When you share files externally (e.g. with clients), are links restricted (expire, password, specific people)?
Demonstrate that external file-sharing links are systematically restricted through expiration settings, password protection, or explicit recipient targeting to prevent unauthorized persistent access.
Description
What this control does
This control ensures that when files are shared externally via cloud storage or collaboration platforms, access links are configured with time-based expiration dates, password protection, or recipient-specific permissions rather than open public links. Organizations implement technical restrictions (e.g., SharePoint link policies, Google Drive sharing settings, Dropbox Business controls) to prevent indefinite or anonymous access to sensitive documents. This mitigates unauthorized access resulting from link interception, forwarding, or discovery through search indexing or link-sharing services.
Control objective
What auditing this proves
Demonstrate that external file-sharing links are systematically restricted through expiration settings, password protection, or explicit recipient targeting to prevent unauthorized persistent access.
Associated risks
Risks this control addresses
- Shared links forwarded to unintended recipients who gain indefinite access to confidential client deliverables or proprietary documents
- Links discovered through browser history, email compromise, or social engineering attacks enabling unauthorized data exfiltration months after original sharing
- Publicly accessible links indexed by search engines exposing sensitive financial reports, legal documents, or personally identifiable information
- Former clients, contractors, or partners retaining access through saved links after engagement termination or contract expiry
- Unauthorized modification or deletion of shared documents by anonymous recipients when links grant edit permissions
- Compliance violations under data protection regulations (GDPR, HIPAA, CCPA) when sensitive data remains accessible beyond legitimate business need
- Man-in-the-middle attacks capturing unprotected links during transmission enabling persistent unauthorized surveillance of shared content
Testing procedure
How an auditor verifies this control
- Obtain the organization's documented external file-sharing policy identifying approved platforms and mandatory link restriction requirements
- Export platform administrative settings from file-sharing services (SharePoint Online, Google Workspace, Dropbox Business, Box) showing default and enforced link configuration policies
- Select a stratified sample of 25-30 external file shares created within the past 90 days across different business units and file sensitivity classifications
- Review link properties for each sampled share to identify expiration dates, password requirements, and recipient restrictions (anyone-with-link vs. specific-people)
- Attempt to access five randomly selected expired links using an external test account to verify automatic revocation functionality
- Interview 3-5 employees who regularly share files externally to assess awareness of link restriction requirements and platform capabilities
- Review access logs for sampled shares to identify any unauthorized access attempts or anomalous viewing patterns from unexpected geographic locations or IP addresses
- Test platform enforcement by attempting to create an unrestricted external link through end-user accounts to verify whether administrative policies prevent non-compliant configurations