Skip to main content

Secure Document Sharing & Retention Framework

This framework provides actionable guidance for managing document sharing, permissions, offboarding, and retention in Google Workspace and Microsoft 365 environments.

Part 1: Core Principles

Least Privilege Access

Give users the minimum permissions needed to do their work. Default to restrictive permissions and grant additional access only when justified.

Regular Permission Audits

Access requirements change as projects evolve and staff transitions occur. Quarterly reviews prevent permission creep and orphaned access.

Clear Ownership

Every shared resource needs a designated owner responsible for managing access and ensuring appropriate use.

Data Classification

Not all information requires the same protection. Classify data by sensitivity (Low, Medium, High) to apply appropriate controls.

Retention by Purpose

Keep data only as long as it serves organizational needs or legal requirements. Unnecessary data creates liability.

Part 2: Data Classification Framework

Public Information

Definition: Already published or intended for public consumption
Examples: Press releases, published reports, public event information
Sharing: Can be shared widely with "anyone with the link"
Storage: Standard organizational drives
Retention: Permanent archive appropriate

Internal Information

Definition: Not sensitive but intended only for organizational use
Examples: General staff communications, non-confidential meeting notes, internal newsletters
Sharing: Organization-only; no external sharing
Storage: Organizational shared drives
Retention: 3-7 years typical

Confidential Information

Definition: Sensitive information requiring protection
Examples: Strategic plans, donor information, financial records, personnel files, legal documents
Sharing: Named individuals only; explicit approval for external sharing
Storage: Restricted folders with audit logging
Retention: Varies by type; often 7+ years

Highly Sensitive Information

Definition: Information that could cause significant harm if disclosed
Examples: Legal strategy, whistleblowersensitive external communications, information about vulnerable individuals
Sharing: Extremely limited; requires executive approval for any sharing
Storage: Encrypted cloud storage (Tresorit) or encrypted local storage
Retention: Minimum necessary; destroy when no longer required

Part 3: Permission Management

Google Workspace Permission Levels

Viewer

  • Can view and download files
  • Cannot edit or share
  • Use for: External partners needing read-only access, staff viewing reference materials

Commenter

  • Can view and add comments
  • Cannot edit content directly
  • Use for: Review processes, feedback collection without editing rights

Editor

  • Can edit content and share with others
  • Cannot change ownership
  • Use for: Active collaborators on shared documents

Owner (Google-specific)

  • Full control including deletion and ownership transfer
  • Only role that can permanently delete from shared drives
  • Use for: Primary document steward

Microsoft 365 Permission Levels

Read

  • Can view and download
  • Cannot edit or share
  • Use for: Reference materials, read-only external access

Edit

  • Can modify content
  • May or may not be able to share (configurable)
  • Use for: Active collaborators

Full Control (SharePoint)

  • Complete administrative control
  • Can change permissions and settings
  • Use for: Site administrators only

Permission Best Practices

Default to "Specific People" Never use "anyone with the link" for anything beyond public information. Even for internal documents, explicitly name users or groups.

UseConsider Using Groups, Not Individual Accounts Create groups for recurring access needs:

  • Communications Team
  • Finance Staff
  • Board Members
  • Program Directors

This simplifies management when people join or leave roles.

Time-Limited Access for External Collaborators When granting access to external partners:

  • Set expiration dates where possible
  • Use "commenter" or "viewer" rather than "editor" unless editing is essential
  • Document why access was granted
  • Review after 90 days

Avoid Editor Rights to External Parties External collaborators should rarely need editing rights. Use comment access and have internal staff make approved changes.

