1. Objective

This SOP governs how you manage your executive's cloud storage environment — the permissions, sharing settings, access controls, and structural integrity of the digital infrastructure that holds their business's files. Getting files organized is only half the job. Ensuring those files are accessible to the right people (and not accessible to the wrong ones) is the other half. Mismanaged cloud permissions are a common and underappreciated source of both security and operational risk.

Where this SOP starts: Week 1 setup and any time a new user, client, or vendor needs file access.
Where this SOP ends: When the access change is confirmed, documented, and the sharing audit is updated.

Success looks like: Your executive's files are accessible to exactly the people who need them — and not accessible to anyone who doesn't. No files are accidentally public. Permissions are reviewed regularly. Your executive doesn't have to remember who has access to what — because you track it.

2. Your Role & Boundaries

2a. What you handle independently

• Setting up the cloud storage structure and applying the naming convention
• Creating links for files your executive needs to share (with the correct permission level)
• Monitoring for accidental public or overly permissive sharing settings
• Maintaining the access log

2b. What requires executive approval before acting

• Granting access to any folder or file to a new person
• Changing access levels for an existing user
• Revoking access from a user (especially a client or vendor who had active access)
• Making any file or folder publicly accessible (accessible via link without login)

2c. What you never do

• You never grant access to a file or folder without your executive's authorization
• You never use "Anyone with the link" sharing for sensitive files — always use specific person access
• You never share an entire top-level folder when a specific subfolder or file would suffice
• You never leave sharing settings unreviewed for more than 90 days

3. Permission Level Standards

Use the minimum permission level needed. If someone only needs to view a document, give them view access — not edit.

Sharing links vs. specific person access:
- Specific person access: Use for any document with client information, financial data, or confidential content. Only the named person can access.
- Anyone with the link: Use only for non-sensitive, intentionally public materials (marketing content, public resources). Never for client or financial documents.

4. Access Log

Maintain a simple access log — a running record of who has access to what.

Format (spreadsheet or Notion table):

Review the access log quarterly. Remove access for anyone who no longer needs it (project complete, client offboarded, vendor relationship ended).

5. Sharing Protocol — Step by Step

When your executive needs to share a file or folder:

Step 1: Identify what specifically needs to be shared. Share the most narrowly scoped file or folder that meets the need. If they only need to see one document, share the document — not the folder.

Step 2: Confirm the appropriate permission level. View, comment, or edit? Ask if unclear.

Step 3: Create the share.
- Use specific person access (enter their email address) for sensitive documents
- Set an expiration date if the access is temporary (most platforms support this)
- Add a message in the sharing notification if context is helpful: "Here's the draft proposal for your review. Feel free to add comments."

Step 4: Log the access. Add to the access log immediately.

Step 5: Confirm the recipient received access. For important documents, follow up briefly: "I've shared the [document name] to [email]. Please let me know if you have any trouble accessing it."

6. Quarterly Permission Audit

Every 90 days, audit all file sharing in the cloud storage system.

What to check:
1. Review the access log — is every person listed still in an active role/relationship?
2. Check for any files or folders with "Anyone with the link" permissions — should any of these be restricted?
3. Check for overly broad folder sharing — was a top-level folder shared when only a specific file was needed?
4. Remove access from any person whose project or engagement has concluded

How to audit in Google Drive:
- Navigate to Drive → Right-click the top-level folder → Share → See who has access
- For a broader view: Drive settings → Manage shared items

Report to your executive: Brief note on any access that was removed or changed, and any concerns flagged.

7. Offboarding Access Removal

When a client, vendor, or team member's engagement concludes:
1. Remove their access from all shared files and folders within 48 hours of the engagement end
2. Update the access log to reflect the removal
3. Confirm with your executive that the access removal is appropriate before executing
4. Archive any files that were exclusively in a shared folder they had access to

8. Escalation Protocol

Escalate when:
- You discover a sensitive file has been shared publicly or with an unintended person
- A client or vendor requests access to a file or folder that contains information beyond what their engagement covers
- You're asked to share something that appears to contain another client's information

Escalation format:

Urgent — access concern:

[File/folder name] appears to have been [shared publicly / accessible to unintended party].

I've [paused sharing / not yet granted access]. Please confirm how you'd like me to proceed.

9. Tools & Access

10. Changelog