How Do I Structure Files For An Audit?
I received a question from an astute IT Director on how to structure folders to achieve the following goals:
- Make it easy to audit folder structure for an ISO or SOC2 Audit
- Provide a way for teams to share external data while not sharing internal data
Here are some tenets that will help guide structure:
- The more complex a system, the harder it is to manage its security, and the more likely users are to work around it
- Structure folders based on data sensitivity. This will provide an easy way to place controls on sensitive folders and high-value alerts on those folders
- Make sure the security controls on sensitive folders are set explicitly and do not inherit permissions from parent folders; this makes auditing easier
My recommendation would be to structure folders beginning with the team structure, how teams work, then based on data sensitivity. So if the team is working on sensitive data, then a separate subfolder in their folder would house that data. Extra controls can be placed on those folders, and teams would logically understand where to put sensitive data.
This should also reflect data ownership, where data owners can determine who or what systems should have access.
If multiple teams need to access data, the data stays in the data owner's folder and the owner grants the other teams access there.
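As an added example (not part of the original post), the script below turns the tenets above into a checkable policy. It assumes a layout of `/Teams/<Team>/`, with optional `Sensitive/` and `External/` subfolders, and that each team's access group is named `<Team>-Team`; the ACL manifest it audits is a constructed stand-in for what you would export from `icacls` or `getfacl`. It flags Sensitive folders that inherit permissions or grant access outside the owning team, External folders that grant internal-only groups, and external groups that appear anywhere other than an External folder.

```python
"""Audit a team-first, sensitivity-second folder layout against a small policy.

Assumed layout (hypothetical, not from the original article):
  /Teams/<Team>/             team working folder, inherits share defaults
  /Teams/<Team>/Sensitive/   restricted data: must not inherit, team-only
  /Teams/<Team>/External/    shared with outside parties: no internal-only groups
Team access groups are assumed to be named "<Team>-Team".
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Set, Tuple


@dataclass(frozen=True)
class FolderAcl:
    path: str                    # folder path as exported from the share
    owner_group: str             # data owner who decides access (the team)
    inherits: bool               # True if permissions are inherited from the parent
    principals: FrozenSet[str]   # groups granted access on this folder


def classify(path: str) -> Optional[Tuple[str, str]]:
    """Return (team, zone) for a /Teams/<Team>/<Zone> path, or None if outside /Teams."""
    parts = path.strip("/").split("/")
    if len(parts) < 2 or parts[0] != "Teams":
        return None
    zone = parts[2] if len(parts) > 2 else "Root"
    return parts[1], zone


def audit(manifest: List[FolderAcl], external_groups: Set[str],
          admin_groups: Set[str]) -> List[str]:
    """Return a sorted list of policy findings; an empty list means the layout passes."""
    findings: List[str] = []
    for acl in manifest:
        classified = classify(acl.path)
        if classified is None:
            continue
        team, zone = classified
        team_group = f"{team}-Team"
        # Platform admins are allowed everywhere and are ignored by the checks.
        granted = acl.principals - admin_groups

        if zone == "Sensitive":
            if acl.inherits:
                findings.append(f"{acl.path}: Sensitive folder inherits permissions; break inheritance")
            if acl.owner_group != team_group:
                findings.append(f"{acl.path}: Sensitive folder owner is {acl.owner_group}, expected {team_group}")
            extra = granted - {team_group}
            if extra:
                findings.append(f"{acl.path}: Sensitive folder grants access outside {team_group}: {sorted(extra)}")
        elif zone == "External":
            internal = {p for p in granted if p not in external_groups and p != team_group}
            if internal:
                findings.append(f"{acl.path}: External folder grants internal-only groups: {sorted(internal)}")
        else:
            leak = granted & external_groups
            if leak:
                findings.append(f"{acl.path}: external group on a non-External folder: {sorted(leak)}")
    return sorted(findings)


# Constructed manifest: Finance follows the policy, Marketing violates it in four places.
MANIFEST = [
    FolderAcl("/Teams/Finance", "Finance-Team", True, frozenset({"Finance-Team", "Ops-Team", "IT-Admins"})),
    FolderAcl("/Teams/Finance/Sensitive", "Finance-Team", False, frozenset({"Finance-Team", "IT-Admins"})),
    FolderAcl("/Teams/Finance/External", "Finance-Team", False, frozenset({"Finance-Team", "Auditor-External"})),
    FolderAcl("/Teams/Marketing", "Marketing-Team", True, frozenset({"Marketing-Team", "Agency-External"})),
    FolderAcl("/Teams/Marketing/Sensitive", "Marketing-Team", True, frozenset({"Marketing-Team", "Agency-External"})),
    FolderAcl("/Teams/Marketing/External", "Marketing-Team", False,
              frozenset({"Marketing-Team", "Finance-Team", "Agency-External"})),
]
EXTERNAL_GROUPS = {"Auditor-External", "Agency-External"}
ADMIN_GROUPS = {"IT-Admins"}


def run_audit() -> List[str]:
    """Convenience entry point used by the usage call below."""
    return audit(MANIFEST, EXTERNAL_GROUPS, ADMIN_GROUPS)


if __name__ == "__main__":
    for finding in run_audit():
        print(finding)
```

Run it as-is to see the four Marketing findings; in practice you would replace `MANIFEST` with a parser for your share's ACL export and keep the policy functions unchanged, which gives the auditor a repeatable check rather than a screenshot of a permissions dialog.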