Regular Permission Audits Quarterly, review:

  • Who has access to confidential folders
  • External shares across the organization
  • Shared drives with "anyone with the link" settings
  • Users with ownership rights

Part 4: Sharing Workflows

Internal Sharing (Google Workspace)

For Individual Documents:

  1. Open sharing settings
  2. Select "Restricted" (not "Anyone with the link")
  3. Add specific people or groups
  4. Choose appropriate permission level
  5. Uncheck "Notify people" if you'll inform them separately
  6. Document the share in your records if sharing confidential information

For Shared Drives:

  1. Use Shared Drives (not "My Drive") for team collaboration
  2. Assign team members to the Shared Drive with appropriate roles
  3. Set default permissions at the drive level
  4. Individual files inherit drive permissions unless specifically overridden

For Folders:

  1. Share the folder, not individual files when possible
  2. Use consistent permission structure
  3. Name folders clearly to indicate sensitivity level
  4. Include a README file explaining the folder's purpose and access requirements

Internal Sharing (Microsoft 365)

For SharePoint Sites:

  1. Use SharePoint sites for department/project collaboration
  2. Assign users to appropriate SharePoint groups (Members, Visitors, Owners)
  3. Site-level permissions cascade to libraries and files
  4. Use sensitivity labels to enforce encryption on confidential content

For OneDrive:

  1. Use OneDrive for personal working files, not organizational documents
  2. Move files to SharePoint when they need team access
  3. Avoid long-term storage of organizational content in personal OneDrive

For Teams:

  1. Each Team has an underlying SharePoint site
  2. Files shared in Teams channels are stored in SharePoint
  3. Team owners manage member access
  4. External guest access requires explicit enablement

External Sharing

Risk Assessment First Before sharing anything externally:

  • What information does this contain?
  • What's the business justification?
  • What's the minimum access level needed?
  • How long should access last?
  • DoWho wewould havebenefit afrom non-disclosuregaining agreementaccess ifto appropriate?this information?

Google Workspace External Sharing:

  1. Prefer "Commenter" or "Viewer" access
  2. Require email verification (under Sharing settings)
  3. Set expiration dates where platform allows
  4. Use link passwords for sensitive materials
  5. Monitor access through activity logs
  6. Revoke access when collaboration ends

Microsoft 365 External Sharing:

  1. Use sensitivity labels to control what can be shared externally
  2. Require expiration for guest access
  3. Enable "reauthentication" requirements
  4. Use "Anyone" links only for truly public information
  5. Set organizational policies blocking external sharing of confidential content

Alternative: Secure Sharing Platforms For highly sensitive materials, consider:

  • Tresorit Send for encrypted file transfer
  • Tresorit to host and share documents
  • Password-protected, time-limited links
  • Watermarked documents for leak detection
  • Client portals with MFA requirements

Part 5: Offboarding Procedures

30 Days Before Departure (If Possible)

Document Ownership Transfer

  • Identify all documents owned by departing staff
  • Determine new owners for each document/folder
  • Transfer ownership to permanent employees, not other departing staff
  • DocumentCreate a spreadsheet to document the transfers

Knowledge Transfer

  • Create list of key files and their locations
  • Document any unique sharing arrangements
  • Identify external parties with whom staff member shared documents

Google Workspace Pre-Departure:

1. Run ownership audit: Use Admin Console → Reports → Drive → File ownership
2. Transfer ownership: Admin Console → Apps → Google Workspace → Drive → Transfer ownership
3. Document external shares: Check user's "Shared with me" and outgoing shares
4. Notify replacement of important shared resources

Microsoft 365 Pre-Departure:

1. List OneDrive files: PowerShell command or manual review
2. Identify SharePoint site ownerships
3. Document Teams where user is sole owner
4. Plan ownership transfers for critical content

Day of Departure

Immediate Actions:

Google Workspace:

  1. Transfer ownership of critical documents immediately
  2. Remove from all organizational groups
  3. Convert account to suspended (not deleted yet)
  4. Change account recovery options
  5. Review and revoke external shares made by user
  6. Set email forwarding to appropriate staff member (if approved)
  7. Document the account status

Microsoft 365:

  1. Transfer ownership of critical SharePoint content
  2. Remove from all Microsoft 365 groups and Teams
  3. Revoke active sessions
  4. Block user sign-in (don't delete yet)
  5. Set email forwarding (if approved)
  6. Convert mailbox to shared mailbox if retention needed
  7. Document account status

