Ohio University

Using Microsoft Teams with Sensitive Data

Teams is approved for use with sensitive data; however, it is the responsibility of the Team Owner(s) to ensure that the principle of least privilege is followed when granting access.

Membership in Teams and Chats

  • Grant each individual only the access they need to complete their job duties and no more.
  • Owners of a Team or Chat that is intended to be utilized for the sharing of sensitive data are responsible for ensuring that membership is limited to individuals who have a justifiable business need to access that data.

File sharing outside of Teams or Chats

  • Owners and Members of a Team or Chat are not permitted to share files containing sensitive information outside of the Team or Chat unless there is a justifiable business reason.
  • Any Member who has a need to share a file outside the Team or Chat must make the Owner aware of the business case and potential recipient(s).
  • Document collaboration within Teams should be done within the cloud, not on local devices. Examples of acceptable cloud collaboration methods include:
    • Built-in document viewers in Teams
    • Browser-based versions of Office clients like Word, Excel, and PowerPoint
  • Do not download a file that contains sensitive data from Teams onto your device or onto removable media.

Multi-factor authentication required 

For units utilizing Teams to collaborate with sensitive information, Owners, Members and any individual that needs to access sensitive information within the given Team must enable multi-factor authentication for all University services.

Recordings and Screen Captures 

Screen capture or recording of meetings, chats, or screen sharing within units utilizing Teams for collaboration with sensitive data is not recommended.  
 
When considering recording meetings that discuss HIPAA, FERPA, ITAR or other regulated/sensitive data types it is recommended that the meeting owner consult with the Information Security Office to ensure appropriate data handling.