Protect sensitive data in Google at IU Secure Storage
- Shared storage in Google is available only as an option for departments that wish to pay for continued storage in Google.
- Due to limits to IU's storage footprint in the Google platform, all individual Google My Drives now have a 5 GB quota.
On this page:
- Before you begin
- Understand folder ownership
- Configure folders to protect data (co-owners)
- Use Google at IU Secure Storage with sensitive data
Before you begin
At Indiana University, to store Restricted data and some Critical data, such as approved protected health information (PHI), in Google at IU Secure Storage ( Google Shared Drives approved for this use):
- Verify that your data are allowed in Google at IU Secure Storage; see Types of institutional data appropriate for Microsoft 365 at IU and Google at IU.
- Understand and implement the security measures listed below.
This UITS system or service meets certain requirements established in the HIPAA Security Rule thereby enabling its use for work involving data that contain protected health information (PHI). However, using this system or service does not fulfill your legal responsibilities for protecting the privacy and security of data that contain PHI. You may use this system or service for work involving data that contain PHI only if you institute additional administrative, physical, and technical safeguards that complement those UITS already has in place.
Understand folder ownership
Although Indiana University has secure platforms to store data, individual choices determine how secure a given piece of data is. Storage ownership and settings are key to the security of data in cloud storage services. When you log into file collaboration spaces for everyday work, you will interact with a variety of shared and private folders, each with its own level of security. At Indiana University, institutional data must be stored in a non-individual storage space, such as Microsoft Teams at IU, rather than in individually owned storage spaces, such as Google at IU My Drive and Microsoft OneDrive at IU, to ensure that data will not move or be lost if an employee moves departments or leaves IU.
To maintain security, approved PHI and Restricted data stored via Google services may only be stored in Google at IU Secure Storage, although you will interact with this data from within your own Google at IU account.
Configure folders to protect data
Visual indicators
There is no Google folder icon that will indicate the sensitivity of the data it contains. A folder with Restricted data or approved PHI will appear with the same icon as other Google Shared Drives folders. Therefore, the owner or co-owner needs to give visual cues to collaborators indicating the nature of the contents. IU has established folder naming conventions for folders in Google at IU Secure Storage to reinforce collaborators' awareness of the folders they are working in; descriptions and tags are additional options. You should also know the difference between the different folder icons in Google at IU My Drive. None of these visual cues will protect files or folders by themselves, but they can help you prevent inappropriate access by making it clear which information you and your collaborators need to take care with and where sensitive data should be stored.
Folder icons
Folder icons for Google Shared Drives will appear under the "Shared Drives" section in Google at IU My Drive. Icons in this section can be for either standard institutional Google Shared Drives or for Google at IU Secure Storage.
Folder naming conventions
The most visible indication of a folder's contents is its name. To clearly delineate folders containing sensitive data, you must use the appropriate naming conventions. These are similar to IU's recommended Windows naming conventions.
- For Microsoft Secure Storage and Google Secure Storage, names must start with the prefixes
[Sec]. If collaborators external to IU are permitted, then the prefix must instead be[Sec-E]. Microsoft Teams and Google Shared Drives sites not meant for sensitive data must not use either of these prefixes. - Campus: Can either be an individual campus, or
IUfor cross-campus activities. - Department: Four or fewer letters; normally should be set to a departmental code. Student organizations, multi-departmental committees, ad hoc groups, and others that aren't affiliated with a specific department may set this as they prefer.
- Name: A brief description of the site itself (entered as the "Short Name" in the institutional storage request form). It may be up to 24 characters long. Spaces and hyphens are permitted.
- The name must be unique. These characters are not permitted:
~ " # % & * : < > ? / \ { | } . - Example names:
Secure storage sites for internal collaborators
[Sec] IU-UIPO-UDMC Secure storage sites that allow external collaborators[Sec-E] IU-ORA-Research StandardsMicrosoft Teams or Google Shared DrivesBL-SPEA-projectZ
The rest of the name should use the format Campus-Department-Name:
Descriptions
Any file or folder in Google Storage can have a description. To view the description, right-click the file or folder, and then click . UITS recommends using the description field to indicate the purpose or nature of an item to collaborators. To add a description to a file or folder that has been uploaded to Google Storage:
- Right-click the folder, and click .
- Click the pencil icon beside "Add a description", type the description, and click out of the box to save it.
Shared links
Shared links are used primarily for distributing content; inviting others as collaborators is appropriate when others will be working with the content. However, for Google at IU Secure Storage, you may only use shared links only to share content with those who are already collaborators in the folder. For more, see About Google at IU My Drive.
Collaborator permission levels
To share data, add collaborators to the folders stored in Shared Drives. To protect sensitive data, always make an intentional choice about the permission level of each collaborator in each folder, giving each person the lowest level necessary to accomplish his or her tasks.
- Never use single-file collaboration with restricted and critical data. Collaboration must occur on the folder level only, as this is the level where the naming convention will tell collaborators that they are working with sensitive data. If you feel that your use case absolutely necessitates using single-file collaboration, you must consult with HTS (for HIPAA-regulated data) or your departmental local UITS support person.
Access roles and permissions
Available access roles and associated permissions are outlined in the chart below.
This information is drawn from Shared drives access levels.
| Task | Manager | Content manager 1 | Contributor 2 | Commenter | Viewer |
|---|---|---|---|---|---|
| View shared drives and files | ✔Yes | ✔Yes | ✔Yes | ✔Yes | ✔Yes |
Comment on files in shared drives |
✔Yes | ✔Yes | ✔Yes | ✔Yes | No |
Make, approve, and reject edits in files |
✔Yes | ✔Yes | ✔Yes | No | No |
Create and upload files and create folders in shared drives |
✔Yes | ✔Yes | ✔Yes | No | No |
Add people to specific files in shared drives |
✔Yes | ✔Yes | ✔Yes | No | No |
Move files and folders within a shared drive |
✔Yes | ✔Yes | No | No | No |
Move files from one shared drive to another shared drive |
✔Yes | No | No | No | No |
Move shared drive files into the trash |
✔Yes | ✔Yes | No | No | No |
Permanently delete files in the trash |
✔Yes | No | No | No | No |
Restore files from trash (up to 30 days) |
✔Yes | ✔Yes | ✔Yes | No | No |
Add or remove people to or from shared drives |
✔Yes | No | No | No | No |
| Modify shared drive settings | ✔Yes | No | No | No | No |
| Delete a shared drive | ✔Yes | No | No | No | No |
1 Default role for new members
2 Contributor access provides read-only access to files in Drive for desktop or files in the Chrome OS Files app. Assign the Content manager access level for users who need to edit files in Drive for desktop or on Chrome OS. See About Google Drive for desktop.
Use Google at IU Secure Storage with sensitive data
Everyone who interacts with sensitive data in Google at IU Secure Storage must help keep it secure. If you put sensitive data in Google at IU Secure Storage, you are responsible not only to abide by the following policies and guidelines, but also to make sure that anyone with whom you share the data is aware of them.
Laptop and mobile device security
IU's Mobile Device Security Standard (IT-12.1) applies to all faculty, staff, affiliates, and student employees who use a mobile computing device to access, store, or manipulate institutional data, regardless of who owns the device. It outlines the requirements for any mobile device, including laptop computers, that will access or store university data. Full compliance with this policy is a requirement for using Google at IU Secure Storage with sensitive data.
This is document bgfa in the Knowledge Base.
Last modified on 2024-04-15 16:13:24.