30 Days After Departure

Account Cleanup:

Google Workspace:

  1. Complete all ownership transfers
  2. Download archive of user's Drive content
  3. Delete account OR transfer to archived account
  4. Maintain access logs per retention policy
  5. Revoke any remaining external shares
  6. Remove from any vendor systems using Google SSO

Microsoft 365:

  1. Ensure all necessary content preserved
  2. Convert mailbox to shared mailbox or archive
  3. Remove licenses to save costs
  4. Delete account after 30-90 days depending on retention needs
  5. Maintain audit logs per retention policy

Special Cases

Executive Departures: Require extended review period. Often legal or board oversight of data transfers.

Sudden Departures: Follow immediate action procedures. Prioritize security over complete documentation.

Consultant/Contractor Departures: Should have limited access from start. Remove all access same day.

Part 6: Email Retention Policies

Why Email Retention Matters

Email creates significant organizational risk:

Retention Principles

Balance competing needs:

  • Legal/compliance requirements (retain)
  • Security and privacy (minimize)
  • Operational utility (retain what's useful)
  • Cost management (delete unnecessary data)

Policy should be:

  • Documented in writing
  • Applied consistently
  • Reviewed annually
  • Enforced through technical controls where possible

Sample Retention Schedules

Standard Business Email

  • Retention: 3-7 years
  • Rationale: Covers most legal requirements while limiting unnecessary accumulation
  • Examples: Project correspondence, vendor communications, routine internal messages

Executive/Legal Correspondence

  • Retention: 7+ years or permanent
  • Rationale: May be needed for legal defense or historical reference
  • Examples: Board communications, contracts, legal advice, major decisions

Transactional/Ephemeral Email

  • Retention: 30-90 days
  • Rationale: Short-term utility, no long-term value
  • Examples: Meeting confirmations, routine scheduling, FYI forwards, "thanks" emails

HR/Personnel Records

  • Retention: 7 years after separation (varies by jurisdiction)
  • Rationale: Legal requirements around employment records
  • Examples: Performance reviews, disciplinary actions, accommodation requests

Financial Records

  • Retention: 7 years minimum (often longer)
  • Rationale: Tax and audit requirements
  • Examples: Invoices, receipts, financial approvals, donor communications

When litigation is anticipated or ongoing, implement legal hold:

  • Suspend automatic deletion for affected accounts
  • Preserve all potentially relevant communications
  • Document the hold and affected users
  • Release hold only after legal authorization

Implementation:

  • Google Vault for Google Workspace
  • Microsoft Purview for Microsoft 365
  • Alternative: Export and preserve externally

Implementation Approach

Google Workspace:

1. Use Google Vault for retention policies
2. Create rules based on: organizational unit, time period, search terms
3. Set retention rules BEFORE implementing deletion
4. Test with small group before organization-wide
5. Communicate policy to staff
6. Document exceptions and legal holds

Microsoft 365:

1. Use Microsoft Purview (formerly Compliance Center)
2. Create retention policies for Exchange Online
3. Apply to: entire organization, specific users, or based on labels
4. Retention policies override user deletions
5. Set deletion policies separately from retention
6. Monitor policy effectiveness through reports

Staff Communication

Before Implementation:

  • Explain the "why" behind retention policies
  • Give advance warning before deletion policies take effect
  • Provide guidance on what to preserve outside email
  • Train on proper record-keeping practices

Ongoing:

  • Remind staff of retention policies annually
  • Update policies as regulations change
  • Address questions about specific situations

Part 7: Document Retention Policies

Categories and Retention Periods

Organizational Governance

  • Articles of Incorporation/Bylaws: Permanent
  • Board meeting minutes: Permanent
  • Board resolutions: Permanent
  • Annual reports: Permanent
  • IRS determination letter: Permanent

