Protect sensitive data in Microsoft at IU Secure Storage
On this page:
- Before you begin
- Understand file ownership
- Configure folders to protect data (co-owners)
- Use Microsoft Secure Storage with sensitive data
Before you begin
At Indiana University, to store Restricted and some Critical institutional data, such as approved protected health information (PHI), in Microsoft at IU Secure Storage:
- Verify that your data are allowed in Microsoft Secure Storage; see Types of institutional data appropriate for Microsoft 365 at IU and Google at IU.
- Understand and implement the security measures listed below.
This UITS system or service meets certain requirements established in the HIPAA Security Rule thereby enabling its use for work involving data that contain protected health information (PHI). However, using this system or service does not fulfill your legal responsibilities for protecting the privacy and security of data that contain PHI. You may use this system or service for work involving data that contain PHI only if you institute additional administrative, physical, and technical safeguards that complement those UITS already has in place.
Understand file ownership
Although Indiana University has secure platforms to store data, individual choices determine how secure a given piece of data is. Storage ownership and settings are key to the security of data in cloud storage services. When you log into file collaboration spaces for everyday work, you will interact with a variety of shared and private folders, each with its own level of security. At Indiana University, institutional data must be stored in a non-individual storage space, such as Microsoft Teams at IU, rather than in individually owned storage spaces, such as Google at IU My Drive and Microsoft OneDrive at IU, to ensure that data will not move or be lost if an employee moves departments or leaves IU.
To maintain security, approved PHI and Restricted data stored via Microsoft services may only be stored in Microsoft Secure Storage, although you will interact with this data from within your own Microsoft 365 account.
Configure folders to protect data
Visual indicators
Folder icons
There is no Microsoft folder icon that will indicate the sensitivity of the data it contains. A folder with Restricted data or approved PHI will appear with the same icon as other Microsoft Teams folders. Therefore, the Microsoft Teams manager needs to give visual cues to collaborators indicating the nature of the contents. IU has established folder naming conventions for folders in Microsoft Secure Storage to reinforce collaborators' awareness of the folders they are working in; descriptions and tags are additional options. You should also know the difference between the different folder icons in Microsoft Teams and Microsoft OneDrive at IU. None of these visual cues will protect files or folders by themselves, but they can help you prevent inappropriate access by making it clear which information you and your collaborators need to take care with and where sensitive data should be stored.
Folder naming conventions
The most visible indication of a folder's contents is its name. To clearly delineate folders containing sensitive data, you must use the appropriate naming conventions. These are similar to IU's recommended Windows naming conventions.
- For Microsoft Secure Storage and Google Secure Storage, names must start with the prefixes
[Sec]
. If collaborators external to IU are permitted, then the prefix must instead be[Sec-E]
. Microsoft Teams and Google Shared Drives sites not meant for sensitive data must not use either of these prefixes. - Campus: Can either be an individual campus, or
IU
for cross-campus activities. - Department: Four or fewer letters; normally should be set to a departmental code. Student organizations, multi-departmental committees, ad hoc groups, and others that aren't affiliated with a specific department may set this as they prefer.
- Name: A brief description of the site itself (entered as the "Short Name" in the institutional storage request form). It may be up to 24 characters long. Spaces and hyphens are permitted.
- The name must be unique. These characters are not permitted:
~ " # % & * : < > ? / \ { | } .
- Example names:
Secure storage sites for internal collaborators
[Sec] IU-UIPO-UDMC Secure storage sites that allow external collaborators[Sec-E] IU-ORA-Research StandardsMicrosoft Teams or Google Shared DrivesBL-SPEA-projectZ
The rest of the name should use the format Campus-Department-Name
:
Shared links
Shared links are used primarily for distributing content; inviting others as collaborators is appropriate when others will be working with the content. For more, see Collaborate on files in Microsoft Teams.
Collaborator permission levels
To share data, add collaborators to the folders stored in Microsoft Teams. To protect sensitive data, always make an intentional choice about the permission level of each collaborator in each folder, giving each person the lowest level necessary to accomplish his or her tasks.
Never use single-file collaboration with Restricted and Critical data. Collaboration must occur on the folder level only, as this is the level where the naming convention will tell collaborators that they are working with sensitive data. If you feel that your use case absolutely necessitates using single-file collaboration, you must consult with HTS (for HIPAA data) or your departmental IT Pro.
Access roles and permissions
Available access roles and associated permissions are outlined below:
Task | Team owner | Team member | Guest 1 |
---|---|---|---|
Create team | ✔Yes | No | No |
Leave team | ✔Yes | ✔Yes | ✔Yes |
Edit team name/description | ✔Yes | No | No |
Delete team | ✔Yes | No | No |
Add standard channel | ✔Yes | No | No |
Edit standard channel name/description |
✔Yes | No | No |
Delete standard channel | ✔Yes | No | No |
Add private channel2 | ✔Yes | No | No |
Edit private channel name/description2 |
✔Yes | Not applicable | No |
Delete private channel2 | ✔Yes | No | No |
Add members | ✔Yes | No | No |
Request to add members | ✔Yes | ✔Yes | No |
Add apps | ✔Yes | No | No |
1 Guests are external (non-IU) users.
2 To learn more about permissions for private channels, see Private channels in Microsoft Teams.
Use Microsoft Secure Storage with sensitive data
Laptop and mobile device security
IU's Mobile Device Security Standard (IT-12.1) applies to all faculty, staff, affiliates, and student employees who use a mobile computing device to access, store, or manipulate institutional data, regardless of who owns the device. It outlines the requirements for any mobile device, including laptop computers, that will access or store university data. Full compliance with this policy is a requirement for using Microsoft Secure Storage with sensitive data.
This is document bgfb in the Knowledge Base.
Last modified on 2023-07-07 13:39:40.