Approved Methods of Storing and Sharing Data and Files

Issue/Question

We need a secure method to store and share data or files.  We may also need to collaborate with other entities and would like a location to do that securely.   What methods and services does USD support for this?   

Environment

• Microsoft Teams
• Microsoft Sharepoint
• Microsoft Onedrive
• Google Workspace
• FERPA
• PII
• HIPAA
• GLBA
• GDPR
• Data Loss Prevention
• Data Stewards

Cause

Objective: To protect sensitive and restricted data from unauthorized access, sharing, or loss, this policy defines the approved methods for data storage and sharing within the organization, in alignment with the USD Security Program, USD and SDBOR policy.

Scope: This policy applies to all employees, contractors, and third parties handling data within the organization. It covers the classification and sharing of sensitive, restricted, public, and internal data.  Additionally, it addresses how stale data is handled and shared. 

Resolution

Approved Methods for Data Storage and Sharing:

1. Restricted Data:

   • Approved Storage and Sharing Platforms:
     • Microsoft Teams
     • Microsoft SharePoint
     • Microsoft Onedrive
     • On-Premise File Shares
   • Prohibited Platforms:
     • Google Workspace
     • All other platforms without a documented exception
   • Justification: Sensitive and restricted data must be shared only through Microsoft Teams, Microsoft SharePoint, Microsoft Onedrive, and On-Premise file shares as these platforms provide enhanced security, access control, encryption, and audit capabilities. Sensitive or restricted data may only be shared externally with appropriate approval, inventory, and auditing.  The USD implementation of Google Workspace is not suitable for restricted data due to limited compliance with security requirements for highly sensitive information.

2. Public and Internal Data:

   • Approved Storage and Sharing Platforms:
     • Microsoft Teams
     • Microsoft SharePoint
     • Microsoft Onedrive
     • On-Premise File Shares
     • Google Workspace
   • Justification: Public and internal data, which is less sensitive, can be shared through Microsoft Teams, Microsoft SharePoint, Microsoft Onedrive, On-Premise File Shares, and Google Workspace.

Retention:  Data that has not been accessed in a year is considered stale and should no longer be shared externally.  Data that has not been accessed in two years should no longer be shared internally.  This will limit USD exposure in the event of individual or multiple internal or external account compromises.

Exceptions: ​​​​​​ Other use-case specific 3rd party platforms store and share restricted data.  These platforms are evaluated, approved, inventoried, and audited during the USD Technology Risk Assessment and the continuous monitoring process the USD Security Team performs.

Enforcement: Failure to comply with this policy will result in disciplinary actions, up to and including termination of employment.  Data sharing must be audited, and violations of the policy must be reported.

This policy helps ensure secure communication reducing the risk of data breaches and aligns with critical security controls for protecting the organization’s most sensitive data.

Please contact the Service Desk if you need further assistance.