Stale folders archived
Demonstrate that the organization systematically identifies, archives, or removes stale folders from active storage based on documented criteria and retention policies.
Description
What this control does
This control ensures that file system folders and directories containing inactive or unused data are identified based on defined retention criteria and systematically archived or removed from active storage. Organizations establish policies defining staleness thresholds (e.g., no file modifications in 180 days, no user access in 90 days) and implement automated or manual processes to relocate stale content to archival storage or delete it after appropriate approvals. This reduces the attack surface by limiting accessible data, improves system performance, and supports data minimization and retention compliance requirements.
Control objective
What auditing this proves
Demonstrate that the organization systematically identifies, archives, or removes stale folders from active storage based on documented criteria and retention policies.
Associated risks
Risks this control addresses
- Attackers exploit stale folders containing unpatched legacy applications or outdated libraries to establish persistence or gain initial access
- Excessive data retention increases exposure of sensitive information in the event of a breach, expanding breach notification obligations and regulatory penalties
- Stale folders containing forgotten credentials, API keys, or configuration files provide attackers with authentication material or system intelligence
- Unmanaged legacy data complicates e-discovery and legal hold processes, increasing litigation costs and regulatory risk
- Storage sprawl from inactive folders degrades backup performance, increases recovery time objectives, and inflates infrastructure costs
- Orphaned or unmaintained folders escape access control reviews, allowing unauthorized users to retain access to data they no longer need
- Accumulation of obsolete data prevents effective data classification and encryption, leaving sensitive information inadequately protected
Testing procedure
How an auditor verifies this control
- Obtain and review the organization's data retention policy, including definitions for 'stale' or 'inactive' folders (e.g., access thresholds, age criteria) and archival procedures
- Request configuration documentation for automated stale folder detection tools or scripts, including scanning frequency, scope, and staleness parameters
- Obtain a list of file shares, repositories, or storage systems in scope for stale folder management (e.g., network drives, SharePoint libraries, cloud storage buckets)
- Review audit logs or reports from the most recent stale folder scan, including identification date, folder paths, last access timestamps, and disposition decisions
- Select a judgmental sample of 15-20 folders from active storage and verify last access or modification dates against staleness thresholds to confirm detection accuracy
- Trace a sample of identified stale folders through the archival or deletion workflow, verifying approval records, archival timestamps, and removal from active storage
- Interview IT storage administrators to confirm the frequency of stale folder reviews, escalation procedures for business-owned data, and exception handling
- Verify that archived folders are stored in separate, access-controlled repositories with appropriate retention labels and are excluded from daily backup cycles
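As an added illustration of the detection step described under "What this control does" and re-checked by the auditor's sample test above (example code, not part of this control text), the following script applies the example thresholds of 180 days without modification and 90 days without access to each top-level folder of a share and produces the kind of per-folder record an auditor would expect in a scan report. The share layout, folder names and timestamps are constructed sample data; the conservative rule that a folder is stale only when both thresholds are exceeded is an assumption, chosen because access times are unreliable on noatime/relatime mounts.

```python
import os
import tempfile
import time
from dataclasses import dataclass

DAY = 86400
MODIFIED_DAYS = 180   # policy threshold: no file modifications in 180 days
ACCESSED_DAYS = 90    # policy threshold: no user access in 90 days

@dataclass
class FolderReport:
    path: str
    days_since_modified: float
    days_since_accessed: float
    stale: bool

def newest_timestamps(folder):
    """Newest (mtime, atime) over all files under folder; an empty folder falls back to its own times."""
    mtime = atime = None
    for root, _dirs, files in os.walk(folder):
        for name in files:
            try:
                st = os.stat(os.path.join(root, name))
            except OSError:
                continue  # file vanished or unreadable: skip it rather than abort the scan
            mtime = st.st_mtime if mtime is None else max(mtime, st.st_mtime)
            atime = st.st_atime if atime is None else max(atime, st.st_atime)
    if mtime is None:
        st = os.stat(folder)
        mtime, atime = st.st_mtime, st.st_atime
    return mtime, atime

def classify(folder, now, modified_days=MODIFIED_DAYS, accessed_days=ACCESSED_DAYS):
    """Assumed rule: stale only if BOTH thresholds are exceeded (atime alone is unreliable on noatime mounts)."""
    mtime, atime = newest_timestamps(folder)
    mod_age, acc_age = (now - mtime) / DAY, (now - atime) / DAY
    stale = mod_age > modified_days and acc_age > accessed_days
    return FolderReport(folder, round(mod_age, 1), round(acc_age, 1), stale)

def scan_share(root, now=None, **thresholds):
    """Classify every top-level folder of a share; sorted by path so the report is reproducible."""
    now = time.time() if now is None else now
    return [classify(os.path.join(root, d), now, **thresholds)
            for d in sorted(os.listdir(root)) if os.path.isdir(os.path.join(root, d))]

def build_sample_share(now):
    """Constructed sample share (not real data): one stale folder, one old but recently accessed folder."""
    base = tempfile.mkdtemp(prefix="share_")
    for name, mod_days, acc_days in [("legacy_app", 400, 400), ("finance_2023", 200, 10)]:
        os.makedirs(os.path.join(base, name))
        path = os.path.join(base, name, "data.txt")
        with open(path, "w") as fh:
            fh.write("sample\n")
        os.utime(path, (now - acc_days * DAY, now - mod_days * DAY))  # os.utime takes (atime, mtime)
    return base

if __name__ == "__main__":
    now = time.time()
    for r in scan_share(build_sample_share(now), now=now):
        print(f"{'STALE ' if r.stale else 'active'} {r.path}: modified {r.days_since_modified}d ago, "
              f"accessed {r.days_since_accessed}d ago")
```

Flagged folders would then enter the approval and archival workflow the testing procedure traces; the script only identifies them and never moves or deletes anything.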
Where this control is tested