📘 Objective:

Ensure files and folders in Google Drive (Enterprise) are protected against unauthorized access or sharing, especially with non-employees or external users.

---

✅ PART 1: ADMIN CHECKLIST – CONFIGURATION IN GOOGLE WORKSPACE ADMIN CONSOLE

🔐 1. Restrict Sharing Outside the Organization

Path:
Admin Console → Apps → Google Workspace → Drive and Docs → Sharing settings

Steps:

• ⬜ Disallow sharing outside the organization:
  • Set: “Only users in your organization” can access files.
• ⬜ Disable sharing to personal Gmail accounts (optional).
• ⬜ Allow whitelisting specific trusted domains (e.g., partners).
• ⬜ Prevent external users from becoming editors or owners.
• ⬜ Disable “Anyone with the link” sharing.

---

🔍 2. Enable Data Loss Prevention (DLP)

Path:
Admin Console → Security → Data Protection → DLP Rules

Steps:

• ⬜ Create custom rules to detect:
  • Personal Identifiable Information (PII)
  • Credit Card Numbers
  • Financial or Health Data
  • Source Code / Confidential Project Keywords
• ⬜ Actions:
  • Block sharing
  • Warn users before sharing
  • Send alerts to admins

---

🔒 3. Enforce Context-Aware Access (Device/Location-Based Restrictions)

Path:
Admin Console → Security → Context-Aware Access

Steps:

• ⬜ Create Access Levels:
  • Only allow access from company-managed devices
  • Block access from unknown IPs or locations
• ⬜ Apply access levels to Google Drive service.

---

🏷️ 4. Use Drive Labels & Classification Policies

Path:
Admin Console → Apps → Google Workspace → Drive Labels

Steps:

• ⬜ Define labels such as:
  • Public, Internal, Confidential, Restricted
• ⬜ Create rules based on labels:
  • “Confidential” files cannot be shared externally.
  • “Internal” files require viewer access only.

---

👮 5. Enforce Access Expiration and Disable Download

Path:
Google Drive File Settings (Per File)

Steps:

• ⬜ Allow users to set expiration dates on shared files.
• ⬜ Disable download, copy, and print for viewers.

---

📊 6. Monitor with Security Investigation Tool

Path:
Admin Console → Security → Investigation Tool

Steps:

• ⬜ Investigate:
  • Who is sharing files externally
  • Files that are publicly accessible
• ⬜ Take action:
  • Revoke sharing
  • Send warnings
  • Notify managers

---

📝 7. Educate Users with a Data Sharing Policy

Steps:

• ⬜ Draft a clear policy on:
  • What is considered sensitive data
  • Who can share files externally (if at all)
  • How to label documents
• ⬜ Train employees quarterly.

---

✅ PART 2: USER-LEVEL BEST PRACTICES (TO BE COMMUNICATED TO STAFF)

Practice	Description
🔗 Avoid “Anyone with the link”	Always share only with specific users/emails
🏷️ Use Labels	Mark files as Confidential/Internal etc.
🔐 Verify Access	Regularly review “Shared with” on important docs
🕒 Set Expiration Dates	Use for temporary access or contracts
📩 Use Access Request	Allow “Request Access” rather than pre-share
💬 Report Suspicious Sharing	If unsure, notify IT or Admin
📢 Learn to use Google Drive audit panel	To track changes and access

---

✅ PART 3: QUICK REFERENCE VISUAL CHECKLIST

[✔] Disable external sharing
[✔] Set up DLP rules for sensitive data
[✔] Enable Context-Aware Access
[✔] Use document classification with Drive Labels
[✔] Monitor with Investigation Tool
[✔] Educate employees quarterly
[✔] Audit and revoke dangerous shares regularly

---

✅ BONUS: Security Automation Ideas

• 🛠️ Google Apps Script to scan shared files daily and notify Admin.
• 🔁 Scheduled audits of shared files using third-party tools like SpinOne, BetterCloud, or SysCloud.
• ⚙️ SIEM integration (e.g., Splunk, Chronicle) for real-time alerts on data exfiltration.

---