Financial Records

  • Audit reports: Permanent
  • Tax returns and supporting documentation: 7 years
  • General ledgers: 7 years
  • Bank statements: 7 years
  • Invoices/receipts: 7 years
  • Grant agreements and reports: 7 years after grant ends
  • Payroll records: 7 years after separation
  • Contracts: 7 years after expiration
  • Leases: 7 years after expiration
  • Legal correspondence: 7 years or permanent for major matters
  • Litigation files: Permanent
  • Insurance policies: Permanent

Human Resources

  • Personnel files: 7 years after separation
  • I-9 forms: 3 years after hire or 1 year after separation (whichever is later)
  • Benefits records: 7 years after separation
  • Payroll records: 7 years
  • Job applications (not hired): 1-2 years

Program/Operations

  • Program files: 7 years after program ends
  • Communications/correspondence: 3-7 years depending on content
  • Donor records: Permanent or 7 years after final gift
  • Vendor files: 7 years after relationship ends
  • Routine administrative: 2-3 years

Implementation Strategy

Phase 1: Inventory and Classification (Month 1-2)

  1. Survey existing document storage locations
  2. Identify major document categories
  3. Assign preliminary retention periods
  4. Consult legal counsel on jurisdiction-specific requirements

Phase 2: Policy Development (Month 2-3)

  1. Draft written retention policy
  2. Review with leadership and legal counsel
  3. Board approval of policy
  4. Create retention schedule matrix

Phase 3: Technical Implementation (Month 3-4)

  1. Organize existing files into retention categories
  2. Configure retention policies in Google Workspace/Microsoft 365
  3. Label documents with retention categories
  4. Set up automated deletion where appropriate

Phase 4: Training and Rollout (Month 4-5)

  1. Train staff on retention policy
  2. Provide job aids for common scenarios
  3. Begin enforcement
  4. Monitor compliance

Phase 5: Ongoing Management

  1. Quarterly spot checks
  2. Annual policy review
  3. Update as regulations change
  4. Archive or destroy per schedule

Part 8: Practical Tools and Processes

Permission Audit Checklist

Quarterly Review:

[ ] Export list of all external shares organization-wide
[ ] Review users with "Owner" role on Shared Drives/SharePoint sites
[ ] Check for "Anyone with the link" shares
[ ] Verify all external collaborators still require access
[ ] Remove access for departed staff (double-check)
[ ] Review access to confidential folders
[ ] Update group memberships
[ ] Document findings and actions taken

New Employee Onboarding

Access Provisioning:

[ ] Add to appropriate Google Groups/Microsoft 365 Groups
[ ] Grant access to relevant Shared Drives/SharePoint sites
[ ] Provide editor access to their project folders
[ ] Document access grants in HR system
[ ] Train on document classification
[ ] Review security policies including sharing rules

Project Collaboration Setup

Starting a New Project:

[ ] Create dedicated Shared Drive (Google) or SharePoint site (Microsoft)
[ ] Set up folder structure (Active, Archive, Reference)
[ ] Add team members with appropriate permissions
[ ] Configure default sharing settings (restrict external sharing)
[ ] Create README documenting folder purpose and policies
[ ] Set calendar reminder for quarterly permission review

Incident Response for Unauthorized Sharing

If You Discover Inappropriate Sharing:

1. Document what was shared, with whom, and when
2. Immediately revoke access if clearly unauthorized
3. Notify information security team or executive director
4. Determine if sensitive data was exposed
5. Check access logs to see if data was accessed
6. Consider legal notification requirements
7. Review how sharing occurred and prevent recurrence
8. Document incident and response

Part 9: Technical Implementation

Google Workspace Configuration

Admin Console Settings:

Sharing settings > Sharing options:
- [  ] Allow users in [org] to receive files from users outside of [org]
  (Enable selectively, not organization-wide)
  
- [  ] When sharing outside of [org] is allowed, users in [org] can make files 
  visible to anyone with the link
  (Disable for confidential organizational units)

