| Data Types | Additional Requirements |
|---|---|
| Will/Does this server contain information about minors (under 13)? | Yes, and COPPA |
| Will/Does this server contain any medical records? (see https://www.hipaajournal.com/hipaa-compliance-checklist/#hipaacompliancechecklist2023) | Yes, and COPPA |

| Requirement | Done |
|---|---|
| **Generic** | |
| Minimum password rules (at least one capital letter, a minimum password length, preferably a symbol, and an expiration time) | □ Yes |
| Enable auto update for apps and internet browsers | □ Yes |
| Turn off mass data download | □ Yes |
| Control access to Google core services | □ Yes |
| Disable activity controls | □ Yes |
| **Administrator Account** | |
| Require MFA verification for admin accounts | □ Yes |
| Use security keys for 2-Step Verification (Google Authenticator) | □ Yes |
| Admins should add recovery information to their account (recovery phone number or email) | □ Yes |
| **Super Admin Account** | |
| Create an additional super admin account | □ Yes |
| The admin needs to verify DNS ownership of the domain. Keep account information and DNS credentials in a secure place in case they are needed for a super admin account reset. Note: this must be stored in a secure location with a minimum distance away from the original source. | □ Yes |
| Training for super admin accounts: □ Don't use a super admin account for daily activities; □ Don't stay signed into a super admin account; □ Use non-super admin accounts for daily admin tasks | □ Yes |
| Enroll a spare security key | □ Yes |
| Save a backup spare security key ahead of time. Note: this must be stored in a secure location with a minimum distance away from the original source. | □ Yes |
| **Regular Accounts** | |
| Require 2-Step Verification for users | □ Yes |
| Password reuse prevention | □ Yes |
| Set up admin email alerts | □ Yes |
| If the alerts aren't going to be read, make sure to send them to a person who will read them, through a new account with auto-forwarding or a service | □ Yes |
| Add user login challenges (verification codes) | □ Yes |
| **Gmail Specific** | |
| Authenticate email with SPF, DKIM, and DMARC | □ Yes |
| Set up inbound email gateways to work with SPF | □ Yes |
| Enforce TLS with your partner domains | □ Yes |
| Require sender authentication for all approved senders | □ Yes |
| Configure MX records for correct mail flow | □ Yes |
| Disable IMAP/POP access | □ Yes |
| Disable automatic forwarding | □ Yes |
| Don't bypass spam filters for internal senders | □ Yes |
| Enable enhanced pre-delivery message scanning | □ Yes |
| Enable external recipient warnings | □ Yes |
| Enable additional attachment protection | □ Yes |
| Enable additional link and external content protection | □ Yes |
| Enable additional spoofing protection | □ Yes |
| Scan and block emails with sensitive data | □ Yes |
| **If using Gmail, Calendar, Drive, Docs please continue below** | |
| Turn on enhanced pre-delivery message scanning | □ Yes |
| Turn on additional malicious file and link screening for Gmail | □ Yes |
| Make sure email recipients don't mark your email as spam (can be done by setting up the Sender Policy Framework) | □ Yes |
| Restrict calendar sharing with people outside your company | □ Yes |
| Limit who can see newly created files | □ Yes |
| Warn users when they share a file with people outside your company | □ Yes |
| **Vault (DLP/Data Retention)** | |
| Treat accounts with Vault privileges as sensitive | □ Yes |
| **Mandatory Monitoring** | |
| Review the Admin audit log | □ Yes |
| Review your security settings and investigate activity | □ Yes |
| **Compliance Mandates** | |
| Create an incident response plan in case of a breach (see https://www.hhs.gov/sites/default/files/cyber-attack-checklist-06-2017.pdf) | □ Yes |
| **Case Specific** | |
| "Verify it's you" challenge for Drive/file sensitive data | □ Yes |
| Create security keys for logins on super admin accounts and don't use these accounts often | □ Yes |
| Restrict sharing outside of more secure apps | □ Yes |
| Enable HIPAA | □ Yes |
| Data must use TLS 1.3 in transit and be encrypted at rest | □ Yes |
| All data must be under some sort of access management that is audited regularly | □ Yes |
| **Google Workspace compliance** | |
| Go to https://admin.google.com/ac/companyprofile/legal and accept the Cloud Data Processing Addendum and the HIPAA Business Associate Amendment | □ Yes |
| **Understanding requirements** | |
| By law we cannot keep information for longer than reasonably necessary. Do we have any plans in place to ensure this? | □ Yes |
| COPPA also requires us to securely dispose of the data once we no longer need it. Do we have a plan in place to ensure this? | □ Yes |
| By law COPPA requires us to ask for parental permission (and collect consent) before we collect data, and we cannot enforce a rule that requires the collection of this data. Do we have a plan in place to ensure this? | □ Yes |
| By law COPPA requires us to disclose to parents the information we are collecting about their children. Do we have this enabled? | □ Yes |
| By law we must have our privacy policy linked to the page where we collect this data. Do we have this? | □ Yes |
| By law, if the parents do not provide consent within a reasonable time, we must delete this data. What is your specific plan for this case? | □ Yes |
| **Understanding requirements: To give voluntary notice to a parent about their child's participation on a site or service that doesn't collect personal information** | |
| By law we must tell parents we collected their online contact information to let them know about their child's activities on a site or service that doesn't collect personal information. What is your specific plan for this case? | □ Yes |
| By law we must tell them their online contact information won't be used for any other purpose. What is your specific plan for this case? | □ Yes |
| By law we must tell them they may refuse their child's participation and require that we delete their contact information, and we must hyperlink to our privacy policy. What is your specific plan for this case? | □ Yes |
| By law, if we collect information to respond directly to a child's specific one-time request (for example, if the child wants to enter a contest), we can't use the information to contact the child again and must delete it after we respond to the request. Do we have a system that ensures this? | □ Yes |
| **Understanding requirements: To respond directly more than once to a child's specific request (for example, if the child wants to receive a newsletter)** | |
| You must tell parents you collected their online contact information to let them know their child has asked for multiple online communications | □ Yes |
| You must tell parents you collected their child's online contact information to provide the multiple communications they asked for | □ Yes |
| You must tell parents the online contact information won't be used for any other purpose and won't be disclosed or combined with other information | □ Yes |
| You must tell parents that if they don't opt out, you may use the child's online contact information for that purpose | □ Yes |
| You must hyperlink the privacy policy | □ Yes |
| If the collection is needed to provide support for internal operations of your site or service: | □ I acknowledge that I can't use the information to contact a specific person, including through behavioral advertising, to amass a profile on a specific person, or for any other purpose. |
| I understand that this information may be out of date, as this is meant to be a living document, and as such I need to go through the website below to ensure all data is up to date and accurate. | □ Yes |
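A way to check the "Authenticate email with SPF, DKIM, and DMARC" item from the Gmail Specific section is to audit the published DNS TXT records for weak settings. This is an added example, not part of the checklist; the `example.com` records and the `SAMPLE_TXT` lookup table are constructed stand-ins for a real DNS query.

```python
import re

# Constructed sample TXT records for a hypothetical Workspace domain (not from the page).
SAMPLE_TXT = {
    "example.com": ["v=spf1 include:_spf.google.com ~all"],
    "_dmarc.example.com": ["v=DMARC1; p=none; rua=mailto:dmarc@example.com"],
}

def check_spf(records):
    """Return a list of issue strings for the SPF TXT records of a domain."""
    issues = []
    spf = [r for r in records if r.lower().startswith("v=spf1")]
    if not spf:
        return ["SPF: no v=spf1 record"]
    if len(spf) > 1:
        issues.append("SPF: multiple v=spf1 records (receivers treat this as permerror)")
    terms = spf[0].split()[1:]
    if not any(t.lower() == "include:_spf.google.com" for t in terms):
        issues.append("SPF: _spf.google.com is not included, mail sent via Gmail will fail SPF")
    all_term = next((t for t in terms if t.lstrip("+-~?").lower() == "all"), None)
    if all_term is None:
        issues.append("SPF: no 'all' mechanism, unlisted senders get a neutral result")
    elif all_term[0] not in "-~":  # bare 'all', '+all' or '?all' lets any sender pass
        issues.append(f"SPF: '{all_term}' allows any sender")
    elif all_term[0] == "~":
        issues.append("SPF: softfail (~all); prefer -all once DMARC reports look clean")
    return issues

def check_dmarc(records):
    """Return a list of issue strings for the _dmarc TXT records of a domain."""
    issues = []
    dmarc = [r for r in records if r.lower().startswith("v=dmarc1")]
    if not dmarc:
        return ["DMARC: no v=DMARC1 record at _dmarc"]
    tags = dict(re.findall(r"(\w+)\s*=\s*([^;]+)", dmarc[0]))  # tag=value pairs split on ';'
    policy = tags.get("p", "").strip().lower()
    if policy not in ("quarantine", "reject"):
        issues.append(f"DMARC: policy p={policy or 'missing'} does not enforce; use quarantine or reject")
    if "rua" not in tags:
        issues.append("DMARC: no rua= address, aggregate reports are not collected")
    return issues

def audit_domain(txt, domain):
    """Combine SPF and DMARC findings for one domain using a TXT lookup table."""
    return check_spf(txt.get(domain, [])) + check_dmarc(txt.get(f"_dmarc.{domain}", []))

if __name__ == "__main__":
    for issue in audit_domain(SAMPLE_TXT, "example.com"):
        print(issue)
```

Against live DNS, replace `SAMPLE_TXT` with the TXT answers for the domain and its `_dmarc` subdomain; DKIM selectors are not checked here because their names are not published in a fixed location.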