← All controls

46 Reading-room enclave (SCIF port, incl. data-copy minimization)

An enclave OU and shared drive in which approved readers can view crown-jewel documents and do nothing else with them: no external sharing, no non-member access, and no download, copy or print for viewers and commenters — the data-copy minimization half of the control. Enclave content carries a Restricted label so a DLP rule can block and alert on any attempt to share, download or attach it, and Drive access for the enclave OU is bound to a Context-Aware Access level requiring a managed device on the reading-room network.

Caveats

Setup steps

  1. open ↗ Apps › Google Workspace › Drive and Docs › Sharing settings
    Sharing outside the organisation
    OFF
    Allow users to receive files from outside
    OFF

    Manage external sharing for your organization ↗

  2. open ↗ Apps › Google Workspace › Drive and Docs › Manage shared drives

    Allow people who aren't shared drive members to be added to files = OFF; Allow viewers and commenters to download, print, and copy files = OFF; Allow users outside your organization to access files in shared drives = OFF

    Manage shared drives as an admin ↗

  3. open ↗ Security › Access and data control › Label manager

    Create a label (e.g. 'Sensitivity') with a 'Restricted (enclave)' option in Label manager and apply it

    Create classification labels for your organization ↗ Get started as a classification labels admin ↗

  4. open ↗
    Admin console screen — Security > Access and data control > Data protection (block egress from the enclave)

    https://admin.google.com/ac/dp · captured 2026-07-15

    Security › Access and data control › Data protection
    Condition
    Label = Restricted
    Action
    Block
    Alert
    High severity

    Create DLP for Drive rules and custom content detectors ↗ About DLP ↗

  5. open ↗ Security › Access and data control › Context-Aware Access
    App
    Drive
    Access level
    reading-room
    Mode
    Active (not Monitor)

    Assign Context-Aware Access levels to apps ↗ Protect your business with Context-Aware Access ↗

Ongoing maintenance

How to verify

  1. As an authorised test user inside the enclave, attempt to download, print, and copy from a protected document — every path must be refused; then attempt access from outside the enclave context — it must be denied entirely.

v0.0.3Preventedition Ent Std+ policy #28 · #15, #26 ↗