1. Initially, the marketing team should be set with read-only or edit only access, with IT owning the rights to publish to dev/live access.

support.google.com/tagmanager/answer/2695756/?hl=en&topic=2574304&ctx=topic

  1. Two-stage authentication can be enabled on Google Account with access to GTM.
  2. Ensure the tickbox for 2-step login verification is checked for all accounts with write access to live:

image120

  1. The Google Accounts can be set to prompt to reset the password every 30days.
  2. Google Webmaster Tools has an email alert me if it detects malware on a website crawl.
  3. To disabled customHTML to enhance security (but restrict features) enable these setting using hardcoded in the page header (or via custom HTML with 2stage auth).

Note1: Blacklist trump Whitelists (e.g. whitelisting [cts] for Clicktale will be ignored if [nonGoogleScripts] which includes Clicktale, is in the blacklist).

Note2: Bizarrely, DoubleClick is not classed as [google] script by GTM, it has no class.

Note3: Blacklisting [customScripts] implicitly blacklists [customImages] and [nonGoogleIframes], as customScripts can be used create customImages and nonGoogleIframes such as Mediaplex iframe.

Note4: [html] class is the legacy name for [customScripts] class.

<script>

window.dataLayer = window.dataLayer || [];

dataLayer.push({

“gtm.whitelist”:[

“google”,//allow GA classic, universal, Adwords & dataLayer

“fls”, // allow DoubleClick Floodlight Sales

“flc”, // allow DoubleClick Floodlight Counter

“ms”, // allow Marin Software allowed

“cts”,// allow ClickTale Standard

“img” // allow Custom Image

],

“gtm.blacklist”:[

“customScripts”, // disallow customHTML, JSmacro and implicitly disallow nonGoogleIframes and nonGooglePixels

//”nonGoogleIframes”, // disallow Mediaplex iFrames

“k” // disallow 1st party cookie access

]

});

// Help page: developers.google.com/tag-manager/devguide#security

</script>

Note5: GTM does not (yet) support script dependencies for deploying gtm.blacklist/whitelist as a primary script, thus adding this inline in the page header is the only way to 100% safeguard.

  1. The GA community is very active with regards to reporting malware and GTM blocking issue, these normally get picked up very quickly.

 

image121See this post on more GTM security tips here or the gtmonopoly game see here
or an overview of why IT should embrace GTM is here.

0117 3361103