How Do I Structure Files For An Audit?
I received a question from a very astute IT Director on how to structure folders to achieve the following goals:
- Make it easy to audit folder structure come an ISO or SOC2 Audit
- Provide a way for teams to share external data while not sharing internal data
Here are some tenets that will help guide structure:
- The more complex a system, the harder it is to manage security and the more likely users will try to subvert a system
- Structure folders based on data sensitivity. This will provide an easy way to place controls on sensitive folders and high value alerts on those folders
- Making sure the security controls on sensitive folders are immutable or do not inherit other permissions will make auditing easier
My recommendation would be to structure folders beginning with team structure, how teams work, then based on data sensitivity. So if the team is working on data that is more sensitive, then a separate folder in their team folder would house that sensitive data. Extra controls can be placed on those folders, and teams would logically understand where to put sensitive data.
This should also reflect data ownership. Where data owners, can determine who or what systems should have access.
If multiple teams need to access data, the data would live with the data owner.