External sharing scoped to known domains
Demonstrate that external sharing policies are configured to permit collaboration only with explicitly whitelisted domains, and that sharing attempts to non-whitelisted domains are blocked or logged for review.
Description
What this control does
This control restricts external file and folder sharing in collaboration platforms (e.g., Microsoft 365, Google Workspace, Box) to pre-approved domains only, preventing users from sharing sensitive data with arbitrary external email addresses. Organizations maintain an allowlist of trusted partner and vendor domains, enforced at the tenant or administrative policy level. This reduces the attack surface for accidental data exposure and limits adversary-controlled domains from receiving organizational assets.
Control objective
What auditing this proves
Demonstrate that external sharing policies are configured to permit collaboration only with explicitly whitelisted domains, and that sharing attempts to non-whitelisted domains are blocked or logged for review.
Associated risks
Risks this control addresses
- Employees inadvertently share sensitive files with personal email accounts or unvetted third parties, leading to data leakage
- Attackers use phishing or social engineering to trick users into sharing credentials, intellectual property, or financial data to attacker-controlled domains
- Compromised user accounts exfiltrate data by sharing documents with external addresses not subject to organizational monitoring
- Shadow IT collaboration leads to untracked data repositories outside approved business relationships
- Regulatory violations occur when protected data (PII, PHI, PCI) is shared with entities lacking appropriate data protection agreements
- Malicious insiders share proprietary information with competitors or unauthorized third parties without detection
Testing procedure
How an auditor verifies this control
- Obtain the current external sharing policy configuration from the collaboration platform (Microsoft 365 SharePoint Admin Center, Google Workspace Drive settings, or equivalent).
- Export the list of allowed external domains from the tenant-level sharing policy and verify it matches the organization's documented approved partner/vendor list.
- Review administrative audit logs for the past 90 days to identify any policy changes related to external sharing settings, noting who made changes and when.
- Select a sample of 15–20 external sharing events from platform audit logs and verify each recipient domain is on the approved allowlist.
- Perform a live test by attempting to share a non-sensitive test document with an email address from a domain not on the allowlist, confirming the action is blocked or triggers an alert.
- Interview IT administrators to confirm the process for adding or removing domains from the allowlist, including change approval and documentation requirements.
- Review incident or helpdesk tickets related to blocked external sharing attempts to assess whether legitimate business needs are being improperly denied and escalation procedures exist.
- Validate that the policy applies uniformly across all organizational units, sites, or workspaces, with no exceptions granted outside of documented risk acceptance processes.
Where this control is tested