Storing sensitive data within OneDrive standard

Purpose

This standard describes the technical and administrative controls that must be implemented when storing sensitive data within Ohio University’s OneDrive for Business (“OneDrive”) accounts.

Scope

This standard applies to all Ohio University operating units that wish to store sensitive information within a cloud-based solution.

Standard

When an operating unit wishes to store sensitive data in OneDrive they must do so within a Microsoft Group (“Group”) only. Sensitive data must not be stored within individual OneDrive accounts

Establishing a group within OneDrive

• An operating unit can contact the Office of Information Technology (“OIT”) Service Desk and request a Group be created.
• A Group will have at minimum two owners. Owners have the ability to edit, view, and share files, as well as manage membership.
• Other individuals can be added to the Group, with no limitations around quantity, as members. Members have the ability to edit, view, and share files, but not manage membership.

Technical Controls within a Group

• A document library will be created specifically for the purpose of storing sensitive data, all sensitive data files shall be stored within this document library.
• Any document libraries that contain sensitive data will have Sync disabled.
• The email address associated with the group will be hidden within the Global Address List (GAL) in an effort to prevent both Spam email and confusion within the email directory.
• The “anyone” permission at the document library level must never be applied for Groups that are storing sensitive data.
• Logging and Data Loss Prevention (DLP) controls will be enabled and set to alert administrators based on keywords and triggers.
• It is not recommended that files containing sensitive information be shared outside of a group, however in the event that a file is shared outside of a group, the file will default to view-only permission.

Administrative controls within a group

• Groups will be created for the purposes of storing sensitive data and for storing files for collaboration.
  • Owners of a Group are responsible for ensuring that Group membership for storing sensitive data is limited to those individuals that have a business need to access the sensitive data.
  • Should a department or operating unit have the need for certain group members to access sensitive data but other Group members do not have a need to access the sensitive data separate groups must be created to ensure the rule of least privilege.
• Any document libraries that contain sensitive data will have Sync disabled, and Owners will not be permitted to enable Sync.
• Owners and Members of a group are not permitted to share files containing sensitive information outside of the Group unless there is a justifiable business reason. Any member that has a need to share a file outside the Group must make the Owner aware of the business case and potential recipient(s).
  • Owners are responsible for periodically auditing their Group’s files to ensure that files containing sensitive data are not being shared outside the group.
• For Groups that store sensitive information, Owners, Members and any individual that would access the sensitive information within the given Group must enable multi-factor authentication for all university services.
• Public document libraries within a group must never contain sensitive data.
• Document editing should be done within the cloud, not on local devices. In the event that local document editing is necessary, such editing should be performed on workstations that are both encrypted and patched to the current standard.
• Owners and Members of a Group are not permitted to have email forwarding set to an email that is outside of “ohio.edu”.

Definitions

Cloud-based: term that refers to applications, services or resources made available to users on demand via the Internet from a third party provider’s servers.

Groups: a feature within OneDrive for business that allows you to choose a set of people that you wish to collaborate with and easily set up a collection of resources for those people to share.

Sensitive data: term used to describe the classification of data at a medium or high level that must be protected against unauthorized disclosure. Additional information can be found via University Policy 93.001 Data Classification and by visiting the Information Security Website.

Sync: to copy the data from one computer to another computer. Within the context of this standard, to sync refers to copying the data from one drive to the local host computer.

Spam: unsolicited junk email sent indiscriminately in bulk.

References

• Policy 91.005 Information Security
• Policy 91.006 Information Security Risk Management
• Policy 93.001 Data Classification
• NIST 800 Series Publications

Exceptions

All exceptions to this standard must be formally documented with the ISO prior to approval by the Information Security Governance Committee (ISGC). Standard exceptions will be reviewed and renewed on a periodic basis by the ISO.

Request an exception:

Complete: Exception request form.

Governance

This standard will be reviewed and approved by the university Information Security Governance Committee as deemed appropriate based on fluctuations in the technology landscape, and/or changes to established regulatory requirement mandates.

Reviewers

The reviewers of this standard are the members of the Information Security Governance Committee representing the following University stakeholder groups:

• Information Technology -Ed Carter (Chair)
• Human Resources -Michael Courtney
• Faculty -Hans Kruse
• Finance and Administration -Chad Mitchell
• Associate Dean -Shawn Ostermann
• Regional Higher Education -Larry Tumblin
• Research and Sponsored Programs -Maureen Valentine
• Enterprise Risk Management and Insurance -Larry Wines

History

Draft versions of this policy were circulated for review and approved May 6, 2021.