- [✓] Recipients only (for external sharing)
  (Forces named recipients, prevents link sharing)

- [✓] Sharing outside of [org] requires access checker approval
  (Enables approval workflow for external shares)

Shared Drive Management:

1. Create organizational structure matching teams/departments
2. Set permissions at drive level, not individual files
3. Limit "Manager" role to 2-3 people per drive
4. Use "Content Manager" for most staff
5. Regularly audit drive membership

Google Vault Setup:

1. Enable Vault for your organization
2. Create retention rules by organizational unit
3. Set rules for: Email (3-7 years), Drive files (varies), Chat (1-3 years)
4. Create matter for legal holds when needed
5. Regularly export important archives

Microsoft 365 Configuration

SharePoint Admin Center Settings:

Policies > Sharing:
- [  ] Content can be shared with: Most permissive: Anyone
                                  Recommended: New and existing guests
                                  
- [✓] Guests must sign in using the same account to which sharing invitations are sent

- [✓] Guests must verify their identity through a verification code

- [✓] Allow only users in specific security groups to share externally
  (Set up approval group)

- Set expiration for "Anyone" links: 30 days
- Set expiration for guest access: 90 days

Sensitivity Labels (Microsoft Purview):

Create labels:
- Public
- Internal Only
- Confidential
- Highly Confidential

Configure actions:
- Encryption (for Confidential+)
- Content marking (headers/footers)
- External sharing restrictions
- Auto-labeling based on content

Retention Policies:

Microsoft Purview > Data lifecycle management:

1. Create retention policies for:
   - Exchange (email)
   - SharePoint sites
   - OneDrive accounts
   - Microsoft Teams

2. Set retention periods by:
   - Location (specific sites/users)
   - Content type
   - Sensitivity label

3. Configure deletion policies after retention periods expire

Part 10: Training and Culture

Building Security-Conscious Culture

Regular Training:

  • Annual comprehensive training for all staff
  • Onboarding training for new hires
  • Quarterly reminders via email/newsletter
  • Scenario-based learning (real examples)

Make It Easy:

  • Provide clear job aids and checklists
  • Create standard folder templates
  • Set secure defaults in platforms
  • Automate enforcement where possible

Leadership Modeling:

  • Executives follow same rules
  • Leadership discusses security in meetings
  • Celebrate good security practices
  • Address violations consistently

Common Scenarios Training

Scenario 1: Sharing with External Consultant

Wrong approach:
- Share entire folder with "Editor" rights
- Use "Anyone with the link"
- No expiration date

Right approach:
- Share specific files needed
- Use "Commenter" or "Viewer" access
- Set 90-day expiration
- Require email verification
- Document the share and business justification

Scenario 2: Board Meeting Materials

Wrong approach:
- Email attachments to board members
- Use personal email addresses
- No expiration on access

Right approach:
- Create dedicated Board folder in Shared Drive/SharePoint
- Add board members to secure folder
- Use organizational email addresses only
- Remove access when terms end
- Enable audit logging

Scenario 3: Collaborative Document with Partner Organization

Wrong approach:
- Give partner staff direct access to internal folders
- Share "My Drive" documents
- No documentation of what was shared

Right approach:
- Create project-specific Shared Drive/SharePoint site
- Add only necessary staff from partner
- Use "Editor" only if editing required, otherwise "Commenter"
- Set quarterly review reminder
- Document access grants

Part 11: Monitoring and Compliance

Audit Activities

Monthly:

  • Review new external shares across organization
  • Check for policy violations (e.g., "anyone with link" to confidential folders)
  • Monitor for unusual access patterns

Quarterly:

  • Comprehensive permission audit
  • Review and remove unnecessary access
  • Update groups as staff roles change
  • Test random samples for policy compliance

Annually:

  • Full retention policy review
  • Update retention schedules as regulations change
  • Comprehensive external sharing audit
  • Staff training refresh

Metrics to Track

Access Management:

  • Number of external shares
  • Average number of people with access to confidential folders
  • Time to revoke access after staff departure
  • Group membership accuracy

