Storing and Sharing University-Owned Sensitive Information in Office 365

This document provides guidance to users who wish to store and/or share sensitive information in Office 365. Teams, Group OneDrive, and Individual OneDrive are all approved for storing University-owned sensitive information, except for PCI credit card data. The preferred option for storing and sharing data, both internally and externally, is Teams, followed by Group OneDrive. Individual OneDrive (registered to your Onyen account) may be used to store sensitive information and can be used to share sensitive information with other Onyen accounts, but not with accounts outside of the University. It is permissible to share non-sensitive information with outside accounts.

Individuals who download University-owned sensitive information to non-University owned computers must comply with state and federal privacy and security laws and regulations as well as all University policies. A violation of any one of those laws, regulations, or policies could lead to legal penalties.

The following general information applies to all Office 365 applications:
  • Sensitive information refers to Tier 2 and Tier 3 data as defined by the UNC-Chapel Hill Information Classification Standard.
  • Sensitive information should be de-identified whenever possible.
  • For long-term storage of sensitive information, files should be encrypted.
  • End-user devices, such as laptops, workstations, or tablets, that store sensitive information must comply with the UNC-Chapel Hill Information Security Controls Standard. Both university-owned and personally-owned devices are subject to this requirement.
  • Office 365 users should follow the UNC-Chapel Hill Affiliate Computing Best Practices.
  • Office 365 users agree to comply with any required institutional review board (IRB), data use agreements (DUAs), business associate agreements (BAAs), risk assessments, and terms and conditions specified in any contracts or regulations and other requirements.
  • Users who work with sensitive information should be early adopters of Microsoft 2-Step Verification (MFA). Consult with your technical support staff or contact help.unc.edu for assistance.
  • Teams, Group OneDrive, and SharePoint all require an owner to manage the users and permissions.
  • Group memberships or shares should remain active only as long as needed for business purposes and then should be removed.
  • For advanced security options, such as DLP and IRM, please contact the Information Security Office.
  • Synchronization: Group OneDrive and Teams are cloud-based, but they can be synchronized to your local machine for those times when you aren’t connected to the Internet. Please use extreme caution when using synchronization on non-University-owned computers. University-owned data should not be stored on computing devices that are not properly secured.

For a comprehensive list of storage options available at UNC-Chapel Hill, including Office 365, please see the Storage Offerings Grid.

Teams is approved for storing, discussing, and both internal and external sharing* of all classifications of University-owned data except Tier 3: Payment Card Industry (PCI) information related to merchant activity.

Teams is the preferred option for business uses that store, share, and discuss sensitive information. However, if you only want to store or share sensitive information, Group OneDrive may be a better option, since its permissions can be applied at the file and folder level. Permission levels in Teams are owner, member, or guest. This means that all members and guests can both see and share all documents.

*External sharing refers to users who do not have Onyens.

(last update 6/20/2018)

Group OneDrive is approved for storing and both internal and external sharing of all classifications of University-owned data except Tier 3: Payment Card Industry (PCI) information related to merchant activity. Group OneDrive is approved for external sharing.*

Group OneDrive is the recommended method for storing and sharing sensitive data (except for PCI/Payment Card Information related to merchant activity). Permission levels in Group OneDrive are owner, member, and guest. Members and guests can be given access to individual documents and/or folders.

*External sharing refers to users who do not have Onyens.

(last update 6/20/2018)

The University Individual OneDrive is approved for storing and internal sharing of sensitive information except Tier 3: Payment Card Industry (PCI) information related to merchant activity. Individual OneDrive is not approved for external* sharing of sensitive information. External sharing of non-sensitive information is approved.

Every University student and employee who is eligible for an Onyen is automatically assigned an Individual OneDrive space through the university. The University Individual OneDrive is not the same as your personal OneDrive, if you have one. Storage in OneDrive is typically used when file-sharing or collaboration with groups is not needed. File sharing among UNC units and external sharing with non-UNC affiliated individuals or groups should be handled through Group OneDrive.

*External sharing refers to users who do not have Onyens.

(last update 6/20/2018)

SharePoint is approved for storing and internal and external sharing of sensitive information except Tier 3: Payment Card Industry (PCI) information related to merchant activity.

Permission levels in SharePoint are owner, member, and guest. As with Group OneDrive, non-group members can be given access to documents and/or folders.

(last update 6/20/2018)

The web browser version of Skype for Business (chat) has been approved for use with PHI. The Skype for Business client is not approved for use with any sensitive information.

(last update 6/11/2018)

Prior to storing or sharing Tier 2 and/or Tier 3 data in Office 365, IT support staff should confirm that users have read and understand the published guidelines for the Office 365 application(s) they are using.

Additional security tools are available to IT support staff. These may supplement the basic security practices that each user should be aware of and follow.

Library: A location where one may create, store, update, and collaborate on files. Each type of library — document, picture, form, and wiki page — displays a list of files and key information about the files, such as who was the last person to modify the file. Document libraries are recommended for the establishment of unique permissions/settings, including the application of Information Rights Management (see below).

Information Rights Management (IRM): IRM uses encryption, identity, and authorization policies to help secure files. There are several configuration settings that control offline access to the file. Currently, mature IRM functionality is limited to Office documents (Word, Excel, and PowerPoint), but other file types will be supported in the future.

Data Loss Prevention (DLP): DLP is a method to discover (find) and restrict sensitive information being written to SharePoint/OneDrive (SP/OD) when that information matches specific criteria. DLP can help to avoid security breaches. DLP is complex and will require customer research and testing for specific uses. While DLP is intended to assist in keeping sensitive information out of an SP/OD instance, it may serve some uses in keeping certain unwanted data types from being written with others. Consider an example in which one might have an SP/OD instance intended for FERPA data, but the user wants to block SSNs from being written to that site. In that example, DLP may be useful for blocking the SSNs. DLP may only be set up by the Information Security Office. If you determine that a site you assist with or manage would benefit from DLP, please submit a Remedy ticket to the ISO. Make sure you identify the name of the group or site you want assistance with.

See the following links for additional guidance:

  • SharePoint Online administration
  • Permission levels in SharePoint
  • DLP
  • IRM

Miscellaneous:

Create document libraries or subsites as needed to establish unique permissions for different sets of documents.

Utilize any auditing/reporting features available to you within SP/OD to assist in monitoring site activity. Set the audit log retention to at least 90 days. Retention for some types of information (e.g., certain types of ePHI) is much longer and needs to be assessed before information is stored.

Understand that any security controls will complement the overall strategy supporting the handling of institutional information within the Office 365 environment, but the general practice of “Only store as long as needed and only share as needed…” is recommended.

Document your planned decommissioning strategy for the information and/or site, or a turnover plan if information is stored in an Individual OneDrive account and the person leaves employment. The plan should include a reminder to check in on the planned removal date.

(last update 6/11/2018)