Accelerate Google Cloud vendor due diligence by leveraging third party risk management providers
Head of Enterprise Trust, Google Cloud
As organizations accelerate adoption of cloud services to deliver innovative solutions and experiences for their customers, risk and compliance teams are adjusting their due diligence programs to better understand and manage the risks associated with outsourcing of business critical workloads. At the core of these efforts is protecting sensitive data and applications in accordance with internal policies and best practices, while maintaining compliance with complex global regulatory requirements, frameworks, and guidelines. Cloud auditability, control monitoring, and continuous cloud risk assessment are prerequisites to building trust and regulator confidence in cloud services that underpin core business processes and apps. As a result, organizations are increasingly dedicating resources to perform comprehensive assessments of relevant cloud policies, processes, and technical implementations, and these resources are always looking for ways to increase breadth and depth of their provider risk assessments while optimizing the costs to the organization.
Here at Google Cloud we are committed to being the industry’s most trusted cloud and our Google Cybersecurity Action Team works closely with customers to help them meet their due diligence, risk management, and regulatory compliance needs. One way we help our customers scale and accelerate their cloud assessments is by collaborating with third party risk management (TPRM) providers. These organizations provide independent due diligence services and platforms to help automate vendor risk management based on the data they collect and provide. We enable the TPRM assessors to examine the controls present in our infrastructure and operations. Based on their observations and assessments, TPRM providers develop independent and unbiased audit reports that can be shared directly with customers.
Some of the benefits of TPRM solutions for Google Cloud customers include:
Comprehensive and regular assessments: TPRM providers perform periodic, multi-tier, multidimensional assessments of Google Cloud’s platform and services on a regular schedule. As part of these assessments, TPRM providers inspect hundreds of security, privacy, business continuity, and operational resiliency controls aligned with industry standards and regulations such as NIST SP 800-53, NIST CSF, ISO 27001, PCI-DSS, HIPAA, CMMC, SOC2, CSA STAR, etc. The information provided in these in-depth assessments help support Google Cloud customers’ own assessment processes that underpin their efforts to meet complex regulatory compliance requirements when managing data and applications in the cloud.
Efficient use of audit resources: TPRM providers facilitate an exchange of risk assessments between Google Cloud and our customers, customizing the reports to the customer's compliance landscape. This helps streamline the vendor risk assessment process and decrease the regular effort required by both the customer as well as Google. By leveraging the broad scope and extensive fieldwork of these TPRM assessments, Google Cloud customers can accelerate their vendor due diligence and overall risk management processes.
Access to independent cloud audit expertise: TPRM solutions provide customers with audit assessments and reports that are fully independent of Google Cloud. Additionally, customers have the opportunity to discuss their cloud controls, risk posture, and audit practice with a third party, experienced in auditing public cloud providers.
Many Google Cloud customers already leverage the TPRM relationships we’ve established. Today, we work with industry leading TPRM providers such as CyberGRX, TruSight, and KY3P to deliver high-quality risk assessments for our customers globally. We are committed to continue to find effective, efficient solutions that can help customers meet customer risk management and regulatory compliance requirements. To learn more about Google Cloud Trust & Compliance, visit our Compliance resource center.