Compliance:

  • Percentage of documents properly classified
  • Time to implement legal holds
  • Retention policy exceptions granted
  • Policy violations identified and resolved

Efficiency:

  • Time to grant new access requests
  • User satisfaction with access procedures
  • Volume of access-related support tickets

Reporting Structure

To Leadership:

  • Quarterly summary of sharing metrics
  • Significant policy violations
  • External sharing trends
  • Offboarding compliance rates

To Staff:

  • Reminders of policies
  • Anonymized examples of violations
  • Updates to procedures
  • Recognition of good practices

Part 12: Special Considerations

Remote Work Challenges

Increased External Sharing: Remote staff may be more likely to share documents externally or use personal accounts. Provide clear guidance and easy-to-use secure alternatives.

Device Management: Ensure remote workers use organizational accounts on trusted devices. Consider:

  • Mobile device management (MDM)
  • Endpoint protection software
  • VPN requirements for sensitive access

Vendor Management

Third-Party Access: When vendors require access to documents:

  • Create vendor-specific folders/sites
  • Grant minimum necessary access
  • Set expiration dates
  • Require NDAs for confidential information
  • Audit vendor access regularly

SSO and Identity Management: Use Single Sign-On (SSO) where possible to:

  • Centralize access control
  • Enable quick revocation
  • Monitor vendor access
  • Simplify user experience

Bring Your Own Device (BYOD)

Risk Management: If allowing personal device access:

  • Require device encryption
  • Enforce app-based access (not web browsers for sensitive docs)
  • Enable remote wipe capability
  • Prohibit downloading confidential documents to personal devices
  • Regular security training

International Considerations

Data Sovereignty: Organizations with international operations must consider:

  • Where data is stored (geographic regions)
  • Compliance with GDPR, other data protection laws
  • Data transfer restrictions
  • Localization requirements

Google Workspace:

  • Choose data regions in Admin Console
  • Enable data region policies

Microsoft 365:

  • Configure Multi-Geo capabilities (requires licensing)
  • Set data residency preferences

Appendices

Appendix A: Sample Policies

Document Retention Policy Template

[ORGANIZATION NAME] Document Retention Policy

1. Purpose
This policy establishes standards for retaining organizational documents to meet legal
requirements while minimizing unnecessary data accumulation.

2. Scope
Applies to all employees, contractors, volunteers, and board members.

3. Responsibilities
- Staff: Follow retention schedules and classification guidance
- IT: Implement technical controls and manage archives
- Executive Director: Oversee policy compliance
- Board: Approve policy and major updates

4. Retention Schedule
[Insert your retention schedule matrix here]

5. Legal Holds
In the event of litigation or investigation, normal retention schedules are suspended for
affected materials. Legal holds override automatic deletion policies.

6. Secure Destruction
Documents exceeding retention periods shall be securely destroyed:
- Electronic: Permanent deletion with logging
- Paper: Shredding by certified vendor

7. Annual Review
This policy shall be reviewed annually and updated as needed.

Approved by Board of Directors: [DATE]
Next Review Date: [DATE]

External Sharing Policy Template

[ORGANIZATION NAME] External Document Sharing Policy

1. Purpose
Establish controls for sharing organizational documents with external parties.

2. Prohibited Actions
- Sharing confidential documents via "anyone with the link"
- Granting external parties "Owner" permissions
- Sharing to personal email accounts of external parties
- Sharing without business justification

3. Approval Requirements
- Internal/Public documents: Department head approval
- Confidential documents: Executive director approval
- Highly sensitive: Board/legal approval

4. Required Controls
- Use named recipient sharing only
- Set expiration dates (90 days maximum)
- Use minimum permission level needed
- Document sharing decision and duration
- Quarterly access review

5. External Party Requirements
- Organizational email address required (no personal emails)
- NDA for confidential information
- Security training for long-term collaborators
- Acceptance of organizational data handling policies

Appendix B: Common Questions

Q: Can I share my organization's documents through my personal Google/Microsoft account? A: No. Always use your organizational account. Personal accounts lack security controls and make offboarding difficult.

