Control 1.14: Item-Level Permission Scanning
Control ID: 1.14 Pillar: Readiness & Assessment Regulatory Reference: GLBA §314.4(c), SEC Rule 17a-4, FFIEC IT Handbook (Access Controls), NIST SP 800-53 (AC-3, AC-6, AU-2) Last Verified: 2026-03-17 Governance Levels: Baseline / Recommended / Regulated
Objective
Extend SharePoint oversharing detection beyond site-level analysis to item-level permission scanning for individual files and folders. Native Data Access Governance (DAG) in SharePoint Advanced Management operates at the site collection level, but Microsoft 365 Copilot surfaces individual files regardless of their folder depth or discoverability. This control addresses the gap between site-level permission assessment and item-level data exposure by implementing automated scanning that identifies uniquely permissioned items — files and folders with permissions that differ from their parent container — which represent the highest risk for unintended Copilot data surface.
Why This Matters for FSI
- GLBA §314.4(c): Requires financial institutions to detect, prevent, and respond to unauthorized access to customer information. Site-level permission audits may miss individual files shared broadly within otherwise restricted sites.
- SEC Rule 17a-4: Records preservation requirements extend to knowing exactly which users can access which records. Item-level permission scanning supports the access accountability needed for books-and-records compliance.
- FFIEC IT Handbook (Access Controls): Expects least privilege at the most granular level practicable. Item-level scanning enables institutions to identify and remediate permission anomalies that site-level tools miss.
- NIST SP 800-53 AC-3/AC-6: Logical access enforcement and least privilege controls require visibility into actual access at the object level, not just the container level.
- NIST SP 800-53 AU-2: Audit requirements support maintaining verifiable records of who had access to what content, which item-level scanning directly enables.
- SOX 302/404: Financial documents with unique permissions may be accessible to unauthorized users via Copilot, creating risk of material information leakage.
Control Description
Understanding the Site-Level Gap
Native Data Access Governance operates at the site collection level, providing valuable but incomplete visibility into oversharing. Item-level permission scanning fills the gap by detecting files and folders whose permissions have been explicitly modified from the inherited parent permissions:
| Assessment Level | What It Sees | What It Misses |
|---|---|---|
| Site-level (DAG) | Sites shared with Everyone/EEEU, large groups, external users | Files with broken inheritance, individually shared files, files shared via direct links |
| Item-level (This Control) | Individual files/folders with unique permissions differing from their parent | N/A — fills the gap left by site-level assessment |
Key concept: Uniquely permissioned items — files or folders where permissions have been explicitly modified from the inherited parent permissions. These represent high-risk items because:
- They were intentionally shared differently (possibly more broadly) than the containing site
- They often contain sensitive content that warranted explicit sharing
- Site-level remediation (removing broad groups) does not fix them
- Copilot surfaces them just as readily as any other file the user can access
Item-Level Scanning Approach
A systematic approach to item-level permission scanning should follow these phases:
- Prerequisite — Site-Level Baseline: Run the DSPM oversharing assessment (Control 1.2) and the SharePoint Advanced Management (SAM) Data Access Governance reports (Control 1.7) first. Item-level scanning is most effective after site-level oversharing has been remediated, because removing broad site-level groups shrinks the set of uniquely permissioned items that still need individual review.
- Scope Selection: Identify high-risk site collections for item-level scanning based on:
- DSPM risk scores (HIGH and CRITICAL sites first)
- Sites containing sensitive information types (NPI, PII, financial data)
- Sites in regulated business units (wealth management, trading, compliance)
- Scanning Execution: Deploy automated scanning (reference FSI-CopilotGov-Solutions Solution 16) to enumerate uniquely permissioned items within scoped sites, recording:
- Item path and type (file/folder)
- Current permissions vs. inherited permissions
- Users and groups with access
- Sensitivity labels applied (if any)
- Last modified date
- Risk Scoring: Score each uniquely permissioned item based on:
- Access breadth (how many users can access)
- Content sensitivity (based on sensitivity labels or sensitive information types detected)
- Permission delta (how much broader than parent)
- Staleness (items not modified in 12+ months with broad access)
- Remediation with Approval Gate: HIGH and CRITICAL items require remediation:
- Generate remediation recommendations (restore inheritance, restrict access, apply labels)
- Route through approval workflow (site owner + compliance review for CRITICAL)
- Execute remediation after approval
- Re-scan to verify
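The scanning-execution phase above, as an added example written for this page rather than the FSI-CopilotGov-Solutions Solution 16 script: a PnP.PowerShell script that walks every document library in one site collection, keeps only files and folders whose inheritance is broken (HasUniqueRoleAssignments), records each principal and its permission levels, flags the Everyone and Everyone-except-external-users (EEEU) claims, and marks principals that are not present on the containing library (the permission delta). Assumptions: PnP.PowerShell is installed, an Entra app registration ID is available in the PNP_CLIENT_ID environment variable (current PnP.PowerShell requires a client ID for interactive sign-in), the _IpLabelId column holds the sensitivity label GUID, and the signed-in account can read every library in the site.

```powershell
# Added example for this page; not the Solution 16 script from FSI-CopilotGov-Solutions.
# Assumptions: PnP.PowerShell installed, app registration ID in $env:PNP_CLIENT_ID,
# _IpLabelId is the sensitivity label column, account has read access to every library.
param(
    [Parameter(Mandatory)][string]$SiteUrl,
    [string]$OutCsv = ".\unique-items.csv"
)

Import-Module PnP.PowerShell -ErrorAction Stop
Connect-PnPOnline -Url $SiteUrl -Interactive -ClientId $env:PNP_CLIENT_ID

# Tenant-wide claims. The EEEU claim ends in the tenant GUID, so only its prefix is matched.
$EveryoneClaim = 'c:0(.s|true'
$EeeuPrefix    = 'c:0-.f|rolemanager|spo-grid-all-users/'

# One object per principal on a securable object (library, folder or file), skipping the
# "Limited Access" marker SharePoint adds automatically on parents of uniquely permissioned items.
function Get-Assignments {
    param($Securable)
    $ras = Get-PnPProperty -ClientObject $Securable -Property "RoleAssignments"
    foreach ($ra in $ras) {
        Get-PnPProperty -ClientObject $ra -Property "Member", "RoleDefinitionBindings" | Out-Null
        $levels = @($ra.RoleDefinitionBindings |
                    Where-Object { $_.Name -notlike '*Limited Access*' } |
                    ForEach-Object Name)
        if ($levels.Count -eq 0) { continue }
        [pscustomobject]@{
            LoginName     = $ra.Member.LoginName
            Title         = $ra.Member.Title
            PrincipalType = [string]$ra.Member.PrincipalType   # User, SecurityGroup, SharePointGroup, DistributionList
            Levels        = ($levels -join ';')
        }
    }
}

$rows      = New-Object System.Collections.Generic.List[object]
$libraries = Get-PnPList | Where-Object { $_.BaseTemplate -eq 101 -and -not $_.Hidden }  # 101 = document library

foreach ($lib in $libraries) {
    # The library's assignments are the "inherited" baseline each item is compared with.
    # If an intermediate folder also breaks inheritance, the true parent is that folder;
    # this example compares against the library for simplicity.
    $libLogins = @(Get-Assignments -Securable $lib | ForEach-Object LoginName)

    # HasUniqueRoleAssignments is not a list field, so it cannot be filtered server-side in CAML;
    # it has to be loaded per item, which is why the Step 2 scope selection matters for runtime.
    $items = Get-PnPListItem -List $lib -PageSize 2000 -Fields "FileRef", "FSObjType", "Modified", "_IpLabelId"
    foreach ($item in $items) {
        Get-PnPProperty -ClientObject $item -Property "HasUniqueRoleAssignments" | Out-Null
        if (-not $item.HasUniqueRoleAssignments) { continue }

        foreach ($a in Get-Assignments -Securable $item) {
            $rows.Add([pscustomobject]@{
                SiteUrl            = $SiteUrl
                Library            = $lib.Title
                ItemPath           = $item.FieldValues["FileRef"]
                ItemType           = if ($item.FieldValues["FSObjType"] -eq 1) { 'Folder' } else { 'File' }
                Principal          = $a.Title
                LoginName          = $a.LoginName
                PrincipalType      = $a.PrincipalType
                PermissionLevels   = $a.Levels
                NotOnLibrary       = ($libLogins -notcontains $a.LoginName)   # permission delta vs. the library
                TenantWideClaim    = ($a.LoginName -eq $EveryoneClaim -or $a.LoginName.StartsWith($EeeuPrefix))
                SensitivityLabelId = $item.FieldValues["_IpLabelId"]          # assumed label GUID column; blank if unlabeled
                LastModified       = $item.FieldValues["Modified"]
            })
        }
    }
}

$rows | Export-Csv -Path $OutCsv -NoTypeInformation -Encoding UTF8
Write-Host ("{0} unique-permission assignments written to {1}" -f $rows.Count, $OutCsv)
```

Run it once per site collection from the Step 2 scope list. Each row is one principal on one item, so a file shared with five principals produces five rows; the NotOnLibrary column is what separates "inheritance broken but no wider than the parent" from a genuine permission delta, and TenantWideClaim rows are the ones the HIGH threshold in Step 4 catches regardless of counted breadth. Security-group principals (PrincipalType = SecurityGroup) still need membership expansion before access breadth can be counted.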
Scanning Cadence
| Governance Level | Full Scan Cadence | HIGH-Risk Site Cadence |
|---|---|---|
| Baseline | Quarterly | Monthly |
| Recommended | Monthly | Bi-weekly |
| Regulated | Monthly | Weekly |
Remediation Playbook
| Element | Detail |
|---|---|
| Trigger | Item-level scan identifies uniquely permissioned items scoring above risk threshold |
| Owner | Site collection administrator (execution), Compliance team (oversight) |
| RACI | R: Site Admin, A: CISO/Compliance Lead, C: Business Unit Owner, I: Internal Audit |
| Approval Gate | CRITICAL items: CISO + Compliance Lead dual approval. HIGH items: Compliance Lead approval. MEDIUM: Site Admin can remediate with documentation. |
| Escalation | Unremediated CRITICAL items escalate to CISO after 48 hours; HIGH items after 5 business days |
Reference: FSI-CopilotGov-Solutions Solution 16 provides automated scanning scripts for item-level permission enumeration and risk scoring.
Copilot Surface Coverage
| Copilot Surface | Item-Level Risk | Notes |
|---|---|---|
| Microsoft 365 Copilot Chat | Critical | Cross-workload search surfaces all uniquely permissioned items the user can access |
| SharePoint Copilot | Critical | Directly queries SharePoint content at the item level |
| Teams Copilot | High | Files shared in channels may have unique permissions |
| Word / Excel / PowerPoint | High | "Draft from" and "Reference" features pull individual files |
| Copilot Pages | High | AI-generated pages may incorporate uniquely permissioned content |
| Outlook Copilot | Medium | May reference individually shared files linked in emails |
| OneDrive Copilot | Medium | Shared OneDrive files with unique permissions |
| Loop Copilot | Medium | Loop components can reference individual SharePoint files |
Governance Levels
| Level | Requirement | Rationale |
|---|---|---|
| Baseline | Run site-level DAG reports (Control 1.7). Identify top 10 sites by DSPM risk score for item-level scanning. Complete initial item-level scan on identified sites. Remediate CRITICAL uniquely permissioned items. Establish quarterly full-scan cadence. | Addresses the highest-risk item-level oversharing on the most exposed sites, filling the gap left by site-level-only assessment. |
| Recommended | All Baseline requirements plus: expand item-level scanning to all sites with DSPM risk scores above threshold. Implement monthly full-scan cadence with bi-weekly HIGH-risk site scans. Configure automated risk scoring for uniquely permissioned items. Implement approval workflow for remediation of HIGH and CRITICAL items. Document all remediation actions with audit trail. | Systematic item-level governance across all high-risk sites with approval workflows and audit documentation. |
| Regulated | All Recommended requirements plus: item-level scanning covers all SharePoint sites in Copilot scope. Weekly scanning of HIGH-risk sites. Dual approval gate for CRITICAL item remediation (CISO + Compliance Lead). Integration with compliance reporting. Quarterly independent review of item-level scan results. Maintain 7-year retention of scan results per SEC 17a-4. Include in regulatory examination evidence package. | Comprehensive item-level permission governance that supports compliance with GLBA, SEC, and FFIEC access control expectations at the most granular level. |
Setup & Configuration
Step 1: Establish Site-Level Baseline
Run DSPM oversharing assessment (Control 1.2) and SAM Data Access Governance reports (Control 1.7). Item-level scanning is most effective after site-level remediation has been completed, as resolving site-level oversharing reduces the volume of uniquely permissioned items that require individual attention.
Step 2: Identify Scope for Item-Level Scanning
Review DSPM risk scores and identify sites for item-level analysis:
- All sites with DSPM risk score HIGH or CRITICAL
- Sites containing sensitive information types (NPI, PII, MNPI)
- Sites in regulated business units (wealth management, trading, compliance)
Step 3: Deploy Item-Level Scanning (Solution 16)
Reference FSI-CopilotGov-Solutions Solution 16 for automated scanning deployment. Prerequisites:
- SharePoint Online Management Shell access
- Microsoft Graph API permissions: Sites.Read.All for scanning and Sites.ReadWrite.All for remediation. Both are tenant-wide; where the scanner runs as an app registration, Sites.Selected with explicit per-site grants is the least-privilege alternative, limiting the scanner to the in-scope site collections.
- Solution 02 (site inventory) must be deployed first as a prerequisite
Step 4: Configure Risk Thresholds
Define risk scoring thresholds for your organization:
| Threshold | Criteria |
|---|---|
| CRITICAL | Sensitivity = Highly Confidential AND access breadth > 100 users |
| HIGH | (Sensitivity = Confidential AND access breadth > 50 users) OR any item with a unique permission granted to Everyone or Everyone except external users (EEEU), whatever the counted breadth |
| MEDIUM | Any uniquely permissioned item with access breadth > 25 users |
| LOW | Uniquely permissioned items with access breadth ≤ 25 users |
Access breadth is the number of distinct users who can reach the item after expanding SharePoint groups and Entra security groups; counting principals instead understates breadth whenever a group is present. Organizations should verify these thresholds align with their internal risk appetite and adjust accordingly.
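The Step 4 thresholds applied in code, as an added example for this page (not the framework's Solution 16 scoring): a PowerShell function that classifies scan records into the four tiers, treats Everyone and EEEU claims as tenant-wide no matter what breadth was counted, and reports staleness (a scoring input from the approach section) as a separate flag for the approval workflow. The record fields (ItemPath, SensitivityLabel, Principals, AccessBreadth, LastModified) and the sample records, including the tenant GUID in the EEEU claim, are constructed for this example.

```powershell
# Added example for this page; not the Solution 16 scoring script.
# Record fields (ItemPath, SensitivityLabel, Principals, AccessBreadth, LastModified)
# are an assumed scan-output shape. Principals are SharePoint login names.

$EveryoneClaim = 'c:0(.s|true'                              # "Everyone"
$EeeuPrefix    = 'c:0-.f|rolemanager|spo-grid-all-users/'   # "Everyone except external users" + tenant GUID

function Test-TenantWideClaim {
    param([string[]]$Principals)
    foreach ($p in $Principals) {
        if ($p -eq $EveryoneClaim -or $p.StartsWith($EeeuPrefix)) { return $true }
    }
    return $false
}

function Get-ItemRiskTier {
    param(
        [Parameter(Mandatory)][pscustomobject]$Record,
        [datetime]$AsOf = (Get-Date)
    )
    $tenantWide = Test-TenantWideClaim -Principals $Record.Principals
    # A tenant-wide claim makes any counted breadth an undercount, so treat it as unbounded:
    # it then clears the numeric thresholds as well as the explicit Everyone rule.
    $breadth = if ($tenantWide) { [int]::MaxValue } else { [int]$Record.AccessBreadth }
    $label   = [string]$Record.SensitivityLabel

    if     ($label -eq 'Highly Confidential' -and $breadth -gt 100) { $tier = 'CRITICAL' }
    elseif ($tenantWide)                                            { $tier = 'HIGH' }
    elseif ($label -eq 'Confidential' -and $breadth -gt 50)         { $tier = 'HIGH' }
    elseif ($breadth -gt 25)                                        { $tier = 'MEDIUM' }
    else                                                            { $tier = 'LOW' }

    # Staleness (12+ months unmodified) is a scoring input in the approach but not a tier
    # in the threshold table, so it is surfaced as a flag rather than changing the tier.
    $stale = ($AsOf - [datetime]$Record.LastModified).TotalDays -ge 365

    [pscustomobject]@{
        ItemPath = $Record.ItemPath
        Tier     = $tier
        Breadth  = if ($tenantWide) { 'tenant-wide' } else { $breadth }
        Stale    = $stale
    }
}

# Constructed sample records, not real scan output; the EEEU tenant GUID is made up.
$asOf   = Get-Date '2026-03-17'
$sample = @(
    [pscustomobject]@{ ItemPath = '/sites/wealth/Shared Documents/client-positions.xlsx'
                       SensitivityLabel = 'Highly Confidential'
                       Principals = @('i:0#.f|membership|adele@contoso.com',
                                      'c:0-.f|rolemanager|spo-grid-all-users/11111111-2222-3333-4444-555555555555')
                       AccessBreadth = 2; LastModified = '2024-01-10' }
    [pscustomobject]@{ ItemPath = '/sites/trading/Shared Documents/desk-research-q1.docx'
                       SensitivityLabel = 'Confidential'
                       Principals = @('c:0t.c|tenant|22222222-3333-4444-5555-666666666666')   # Entra security group
                       AccessBreadth = 60; LastModified = '2026-02-01' }
    [pscustomobject]@{ ItemPath = '/sites/ops/Shared Documents/vendor-list.xlsx'
                       SensitivityLabel = ''
                       Principals = @('Ops Members')
                       AccessBreadth = 30; LastModified = '2023-06-15' }
    [pscustomobject]@{ ItemPath = '/sites/wealth/Shared Documents/kyc-file.pdf'
                       SensitivityLabel = 'Highly Confidential'
                       Principals = @('i:0#.f|membership|alex@contoso.com')
                       AccessBreadth = 12; LastModified = '2026-03-01' }
)

$rank = @{ CRITICAL = 0; HIGH = 1; MEDIUM = 2; LOW = 3 }
$sample |
    ForEach-Object { Get-ItemRiskTier -Record $_ -AsOf $asOf } |
    Sort-Object { $rank[$_.Tier] } |
    Format-Table -AutoSize
```

With the constructed records the output is CRITICAL (client-positions.xlsx, stale), HIGH (desk-research-q1.docx), MEDIUM (vendor-list.xlsx, stale) and LOW (kyc-file.pdf). The first record is the point of the claim handling: it has only two principals, so counting principals would have rated it LOW, yet the EEEU claim makes it readable by every internal user. The last record shows the other side of the table as written: a Highly Confidential file shared to 12 users lands in LOW, which is the kind of case the threshold-adjustment note above is for.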
Step 5: Implement Approval Workflow
Configure remediation approval gates:
| Risk Level | Approval Required |
|---|---|
| CRITICAL | Dual approval (CISO + Compliance Lead) |
| HIGH | Compliance Lead approval |
| MEDIUM | Site Admin remediation with documentation |
| LOW | Documented and tracked, remediated at discretion |
Step 6: Schedule Recurring Scans
Configure scan cadence per governance level:
- Baseline: Quarterly full scan, monthly HIGH-risk site scans
- Recommended: Monthly full scan, bi-weekly HIGH-risk site scans
- Regulated: Monthly full scan, weekly HIGH-risk site scans
Step 7: Configure Reporting and Evidence Retention
Set up reporting dashboards and configure evidence retention. For regulated institutions, retain scan results, remediation actions, and approval records for a minimum of 7 years per SEC 17a-4 requirements. Organizations should verify their specific retention obligations.
Financial Sector Considerations
- NPI at the File Level: Under GLBA, a single loan document or credit report shared with a broad audience at the item level creates immediate regulatory exposure. Item-level scanning identifies these precise exposure points that site-level tools miss.
- Trading Desk Documents: Investment banks should prioritize item-level scanning on sites used by trading desks. Individual trade confirmations, position reports, or research notes with unique permissions may bridge information barriers.
- M&A Data Room Leakage: Deal documents often have unique permissions granted during the deal process. Post-deal, these permissions may not be cleaned up, leaving sensitive MNPI accessible via Copilot.
- Audit Working Papers: Internal and external audit working papers may have unique sharing to audit committee members. Item-level scanning helps verify these remain properly restricted.
- Evidence Retention: SEC Rule 17a-4 sets retention periods by record type (three or six years, with the first two years readily accessible, and certain records for the life of the firm); this framework adopts 7 years as a conservative baseline. Item-level scan results, remediation actions, and approval records should be retained for at least that period for regulated entities, after confirming the period that applies to the records in question.
- Examination Readiness: Maintaining item-level scan reports in the regulatory examination file demonstrates granular access control governance that supports favorable examination outcomes.
Verification Criteria
- Site-level DAG baseline has been established (Control 1.7) before item-level scanning commences
- DSPM oversharing assessment has been run (Control 1.2) and remediated before item-level scoping
- Item-level scanning has been deployed and executed on all in-scope sites per governance level
- Risk scoring thresholds have been configured and documented
- All CRITICAL uniquely permissioned items have been remediated or have documented exception approvals
- All HIGH uniquely permissioned items have remediation plans with defined timelines
- Approval workflow is operational with documented approvals for CRITICAL and HIGH item remediations
- Recurring scan schedule is configured per governance level (quarterly / monthly / weekly)
- Scan results and remediation records are retained per organization retention policy (7 years for regulated entities per SEC 17a-4)
- Item-level scan reports are included in regulatory examination evidence package (Regulated level)
Additional Resources
- Microsoft Learn: DSPM for AI Overview
- Microsoft Learn: Data Access Governance reports
- Microsoft Learn: SharePoint permissions management
- GLBA Safeguards Rule §314.4(c)
- SEC Rule 17a-4: Records to be Preserved
- NIST SP 800-53: AC-3 Access Enforcement
- Related Controls: 1.2 SharePoint Oversharing Detection (DSPM for AI), 1.6 Permission Model Audit, 1.7 SharePoint Advanced Management, 1.15 SharePoint Permissions Drift Detection
- Playbooks: Portal Walkthrough, PowerShell Setup, Verification & Testing, Troubleshooting
FSI Copilot Governance Framework v1.2.1 - March 2026