Office 365 (OneDrive for Business) - Security Recommendations

Because OneDrive for Business is a cloud-based file storage and sharing utility, its use presents some potential risk to UWM and it's students, faculty, and staff:

  • Data stored in the cloud can be accessed by any workstation, laptop, tablet, or mobile device with access to the internet.
  • Students, faculty, and staff are likely to access data in a variety of ways, including potentially unsecured connections from off-campus locations.
  • It is not possible for UWM to govern how OneDrive for Business is being accessed by non-University computers or internet connections.
  • When files are shared with others from a device that is infected with viruses or malware, the data is likely to be compromised as well.

How to Use OneDrive for Business Securely

Secure the workstation or device you are using to access OneDrive for Business:

  • Install virus/malware detection software with the latest definitions
  • Run a firewall that blocks in-bound traffic
  • Do not log into your workstation or device as an administrator (unless absolutely necessary)
  • Keep your operating system and software up-to-date
  • Password-protect your workstation or device and use idle-time screen saver passwords where possible
  • Talk to your departmental IT support for help securing your computers and other devices

Use only secure network connections:

  • Use the UWM wired network or UWM WiFi when on campus
  • Try to avoid using public WiFi, but if you need to use it, follow FTC's best practices
  • Secure your home wireless network using the FTC's guide

De-identify confidential or sensitive data before sharing on OneDrive for Business:

  • Use a random identifier and store both the identifiable data and its encrypted identifier on an internal network drive

Encrypt confidential or sensitive data that cannot be de-identified:

  • Use the UWM Information Security Office's recommended tools
  • Ensure the party you are sharing these files with has met the requirements associated with the type of data being shared (e.g., signing a confidentiality agreement or signing a BAA for HIPAA data)
  • Encryption key or password should be exchanged over the phone

Exercise caution when sharing files online:

  • Share files with specific individuals, never with everyone or the public
  • Use folders to share groups of files with others online
  • Be careful sending links to shared folders because they can often be forwarded to others who you did not provide access to
  • Remember that once a file is shared with someone and they download it to their device, they can share it with others

Review sharing privileges in OneDrive on at least a quarterly basis:

  • Remove individuals when they no longer require access to files or folders
  • See this How-To on reviewing sharing privileges for more information

Review file access logs in OneDrive on at least a weekly basis:

  • Enable all audit settings
  • Turn on reporting features
  • Review your audit log reports

See the UWM Information Security Office for more information.

See Also: