The 78 Google Workspace security checks Black Cat runs
Black Cat SSPM evaluates 78 security policies against your Google Workspace configuration on every scan, classifies each finding by risk, and provides remediation steps. Below is the full list, grouped by category.
access control
Disable less secure app access for Google Workspace admins and migrate to OAuth authentication
Disable less secure app access organization-wide in Google Workspace
Revoke Google Workspace user-authorized OAuth apps with restricted or sensitive scopes
Suspend or delete dormant Google Workspace accounts after verifying with HR
Remove Google Workspace accounts that have never been used after confirming with the manager
Block or limit Google Workspace OAuth apps that have been granted critical scopes
Revoke admin-authorized Google Workspace OAuth apps with restricted scopes that are not business-critical
Block or limit Google Workspace AI apps that have been granted data access scopes
Reduce Google Workspace Super Admin count to 2-4 by demoting unnecessary admins to specific roles
Assign a second trusted user the Super Admin role in Google Workspace for redundancy
Configure SSO with a third-party IdP in Google Workspace for centralized authentication
Restrict user-managed account recovery options in Google Workspace
Revoke application-specific passwords that bypass 2-Step Verification
Remove mailbox delegation from privileged admin accounts
Remove mailbox delegates from suspended user accounts
Disable less secure app access to enforce modern authentication
Enable a Google Workspace Marketplace app allowlist
Reduce the Google Workspace web session duration to at most 12 hours
configuration
Add the required DNS TXT or CNAME record to verify the Google Workspace domain
Generate and publish a DKIM TXT record in DNS to authenticate outbound Gmail messages
Enable spam message moderation for Google Workspace groups
Purchase or assign Google Workspace Gemini licenses to eligible users
Disable automatic email forwarding in Google Workspace Gmail compliance settings
Disable IMAP access in Google Workspace Gmail end user access settings
Disable POP access in Google Workspace Gmail end user access settings
Restrict Google Drive shared drive creation to admins only
Enable admin restrictions on the flagged Google Workspace shared drive
Restrict folder sharing in the flagged Google Workspace shared drive to members only
Require admin approval for Google Chat webhooks
Enable Gmail confidential mode to protect sensitive email content
Review Gmail send-as aliases using external addresses
Remove or verify unverified Gmail send-as aliases
Restrict who can record Google Meet meetings
Increase the Google Workspace minimum password length to at least 12 characters
Enable Gmail spoofing and authentication protection
data sharing
Disable external sharing for Google Drive at the organization level
Disable anyone-with-the-link sharing for Google Drive organization-wide
Restrict Google Drive sharing to within the organization only
Disable the option for users to publish Google Drive files to the web
Prevent external users from accessing organization shared drives in Google Drive
Remove public sharing from the flagged Google Drive file and contact the file owner
Remove public indexing from the flagged Google Drive file so it is not discoverable by search engines
Restrict the flagged Google Drive file from anyone-with-the-link access
Remove personal email address access from the flagged Google Drive file
Remove external edit access from the flagged Google Drive file
Remove external members from the flagged Google Drive shared drive
Transfer ownership of the flagged Google Drive file back to an internal organization user
Remove sharing with unapproved external domains from the flagged Google Drive file
Remove stale external sharing permissions from the flagged Google Drive file
Reduce permissions on the flagged Google Drive file to the minimum required
Remove external commenter access from the flagged Google Drive file
Restrict the flagged Google Drive file from being accessible to the entire organization
Change the flagged Google Drive file from organization-wide link sharing to restricted access
Review and reduce excessive external sharing by the flagged Google Drive user
Remove external user access from the flagged Google Workspace shared drive
Restrict the flagged Google Workspace shared drive so only members can access it
Enable download restrictions on the flagged Google Workspace shared drive for viewers and commenters
Remove external members from the flagged Google Workspace shared drive
Limit Google Calendar external sharing to free/busy information only
Disable external chat in Google Chat to prevent outside users from messaging members
Configure data loss prevention (DLP) rules in Google Workspace
Remove Gmail filter rules that forward mail to external addresses
Reduce Gmail forwarding destinations to limit data exfiltration risk
Investigate and remove suspicious Gmail mail forwarding
encryption
Enable S/MIME in Google Workspace Gmail and upload organization certificates
mfa
Enforce 2-Step Verification enrollment for all Google Workspace admin accounts
Set Google Workspace 2-Step Verification to Enforced for admin organizational units
Require 2-Step Verification enrollment for all Google Workspace delegated admin accounts
Enforce 2-Step Verification enrollment for all Google Workspace users
Set Google Workspace 2-Step Verification to Enforced for the root organizational unit
sharing
Restrict Google Workspace group membership to organization members only
Restrict Google Workspace group posting to organization members only
Change Google Workspace group join policy to Invite Only or Approval Required
Set Google Workspace group conversation visibility to Members Only
Restrict Google Workspace group membership visibility to Members Only or Managers Only
Restrict Google Workspace group contact-owner to group members only
Restrict Google Workspace group discoverability to organization members only
Disable mail delegation in Google Workspace Gmail end user access settings