Folder owner assigned + reviewed annually
Description
What this control does
This control mandates that every shared folder within the organization's file storage systems (network shares, cloud storage, document repositories) has a designated owner responsible for managing access permissions, content integrity, and lifecycle. Ownership assignments must be documented in an authoritative inventory or access control system, and the owner must be a named individual rather than a group, shared mailbox, or service account, so that accountability cannot be diffused. Annual reviews validate that owners remain appropriate (still employed, still in a role relevant to the folder's purpose), that folders are still necessary, and that access permissions remain aligned with business needs. The review itself must leave a record (date, reviewer, disposition) so that it can be evidenced later.
Control objective
What auditing this proves
Demonstrate that all shared folders have documented, current owners and that ownership assignments undergo formal annual review to ensure accountability for access governance and data stewardship.
Associated risks
Risks this control addresses
- Orphaned folders with no accountable party allow unauthorized access to persist undetected when employees change roles or leave the organization
- Stale or overly permissive access controls accumulate over time without a responsible party to prune unnecessary permissions
- Data breaches or compliance violations go unreported because no owner exists to monitor folder contents or respond to security incidents
- Sensitive information remains accessible in forgotten or abandoned folders that should have been archived or deleted
- Privilege creep occurs when access requests are approved without a knowledgeable owner to validate business justification
- Regulatory audits fail when auditors cannot identify the accountable party for specific datasets or access controls
Testing procedure
How an auditor verifies this control
- Obtain the complete inventory of shared folders across all in-scope file storage systems, including network shares, SharePoint sites, Google Shared Drives, and cloud storage repositories.
- Extract the documented owner assignment for each folder from the access control management system, directory metadata, or governance database.
- Select a representative sample of 25-40 folders stratified by business unit, sensitivity classification, and folder age for detailed testing.
- For each sampled folder, verify the assigned owner is a current employee with an enabled account by cross-referencing against the HR system or identity provider, and confirm the owner's current role is still relevant to the folder's purpose. Flag any owner recorded as a group, shared mailbox, or service account, since these provide no accountable individual.
- Review evidence of the most recent annual ownership review, including dates performed, reviewers involved, and disposition (owner confirmed, reassigned, or folder decommissioned).
- Interview three to five folder owners to confirm they understand their responsibilities and actively manage access permissions and content.
- Identify any folders, regardless of age, that lack documented ownership, and any folders created more than 12 months ago that have never been reviewed or whose most recent review is older than 12 months.
- Test the organization's process for triggering ownership reassignment when an owner leaves the organization or changes roles by reviewing termination and transfer workflows.
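The exception checks in the procedure above (missing owner, owner not a current employee, owner not a named person, review never performed or older than 12 months) and the stratified sample selection can be run mechanically over an inventory export. The following is an added example written for this page, not tooling from the control framework or any vendor: it operates on a constructed, hypothetical governance-database export and a constructed HR/IdP export; the hosts, paths, addresses, and the `NON_PERSON_ACCOUNTS` set are assumptions.

```python
"""Exception report for a shared-folder ownership inventory (added example)."""
import random
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Set

REVIEW_PERIOD = timedelta(days=365)   # "annual": anything older than this is overdue
AS_OF = date(2024, 6, 30)             # audit cut-off date (assumed)


@dataclass(frozen=True)
class Folder:
    path: str
    business_unit: str
    classification: str
    owner: Optional[str]          # owner UPN from the governance database; None = none recorded
    created: date
    last_review: Optional[date]   # date of the most recent ownership review, if any


# Constructed sample data (hypothetical hosts, paths and addresses).
INVENTORY: List[Folder] = [
    Folder("smb://fs01/finance/close", "finance", "confidential",
           "alice@example.com", date(2021, 3, 1), date(2024, 2, 15)),
    Folder("smb://fs01/finance/archive", "finance", "confidential",
           "bob@example.com", date(2019, 5, 10), date(2023, 1, 20)),
    Folder("sharepoint://sites/hr-onboarding", "hr", "restricted",
           None, date(2023, 11, 1), None),
    Folder("gdrive://shared/eng-design", "engineering", "internal",
           "svc-ci@example.com", date(2020, 1, 1), date(2024, 5, 1)),
    Folder("smb://fs01/legal/contracts", "legal", "confidential",
           "carol@example.com", date(2022, 1, 15), None),
    Folder("sharepoint://sites/marketing", "marketing", "public",
           "dave@example.com", date(2024, 3, 1), None),
]

# Constructed HR/IdP export: enabled accounts of current employees. Bob has left.
ACTIVE_USERS: Set[str] = {
    "alice@example.com", "carol@example.com", "dave@example.com", "svc-ci@example.com",
}
# Accounts that are enabled in the IdP but are not a named person (assumed list).
NON_PERSON_ACCOUNTS: Set[str] = {"svc-ci@example.com"}


def audit_inventory(folders: List[Folder], active_users: Set[str],
                    non_person: Set[str], as_of: date) -> Dict[str, List[str]]:
    """Return {folder path: [exception codes]} for every folder with at least one finding."""
    report: Dict[str, List[str]] = defaultdict(list)
    for f in folders:
        # Ownership checks apply to every folder, whatever its age.
        if not f.owner:
            report[f.path].append("NO_OWNER")
        elif f.owner in non_person:
            report[f.path].append("NON_PERSON_OWNER")
        elif f.owner not in active_users:
            report[f.path].append("OWNER_NOT_ACTIVE")
        # Review checks apply only once a folder is old enough to have needed one.
        if as_of - f.created > REVIEW_PERIOD:
            if f.last_review is None:
                report[f.path].append("NEVER_REVIEWED")
            elif as_of - f.last_review > REVIEW_PERIOD:
                report[f.path].append("REVIEW_OVERDUE")
    return dict(report)


def stratified_sample(folders: List[Folder], per_stratum: int = 1,
                      seed: int = 0) -> List[Folder]:
    """Pick up to per_stratum folders from each (business unit, classification) stratum.

    The seed makes the selection reproducible so it can be recorded in the workpapers.
    Folder age is left as a further stratification dimension for the auditor to add.
    """
    strata: Dict[tuple, List[Folder]] = defaultdict(list)
    for f in folders:
        strata[(f.business_unit, f.classification)].append(f)
    rng = random.Random(seed)
    sample: List[Folder] = []
    for key in sorted(strata):
        group = sorted(strata[key], key=lambda x: x.path)
        sample.extend(rng.sample(group, min(per_stratum, len(group))))
    return sample


if __name__ == "__main__":
    for path, codes in audit_inventory(INVENTORY, ACTIVE_USERS,
                                       NON_PERSON_ACCOUNTS, AS_OF).items():
        print(f"{path}: {', '.join(codes)}")
    print("sample:", [f.path for f in stratified_sample(INVENTORY, seed=7)])
```

Two design points matter when adapting this to a real export: ownership exceptions are raised regardless of folder age, because a new folder with no owner is already a finding, while review exceptions only start once the folder has existed for a full review period; and an owner that is enabled in the identity provider but is a service account or shared mailbox is reported separately, since the IdP lookup alone would pass it.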
Where this control is tested