Q: What if external collaborators don't have organizational email addresses? A: For short-term access, their personal email may be acceptable with:

  • Viewer or Commenter access only
  • 30-day expiration
  • Manager approval
  • Alternative: Use secure sharing platform like Tresorit Send

Q: How do I handle confidential documents that multiple departments need? A: Create a cross-departmental Shared Drive/SharePoint site with carefully controlled access. Use groups to manage permissions, not individual accounts.

Q: Can board members access documents on personal devices? A: Yes, with restrictions:

  • Must use organizational app (Google Drive/OneDrive app)
  • Device must have passcode/biometric lock
  • No downloading confidential documents to device storage
  • Remote wipe capability enabled if possible

Q: What happens to documents when someone leaves? A: Ownership transfers to their replacement or department head. Access is revoked immediately upon departure. Account remains suspended for 30 days before deletion.

Q: How long should we keep emails? A: Depends on content. Business emails: 3-7 years. Legal/executive correspondence: 7+ years. Transactional emails: 30-90 days. See full retention schedule.

Q: What if someone accidentally shares something confidential externally? A: Immediately revoke access. Document the incident. Notify leadership. Assess if data was accessed. Implement controls to prevent recurrence.

Appendix C: Tool-Specific Guides

Google Workspace: Finding External Shares

Method 1: Admin Console (Admins only)

1. Admin Console → Reports → Audit → Drive
2. Filter: Event name = "Change document access scope" or "Share outside the domain"
3. Review results for policy violations
4. Export for documentation

Method 2: Google Drive UI (Individual users)

1. Drive → Shared with me
2. Look for external user icons
3. For your own shares: Drive → My Drive → Right-click → Share → See who has access

Method 3: Google Vault (Admins only)

1. Vault → Search
2. Create search: Shared with external users
3. Export results for review

Microsoft 365: Auditing External Access

Method 1: SharePoint Admin Center

1. SharePoint Admin Center → Reports → Sharing
2. View: External sharing by site
3. Export list of all external users
4. Review access dates and permissions

Method 2: Microsoft Purview

1. Microsoft Purview → Audit → Search
2. Activities: "Shared file, folder, or site"
3. Filter: External users
4. Export for review

Method 3: PowerShell (Advanced)

Connect to SharePoint Online and run:
Get-SPOExternalUser | Export-Csv external-users.csv

Appendix D: Incident Response Checklist

Unauthorized Document Access Discovered:

[ ] Immediately revoke access
[ ] Document: what was shared, with whom, when
[ ] Check access logs: was data actually accessed?
[ ] Notify: Information security team or executive director
[ ] Assess sensitivity: What information was exposed?
[ ] Legal review: Any notification obligations?
[ ] Determine cause: How did unauthorized sharing occur?
[ ] Implement controls: Prevent recurrence
[ ] Staff training: Address gaps if policy misunderstanding
[ ] Document: Full incident report for records
[ ] Follow-up: Verify controls effective after 30 days

Conclusion

Effective document sharing and retention requires balancing competing priorities: collaboration versus security, transparency versus confidentiality, convenience versus control.

Key Takeaways:

  • Default to restrictive sharing; expand only when justified
  • Use groups for permission management
  • Audit access quarterly
  • Implement clear retention policies
  • Make offboarding a checklist-driven process
  • Train staff regularly on secure practices
  • Monitor compliance and adjust policies as needed

Organizations that invest in thoughtful document governance protect their missions, their stakeholders, and their reputations while still enabling effective collaboration.

Resources:

  • K'lal Tech: https://klal.tech
  • Google Workspace Admin Help: https://support.google.com/a
  • Microsoft 365 Documentation: https://docs.microsoft.com/microsoft-365

Document Version: 1.0
Last Updated: December 2025
Next Review: June 2026

Back to top