AC-4 / SC-8 / AU-2 NIST SP 800-53 Rev 5

Is sensitive data shared via secure tools (e.g. Drive/SharePoint with proper permissions) rather than emailed around?

Description

What this control does

This control ensures that sensitive data is stored and shared using secure collaboration platforms with access controls (such as Google Drive, SharePoint, or Box) rather than distributed via email attachments or unencrypted messaging. Secure platforms enable centralized access management, audit logging, version control, and the ability to revoke access to documents after sharing. Email attachments create uncontrolled copies that persist in multiple inboxes, forwarding chains, and backup systems beyond the organization's ability to audit or retract access.

Control objective

What auditing this proves

Demonstrate that the organization enforces and monitors the use of secure file-sharing platforms with permission controls for sensitive data instead of email transmission.

Associated risks

Risks this control addresses

  • Sensitive data persists indefinitely in email inboxes, sent folders, and backup archives without the ability to revoke access after initial transmission
  • Email recipients forward attachments to unauthorized parties outside organizational visibility or control
  • Unencrypted email traverses multiple mail servers and may be intercepted in transit or stored on compromised third-party systems
  • Organizations lose the audit trail of who accessed sensitive documents and when once email distribution occurs
  • Data classification and handling obligations become unenforceable once files are distributed as email attachments
  • Email systems lack granular permissions, allowing any recipient full access to download and redistribute content
  • Confidential information remains accessible to former employees or contractors who retain access to their email accounts post-termination

Testing procedure

How an auditor verifies this control

  1. Obtain and review the organization's data handling and acceptable use policies to identify requirements for secure sharing of sensitive data classifications
  2. Interview IT administrators to identify approved secure file-sharing platforms and confirm whether email data loss prevention (DLP) rules are configured to block or warn on sensitive data attachments
  3. Review DLP system configurations and rule sets to verify detection patterns for sensitive data types and enforcement actions for email transmission
  4. Select a sample of 25-50 emails from the past 90 days containing keywords associated with sensitive data classifications (confidential, internal, PII, financial) from mail server logs or DLP alerts
  5. Examine sampled emails to identify instances where sensitive attachments were sent via email instead of secure sharing links, and classify by data type and sender department
  6. Review access logs from approved secure sharing platforms (Drive, SharePoint) for the same time period to verify active usage and proper permission settings on shared folders containing sensitive data
  7. Interview a sample of employees from different departments to assess awareness of secure sharing requirements and verify they can demonstrate proper use of approved platforms
  8. Test technical controls by attempting to email a test file labeled as sensitive through the organization's email system and confirm whether DLP blocks, quarantines, or alerts on the transmission

Evidence required

The auditor collects data handling policy excerpts specifying secure sharing requirements, DLP configuration exports showing rules for sensitive data in email attachments, mail server or DLP logs with redacted samples demonstrating blocked or flagged transmissions, access logs from approved secure sharing platforms showing permission structures and usage patterns, and screenshots of permission settings on folders containing sensitive data. Interview notes documenting employee knowledge and DLP test results demonstrating technical enforcement provide supplementary validation.

Pass criteria

The organization demonstrates active DLP controls that detect and prevent sensitive data transmission via email, maintains documented policies requiring secure platform usage, shows evidence of regular secure platform usage with proper permissions for sensitive data, and fewer than 5% of sampled sensitive data exchanges in the review period occurred via email attachments.
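As an added example (not part of the original control page), the following Python script sketches how an auditor could carry out steps 4 and 5 and evaluate the pass criterion over a sample of mail-log records: it flags messages matching the sensitive classifications, separates email attachments from secure-sharing links, tallies attachment violations by data type and sender department, and checks the 5% threshold. The keyword patterns, the approved platform domains and the record layout are assumptions; the records are constructed.

```python
import re
from collections import Counter

# Keyword patterns for the sensitive classifications named in the testing procedure (assumed).
CLASSIFICATIONS = {
    "confidential": re.compile(r"\bconfidential\b", re.I),
    "internal": re.compile(r"\binternal(?:[ -]only)?\b", re.I),
    "pii": re.compile(r"\b(?:pii|ssn|date of birth)\b", re.I),
    "financial": re.compile(r"\b(?:financial|payroll|invoice)\b", re.I),
}
# Hypothetical approved platforms: a link to one of these counts as secure sharing.
SECURE_LINK = re.compile(r"https://(?:drive\.google\.com|[\w-]+\.sharepoint\.com)/\S+", re.I)

def classify_message(msg):
    """Return the set of sensitive classifications the subject/body match (may be empty)."""
    text = f"{msg['subject']} {msg['body']}"
    return {name for name, rx in CLASSIFICATIONS.items() if rx.search(text)}

def audit_sample(messages, threshold=0.05):
    """Count sensitive file exchanges, flag those sent as attachments rather than
    via a secure link, break violations down by data type and sender department,
    and apply the page's pass criterion (attachment share below `threshold`)."""
    exchanges = violations = 0
    by_type, by_dept = Counter(), Counter()
    for msg in messages:
        kinds = classify_message(msg)
        if not kinds:
            continue  # not sensitive: out of scope for this control
        by_link = bool(SECURE_LINK.search(msg["body"]))
        if not (msg["attachments"] or by_link):
            continue  # sensitive subject but no file exchanged
        exchanges += 1
        if msg["attachments"]:  # an attachment is a violation even if a link is also present
            violations += 1
            by_type.update(kinds)
            by_dept[msg["department"]] += 1
    rate = violations / exchanges if exchanges else 0.0
    return {"exchanges": exchanges, "attachment_violations": violations, "violation_rate": rate,
            "by_type": dict(by_type), "by_dept": dict(by_dept), "passes": rate < threshold}

# Constructed records standing in for redacted mail-server / DLP log exports.
SAMPLE = [
    {"department": "Finance", "subject": "Q3 payroll report", "body": "See attached.", "attachments": ["payroll_q3.xlsx"]},
    {"department": "HR", "subject": "CONFIDENTIAL: onboarding PII", "body": "Shared at https://example.sharepoint.com/sites/hr/new-hires.xlsx", "attachments": []},
    {"department": "Eng", "subject": "Lunch", "body": "Pizza on Friday?", "attachments": []},
    {"department": "Finance", "subject": "Internal-only forecast", "body": "Link: https://drive.google.com/file/d/EXAMPLE_ID/view", "attachments": []},
    {"department": "Legal", "subject": "Vendor invoice dispute", "body": "Confidential, do not forward.", "attachments": ["invoice_2291.pdf"]},
]

if __name__ == "__main__":
    print(audit_sample(SAMPLE))
```

With the constructed sample, two of four sensitive exchanges went out as attachments (50%), so the sample fails the 5% criterion; the per-type and per-department tallies are what step 5 asks the auditor to record.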