Protect sensitive data in Microsoft at IU Secure Storage

This draft text is being revised as more information becomes available.

Before you begin

At Indiana University, to store Restricted and some Critical institutional data, such as approved protected health information (PHI), in Microsoft at IU Secure Storage:

  1. Verify that your data are allowed in Microsoft Secure Storage; see Types of institutional data appropriate for Office 365 at IU and Google at IU.
  2. Understand and implement the security measures listed below.
Note:
The following procedures and practices are necessary with Microsoft Secure Storage, but many of them can be applied anytime you are collaborating in Microsoft Teams at IU.
Important:
This UITS system or service meets certain requirements established in the HIPAA Security Rule thereby enabling its use for work involving data that contain protected health information (PHI). However, using this system or service does not fulfill your legal responsibilities for protecting the privacy and security of data that contain PHI. You may use this system or service for work involving data that contain PHI only if you institute additional administrative, physical, and technical safeguards that complement those UITS already has in place.

Understand file ownership

Although Indiana University has secure platforms to store data, individual choices determine how secure a given piece of data is. Storage ownership and settings are key to the security of data in cloud storage services. When you log into file collaboration spaces for everyday work, you will interact with a variety of shared and private folders, each with its own level of security. At Indiana University, institutional data must be stored in non-individual storage spaces, such as Google at IU Shared Drives and Microsoft Teams at IU, rather than in individually owned storage spaces, such as Google at IU My Drive and Microsoft OneDrive at IU, to ensure that data will not move or be lost if an employee moves departments or leaves IU.

To maintain security, approved PHI and Restricted data stored via Microsoft services may only be stored in Microsoft Secure Storage, although you will interact with this data from within your own Office 365 account.

Configure folders to protect data

Visual indicators

Folder icons

There is no Microsoft folder icon that will indicate the sensitivity of the data it contains. A folder with Restricted data or approved PHI will appear with the same icon as other Microsoft Teams folders. Therefore, the Microsoft Teams manager needs to give visual cues to collaborators indicating the nature of the contents. IU has established folder naming conventions for folders in Microsoft Secure Storage to reinforce collaborators' awareness of the folders they are working in; descriptions and tags are additional options. You should also know the difference between the different folder icons in Microsoft Teams and Microsoft OneDrive at IU. None of these visual cues will protect files or folders by themselves, but they can help you prevent inappropriate access by making it clear which information you and your collaborators need to take care with and where sensitive data should be stored.

Folder naming conventions

The most visible indication of a folder's contents is its name. To clearly delineate folders containing sensitive data, you must use the appropriate naming conventions. These are similar to IU's recommended Windows naming conventions.

Note:
These conventions do not pertain to individual storage in Google at IU My Drive or in Microsoft OneDrive at IU.
  • For Microsoft Secure Storage and Google Secure Storage, names must start with the prefix [Sec]. If collaborators external to IU are permitted, then the prefix must instead be [Sec-E]. Microsoft Teams and Google Shared Drives sites not meant for sensitive data must not use either of these prefixes.
  • The rest of the name should use the format Campus-Department-Name:

    • Campus: Can either be an individual campus, or IU for cross-campus activities.
    • Department: Four or fewer letters; normally should be set to a departmental code. Student organizations, multi-departmental committees, ad hoc groups, and others that aren't affiliated with a specific department may set this as they prefer.
    • Name: A brief description of the site itself (entered as the "Short Name" in the Institutional storage request form). It may be up to 24 characters long. Spaces and hyphens are permitted.
  • The name must be unique. These characters are not permitted:
    ~ " # % & * : < > ? / \ { | } . 
    
  • Example names:
    • Secure storage sites for internal collaborators: [Sec] IU-UIPO-UDMC
    • Secure storage sites that allow external collaborators: [Sec-E] IU-ORA-Research Standards
    • Microsoft Teams or Google Shared Drives: BL-SPEA-projectZ
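
The naming rules above can be checked mechanically before a site is requested. The following is an added example, not UITS code: the function name, the letters-only campus check, and the case-insensitive uniqueness comparison are assumptions, since the page gives no campus code list and does not say how uniqueness is compared.

```python
import re

# Characters the page lists as not permitted in a site name.
FORBIDDEN = set('~"#%&*:<>?/\\{|}.')
PREFIXES = ("[Sec-E]", "[Sec]")

def check_site_name(name, sensitive, external=False, existing=()):
    """Return a list of convention violations (empty list = compliant)."""
    problems = []
    prefix = next((p for p in PREFIXES if name.startswith(p)), None)
    body = name[len(prefix):].lstrip() if prefix else name

    if sensitive:
        # External collaborators require [Sec-E]; internal-only sites use [Sec].
        expected = "[Sec-E]" if external else "[Sec]"
        if prefix != expected:
            problems.append(f"secure storage name must start with {expected}")
    elif prefix:
        problems.append(f"non-sensitive site must not use the {prefix} prefix")

    bad = sorted(set(body) & FORBIDDEN)
    if bad:
        problems.append("forbidden characters: " + " ".join(bad))

    # The short name may itself contain hyphens, so split on the first two only.
    parts = body.split("-", 2)
    if len(parts) != 3:
        problems.append("expected Campus-Department-Name")
    else:
        campus, dept, short = parts
        # Assumption: campus codes are letters only; the page gives no list.
        if not re.fullmatch(r"[A-Za-z]+", campus):
            problems.append("campus must be a campus code or IU")
        if not re.fullmatch(r"[A-Za-z]{1,4}", dept):
            problems.append("department must be four or fewer letters")
        if not 1 <= len(short) <= 24:
            problems.append("short name must be 1-24 characters")

    # Assumption: uniqueness is compared case-insensitively.
    if name.casefold() in {e.casefold() for e in existing}:
        problems.append("name is not unique")
    return problems
```

The three example names from the page return an empty list when checked with the matching sensitive and external flags; a name with the wrong prefix for its collaborator type is reported.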

Shared links are used primarily for distributing content; inviting others as collaborators is appropriate when others will be working with the content. However, for Microsoft Secure Storage, you may use shared links only to share content with those who are already collaborators in the folder. For more, see Collaborate on files in Microsoft Teams.

Collaborator permission levels

To share data, add collaborators to the folders stored in Microsoft Teams. To protect sensitive data, always make an intentional choice about the permission level of each collaborator in each folder, giving each person the lowest level necessary to accomplish his or her tasks.

Never use single-file collaboration with Restricted and Critical data. Collaboration must occur on the folder level only, as this is the level where the naming convention will tell collaborators that they are working with sensitive data. If you feel that your use case absolutely necessitates using single-file collaboration, you must consult with HTS (for HIPAA data) or your departmental IT Pro.

Access roles and permissions

Available access roles and associated permissions are outlined below:

| Task | Manager | Team owner | Team member | Guest [1] |
|---|---|---|---|---|
| Create team | Yes | No | No | No |
| Leave team | Yes | Yes | Yes | Yes |
| Edit team name/description | Yes | Yes | No | No |
| Delete team | Yes | No | No | No |
| Add standard channel | Yes | Yes | No | No |
| Edit standard channel name/description | Yes | Yes | No | No |
| Delete standard channel | Yes | Yes | No | No |
| Add private channel [2] | Yes | Yes | No | No |
| Edit private channel name/description [2] | Yes | No | Not applicable | No |
| Delete private channel [2] | Yes | Yes | No | No |
| Add members | Yes | Yes | No | No |
| Request to add members | Yes | Not applicable | Yes | No |
| Add apps | Yes | Yes | No | No |

Notes:

[1] Guests are external (non-IU) users.

[2] To learn more about permissions for private channels, see Private channels in Microsoft Teams.

Use Microsoft Secure Storage with sensitive data

Laptop and mobile device security

IU's Mobile Device Security Standard (IT-12.1) applies to all faculty, staff, affiliates, and student employees who use a mobile computing device to access, store, or manipulate institutional data, regardless of who owns the device. It outlines the requirements for any mobile device, including laptop computers, that will access or store university data. Full compliance with this policy is a requirement for using Microsoft Secure Storage with sensitive data.

This is document bgfb in the Knowledge Base.
Last modified on 2020-07-09 14:45:46.
