
Security Risk Assessment (SRA)

The Security Risk Assessment (SRA) module helps organizations assess their Google Workspace configuration against HIPAA best practices. It is designed to automate the detection of misconfigurations and identify compliance risks.


What Does SRA Do?

  • Uses the Google Admin SDK and Google Workspace Policy API.
  • Fetches configuration data (e.g., 2FA, user access, device policies).
  • Benchmarks settings against a compliance best practices baseline.
  • Calculates a compliance score with actionable remediation tips.

How It Works (Workflow)

  1. Authentication

    • The Org Admin connects their Google Workspace account.
    • OAuth consent is required to access the necessary APIs.
  2. Data Fetch

    • RiskFlow retrieves security configuration data using the Admin SDK and Policy API.
    • This happens automatically, with periodic re-runs if scheduled.
  3. Analysis & Scoring

    • The data is analyzed against RiskFlow’s HIPAA-compliance rule engine.
    • Each rule contributes positively or negatively to an overall score.
  4. Result Display

    • A detailed report is shown:
      • Overall compliance score
      • Rule breakdown (pass/fail)
      • Suggested actions for failed items
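The analysis-and-scoring step above, as an added illustration that is not RiskFlow's own code: a small rule engine evaluates a constructed configuration snapshot, where each rule either earns its weight (pass) or contributes nothing and surfaces a suggested action (fail). The user fields `isAdmin`, `suspended`, `isEnrolledIn2Sv` and `isEnforcedIn2Sv` are real Admin SDK Directory API User fields; the `devicePolicy` keys, rule IDs, weights and the category filter are assumptions for this example.

```python
from dataclasses import dataclass
from typing import Callable, Optional

@dataclass(frozen=True)
class Rule:
    rule_id: str
    category: str       # used for the "filter rules by category" view
    weight: int         # points earned when the rule passes, none when it fails
    check: Callable[[dict], bool]
    remediation: str    # suggested action shown for a failed rule

# Constructed snapshot, not real tenant data. User fields mirror the Admin SDK
# Directory API User resource; the devicePolicy keys are assumed for this example.
SNAPSHOT = {
    "users": [
        {"primaryEmail": "admin@example.com", "isAdmin": True, "suspended": False,
         "isEnrolledIn2Sv": True, "isEnforcedIn2Sv": True},
        {"primaryEmail": "alice@example.com", "isAdmin": False, "suspended": False,
         "isEnrolledIn2Sv": True, "isEnforcedIn2Sv": True},
        {"primaryEmail": "bob@example.com", "isAdmin": False, "suspended": False,
         "isEnrolledIn2Sv": False, "isEnforcedIn2Sv": False},
    ],
    "devicePolicy": {"requireScreenLock": True, "requireEncryption": False},
}

def active_users(s: dict) -> list:
    """Suspended accounts are excluded from account-security checks."""
    return [u for u in s["users"] if not u.get("suspended")]

RULES = [  # assumed rule set; a production engine would carry many more rules
    Rule("ACC-01", "account security", 30,
         lambda s: all(u["isEnrolledIn2Sv"] for u in active_users(s) if u.get("isAdmin")),
         "Enroll every active admin in 2-Step Verification."),
    Rule("ACC-02", "account security", 30,
         lambda s: all(u["isEnforcedIn2Sv"] for u in active_users(s)),
         "Enforce 2-Step Verification for all active users."),
    Rule("DEV-01", "device config", 20,
         lambda s: s["devicePolicy"].get("requireScreenLock", False),
         "Require a screen lock on managed devices."),
    Rule("DEV-02", "device config", 20,
         lambda s: s["devicePolicy"].get("requireEncryption", False),
         "Require device encryption on managed devices."),
]

def run_assessment(snapshot: dict, category: Optional[str] = None) -> dict:
    """Score = earned weight / total weight of the rules run, as a 0-100 percentage."""
    rules = [r for r in RULES if category is None or r.category == category]
    results = []
    for r in rules:
        ok = r.check(snapshot)
        results.append({"rule_id": r.rule_id, "category": r.category,
                        "passed": ok, "action": None if ok else r.remediation})
    earned = sum(r.weight for r, res in zip(rules, results) if res["passed"])
    total = sum(r.weight for r in rules)
    return {"score": round(100 * earned / total) if total else 0, "results": results}
```

Running `run_assessment(SNAPSHOT)` on the sample gives a score of 50 with ACC-02 and DEV-02 failed, each carrying its suggested action; passing a category limits both the breakdown and the score to that category's rules.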

Who Can Access SRA?

Role                 Access Level
Org Admin            Full access
Security Analyst     Full access
Compliance Analyst   No access (unless scoped)
Org Auditor          Read-only
Employee             No access

SRA Page Capabilities

  • View compliance score and trends over time.
  • Filter rules by category (e.g., account security, device config).
  • Download full SRA reports for audit purposes.
  • View suggestions and guidance for fixing failed rules.
  • Re-run the assessment manually if needed.

Troubleshooting & Edge Cases

  • OAuth Token Expired: The admin will need to reauthorize access.
  • API Access Denied: Ensure the right scopes are granted during Google Workspace authorization.
  • Score is Low: A low score doesn’t mean non-compliance, but indicates that best practices are not fully met.

Implementation Notes (for Operators)

  • You do not need to manage the scoring logic manually.
  • RiskFlow fetches and calculates the data automatically.
  • Ensure that Google Workspace tokens are valid and refreshed as needed.
  • If a team complains about inaccurate scores, check their OAuth connection and API scopes first.