Helpful Links

Navigate OHIO

Connect With Us

Tech Help Desk
Alden Library 4th floor
30 Park Place
Athens, OH 45701
help.ohio.edu

Storing Sensitive Data within OneDrive Standard

Purpose

This standard describes the technical and administrative controls that must be implemented when storing sensitive data within Ohio University’s Microsoft OneDrive for Business (“OneDrive”) accounts.

Scope

This standard applies to all Ohio University operating units that wish to store sensitive information within the University's cloud-based storage solution as provided through OHIO's Microsoft licensing.

Standard

When an operating unit wishes to store sensitive data in Microsoft OneDrive they must do so within a Microsoft Group (“Group”) only. Sensitive data must not be stored within individual OneDrive accounts

Establishing a group within OneDrive

  • An operating unit can contact the Office of Information Technology (“OIT”) Service Desk and request to create a Group.
  • A Group will have at least two owners. Owners can edit, view, and share files, as well as manage Group membership.
  • An unlimited number of individuals can be added as members of a Group. Members have the ability to edit, view, and share files, but not manage group membership.

Technical Controls within a Group

  • A restricted document library will be created specifically for the purpose of storing sensitive data, and all sensitive data files shall be stored within this restricted document library.
  • Any restricted document libraries that contain sensitive data will have Sync disabled, meaning that files will not automatically save to the user's local device.
  • The email address associated with the Group will be hidden within the Global Address List (GAL) to prevent both Spam email and confusion within the email directory.
  • The “anyone” permission at the document library level must never be applied for Groups that are storing sensitive data.
  • Logging and Data Loss Prevention (DLP) controls will be enabled and set to alert administrators based on keywords and triggers.
  • It is not recommended that files containing sensitive information be shared outside of a Group, however if a file is shared outside of a Group, the file will default to view-only permission.

Administrative controls within a group

  • Groups will be created for the purpose of storing sensitive data and file collaboration.
    • Owners of a Group are responsible for ensuring that Group membership for storing sensitive data is limited to those individuals that have a business need to access the sensitive data.
    • Should a department or operating unit have the need for certain group members to access sensitive data, but other Group members do not have a need to access the sensitive data, separate Groups must be created to ensure application of the principle of least privilege.
  • Any restricted document libraries that contain sensitive data will have Sync disabled, and Owners will not be permitted to enable Sync.
  • Owners and Members of a Group are not permitted to share files containing sensitive information outside of the Group unless there is a justifiable business reason. Any member that has a need to share a file outside the Group must make the Owner aware of the business case and potential recipient(s).
    • Owners are responsible for periodically auditing their Group’s files to ensure that files containing sensitive data are not being shared outside the Group.
  • Public document libraries within a Group must never contain sensitive data.
  • Document editing should be done within the cloud, not on local devices. Of local document editing is necessary, such editing must be performed on workstations that are both encrypted and patched to the current standard.
  • Owners and Members of a Group are not permitted to have email forwarding set to an email that is outside of the “ohio.edu” domain.

Definitions

Cloud-based: term that refers to applications, services or resources made available to users on demand via the Internet from a third-party provider’s servers.

Groups: a feature within OneDrive for Business that allows you to choose a set of people that you wish to collaborate with and easily set up a collection of resources for those people to share.

Individual OneDrive accounts: terminology that refers to accounts tied to an individual's ohio.edu email address and thus access is limited to an individual user unless that user specifically provisions access to another user.

Sensitive data: term used to describe the classification of data at a medium or high level that must be protected against unauthorized disclosure. Additional information can be found via University Policy 93.001 Data Classification and by visiting the Information Security Website.

Sync: to copy the data from one computer to another computer. Within the context of this standard, syncing refers to copying the data from OneDrive to the users' local host computer.

Spam: unsolicited junk email sent indiscriminately in bulk.

References

Exceptions

All exceptions to this standard must be formally documented with the ISO prior to approval by the Information Security Governance Committee (ISGC). Standard exceptions will be reviewed and renewed on a periodic basis by the ISO.

Request an exception:

Complete: Exception request form.

Governance

This standard will be reviewed and approved by the university Information Security Governance Committee as deemed appropriate based on fluctuations in the technology landscape, and/or changes to established regulatory requirement mandates.

Reviewers

The reviewers of this standard are the members of the Information Security Governance Committee representing the following University stakeholder groups:

  • Audit, Risk, & Compliance: Josh Gonzalez, Chief Privacy Officer 
  • Audit, Risk, & Compliance: Larry Wines, Director of Enterprise Risk Management & Insurance 
  • Faculty: Hans Kruse, Instructor; Emeritus (Scripps College) 
  • Faculty: Brian McCarthy, Professor; Senior Associate Dean (College of Arts & Sciences) 
  • Faculty: Shawn Ostermann, Associate Professor (College of Engineering) 
  • Faculty: Bruce Tong, Assistant Professor of Instruction (Scripps College) 
  • Finance: Julie Allison, Associate Vice President, Finance 
  • Human Resources: Michael Courtney, Senior Associate General Counsel/Director of Employee & Labor Relations 
  • Information Technology: Ed Carter (Chair), Chief Information Security Officer and Senior Director, Information Security & Digital Accessibility 
  • Regional Higher Education: Larry Tumblin, Director of Information Technology for Regional Higher Education 
  • Research: Kimberly Littlefield, Associate Vice President for Research Administration 

History

Draft versions of this policy were circulated for review and approved March 16, 2026.