (TO BE COMMUNICATED TO STAFF)

Practice	Description
Avoid “Anyone with the link”	Always share only with specific users/emails
Use Labels	Mark files as Confidential/Internal etc.
Verify Access	Regularly review “Shared with” on important docs
Set Expiration Dates	Use for temporary access or contracts
Use Access Request	Allow “Request Access” rather than pre-share
Report Suspicious Sharing	If unsure, notify IT or Admin
Learn to use Google Drive audit panel	To track changes and access

---

PART 3: QUICK REFERENCE VISUAL CHECKLIST

[] Disable external sharing
[] Set up DLP rules for sensitive data
[] Enable Context-Aware Access
[] Use document classification with Drive Labels
[] Monitor with Investigation Tool
[] Educate employees quarterly
[] Audit and revoke dangerous shares regularly

---

BONUS: Security Automation Ideas

• Google Apps Script to scan shared files daily and notify Admin.
• Scheduled audits of shared files using third-party tools like SpinOne, BetterCloud, or SysCloud.
• SIEM integration (e.g., Splunk, Chronicle) for real-time alerts on data exfiltration.

---