Service agreement for Microsoft and Google storage owners

Overview

Important:

Microsoft Teams at IU and Google at IU Shared Drives are designed to provide you with better and more secure methods of fostering collaboration. As a Microsoft or Google storage owner (Microsoft Teams owner and/or Google Shared Drives manager), you must agree to follow these standards and accept responsibility to preserve the security and confidentiality of information that you store, post, access, or share before you are provided access to the environments.

UITS reserves the right to audit the Microsoft Teams or Google Shared Drives storage location for compliance and share the information with the team owners and shared drive managers for maintenance. Audits and log files may also be shared with service administrators and local UITS support people for service management, incident response, and site/drive compliance.

Usage responsibilities

Important:
Microsoft Teams and Google Shared Drives are approved for all Classification levels of institutional data as well as non-institutional data. Critical data that is not approved for these environments includes: Credit card and Payment Card Industry (PCI) data, export-controlled research, controlled unclassified information (CUI), and advancement donor gift agreements and wealth information.

If your storage location will be managing Critical or Restricted data, additional controls are applied to aid you in fulfilling your responsibilities as a Microsoft or Google storage owner. Microsoft at IU Secure Storage and Google at IU Secure Storage, or [Sec] and [Sec-E] locations, are approved for storing and sharing most types of data, including critical data and restricted data. Protected Health Information (PHI) is included in the approved data for these services.

For more, see Types of institutional data appropriate for Microsoft 365 at IU and Google at IU.

You agree to:

  • Abide by the responsibilities outlined in the Acceptable Use Agreement for access to technology and information resources at IU.
  • Understand the Classification levels of institutional data and maintain the appropriate safeguards to protect the information. See Rules and Policies of Data Management.
  • Understand that if new Microsoft Teams or Google Shared Drives are needed, they must be created via the Institutional storage request form.
  • Understand your responsibilities in assigning roles and permissions in Microsoft Teams (co-owner, member, guest) or Google Shared Drives (co-manager, content collaborator, contributor, commenter, viewer) to grant permissions appropriately.
  • Apply the principle of least privilege, ensuring the confidentiality of personally identifiable information (PII) and sensitive data stored.
  • Periodically review your security and sharing settings, ensuring that university information is shared only with intended audiences. This includes review of any audit reports provided to you to aid in your compliance responsibilities.
  • Ensure external (non-IU) collaborators are not provided access to a Microsoft Teams or a Google Shared Drives site that has not been requested and designated for external sharing.

    If your team in Microsoft Teams was initially requested without external sharing enabled, and you later need to enable it, see Enable external sharing in Microsoft Teams at IU.

  • If you choose to assign a co-owner, it is your responsibility to ensure they are informed of their usage responsibilities outlined here.
  • Report any breach or data exposure as soon as you are made aware to it-incident@iu.edu.
  • No Microsoft at IU or Google at IU storage location (for example, Microsoft Teams) that includes personal health information (PHI), student information (FERPA), or any other personally identifiable information (PII) should add a marketplace app (add-on or add-in) without first ensuring the product has been vetted through the Software and Services Selection Process (SSSP) to ensure the appropriate safeguards and contract language are in place. As the owner, it is your responsibility to comply with all applicable Information and IT policies and departmental policies and guidelines, including Disclosing Institutional Information to Third Parties (DM-02), which states that you must consult with a Data Steward before sharing institutional data with a third-party product or service.
  • Enforce naming conventions for Microsoft Teams and Google Shared Drives:
    • For Microsoft Secure Storage and Google Secure Storage, names must start with the prefix [Sec]. If collaborators external to IU are permitted, then the prefix must instead be [Sec-E]. Microsoft Teams and Google Shared Drives sites not meant for sensitive data must not use either of these prefixes.
    • The rest of the name should use the format Campus-Department-Name:

      • Campus: Can either be an individual campus, or IU for cross-campus activities.
      • Department: Four or fewer letters; normally should be set to a departmental code. Student organizations, multi-departmental committees, ad hoc groups, and others that aren't affiliated with a specific department may set this as they prefer.
      • Name: A brief description of the site itself (entered as the "Short Name" in the institutional storage request form). It may be up to 24 characters long. Spaces and hyphens are permitted.
    • The name must be unique. These characters are not permitted:
      ~ " # % & * : < > ? / \ { | } .
    • Example names:
      • Secure storage sites for internal collaborators: [Sec] IU-UIPO-UDMC
      • Secure storage sites that allow external collaborators: [Sec-E] IU-ORA-Research Standards
      • Microsoft Teams or Google Shared Drives: BL-SPEA-projectZ

Sanctions

Failure to comply with Indiana University information technology policies may result in sanctions relating to the individual's use of information technology resources (such as suspension or termination of access, or removal of online material); the individual's employment (up to and including immediate termination of employment in accordance with applicable university policy); the individual's studies within the university (such as student discipline in accordance with applicable university policy); civil or criminal liability; or any combination of these.

Assent

Although UITS applies technical controls to the Microsoft Storage and Google Storage environments, you are responsible for the data you access and share in this environment. As a Microsoft or Google storage owner, you have additional responsibilities to maintain access and permissions in accordance with the policies and regulations described above. By accepting these terms, you agree to follow these rules in your interactions with the service and accept the additional responsibilities as the storage owner. If you choose not to accept these standards of behavior, you could be denied access to the service.

On the service request form, you'll be asked to agree to the following statement by checking the box and typing your initials:

I understand as storage owner (Microsoft Teams owner and/or Google Shared Drives manager) of these services, I must agree to follow these usage standards as highlighted in Service agreement for Microsoft and Google storage owners.

Log requests

To request logs or activity reports from this system, contact the Support Center.

If the request for information involves someone other than the requester, or if the log information will be used in support or defense of an investigation, the request must be sent to the University Information Security Office (UISO) via it-incident@iu.edu. UISO staff will then determine the context of the request, as well as the authorization required; for more, see Privacy of Electronic Information and Information Technology Resources (IT-07).

This is document bgej in the Knowledge Base.
Last modified on 2024-04-15 15:25:29.