Sensitive folders auditing on
Description
What this control does
This control requires that file system auditing is enabled on folders containing sensitive data such as customer records, financial documents, intellectual property, regulated data (PII, PHI, payment card data), or confidential business information. Auditing captures access events including read, write, modify, delete, and permission changes, generating logs that are collected centrally for analysis. The control ensures that unauthorized or suspicious access to sensitive data can be detected, investigated, and correlated with user activity for accountability and incident response.
Control objective
What auditing this control proves
Demonstrate that auditing is consistently enabled on all identified sensitive folders across the environment, capturing sufficient detail to detect unauthorized access or modifications and support forensic investigations.
Associated risks
Risks this control addresses
- Unauthorized access to sensitive data goes undetected, allowing data exfiltration without triggering alerts or generating evidence
- Insider threats can access, modify, or delete sensitive files without creating an audit trail for investigation
- Lateral movement by attackers who have compromised accounts remains invisible when they enumerate or access high-value data repositories
- Ransomware or destructive malware encrypts or deletes sensitive files without generating logs to trace the attack timeline or patient zero
- Compliance violations occur when access to regulated data (PII, PHI, PCI) cannot be demonstrated through audit logs during regulatory examinations
- Privilege abuse by administrators or privileged users who access sensitive folders outside their role cannot be detected or proven
- Incident response and forensic investigations are hindered by lack of actionable logs showing who accessed what data and when
Testing procedure
How an auditor verifies this control
- Obtain and review the organization's data classification policy and inventory of folders designated as containing sensitive or regulated data across file servers, network-attached storage, and cloud storage platforms
- Select a representative sample of at least 10-15 sensitive folders spanning different data types (PII, financial, IP, PHI), storage platforms (Windows file shares, Linux directories, cloud storage buckets), and business units
- For each sampled folder on Windows systems, navigate to folder Properties > Security > Advanced > Auditing tab and review the configured audit entries (the SACL), or retrieve them via PowerShell with Get-Acl -Audit (reading the SACL requires an elevated session)
- For each sampled folder on Linux/Unix systems, verify that auditd watch rules are configured for the directory paths, either by listing the loaded rules with auditctl -l or by reviewing the /etc/audit/rules.d/ configuration files for watch rules on the target paths
- Confirm that audit policies capture all critical events including successful and failed access attempts (read, write, modify, delete), permission changes, and ownership changes for both users and groups
- Review SIEM or centralized logging platform to verify that audit events from sampled folders are being collected, retained according to policy (typically 90-365 days for sensitive data), and are searchable with complete metadata including timestamp, username, action, and file path
- Perform a live test by accessing or modifying a file in at least two sampled sensitive folders using a test account, then verify that corresponding audit events appear in logs within the expected timeframe (typically under 15 minutes)
- Interview IT administrators to confirm processes exist for applying auditing configurations to newly created sensitive folders and for periodically reviewing audit settings to detect configuration drift or policy violations
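A scripted form of the Linux check in the fourth step, added here as an illustration and not part of the control text: it compares an inventory of sensitive directories against `auditctl -l` output and reports any directory that has no watch rule or whose `-p` flags do not cover read, write, execute and attribute changes. The directory paths, rule keys and rule lines are constructed sample data.

```shell
#!/bin/sh
# Added example: verify that every inventoried sensitive directory has an
# auditd watch rule with -p rwxa. Paths, keys and rule lines below are
# constructed sample data; on a real host feed it `auditctl -l` output.

# watch_perms RULES_FILE DIR  -> prints the -p flags of the -w rule for DIR
watch_perms() {
  awk -v dir="$2" '
    $1 == "-w" && $2 == dir {
      for (i = 3; i < NF; i++) if ($i == "-p") { print $(i + 1); exit }
    }' "$1"
}

# perms_complete FLAGS  -> success only if r, w, x and a are all present
perms_complete() {
  for p in r w x a; do
    case "$1" in *"$p"*) ;; *) return 1 ;; esac
  done
  return 0
}

# audit_gaps RULES_FILE INVENTORY_FILE  -> one line per gap, non-zero if any
audit_gaps() {
  gaps=0
  while IFS= read -r dir; do
    [ -n "$dir" ] || continue
    flags=$(watch_perms "$1" "$dir")
    if [ -z "$flags" ]; then
      echo "MISSING  $dir (no -w watch rule)"; gaps=$((gaps + 1))
    elif ! perms_complete "$flags"; then
      echo "PARTIAL  $dir (-p $flags, expected rwxa)"; gaps=$((gaps + 1))
    fi
  done < "$2"
  [ "$gaps" -eq 0 ]
}

# Constructed sample: what `auditctl -l` might print, plus the folder inventory.
RULES=$(mktemp); INV=$(mktemp)
cat > "$RULES" <<'EOF'
-w /srv/finance -p rwxa -k sensitive_finance
-w /srv/hr/pii -p wa -k sensitive_hr
-w /etc/passwd -p wa -k identity
EOF
printf '%s\n' /srv/finance /srv/hr/pii /srv/legal/ip > "$INV"

if audit_gaps "$RULES" "$INV"; then
  echo "OK: every inventoried folder has a full rwxa watch rule"
else
  echo "FAIL: close the gaps above before sign-off"
fi
```

With the sample data the run reports /srv/hr/pii as PARTIAL (reads and executes are not audited) and /srv/legal/ip as MISSING.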
Where this control is tested