Because OneDrive for Business is a cloud-based file storage and sharing utility, its use presents some potential risk to UWM and it’s students, faculty, and staff:
- Data stored in the cloud can be accessed by any workstation, laptop, tablet, or mobile device with access to the Internet.
- Students, faculty, and staff are likely to access data in a variety of ways, including potentially unsecured connections from off-campus locations.
- It is not possible for UWM to govern how OneDrive is being accessed by non-university computers or Internet connections.
- When files are shared with others from a device that is infected with viruses or malware, the data is likely to be compromised as well.
Listed below are UWM’s data classifications and recommendations for storing and sharing these file types in OneDrive. Alternatives to storing files in OneDrive are also provided where applicable.
Data Classification Recommendations
Listed below are general recommendations for storing files containing confidential, sensitive, or unclassified UWM data in your OneDrive account. A full definition of all data classifications and examples of each are available in the UWM Information Security Office’s Data Classification and Criticality Standards.
Confidential data should NOT be stored or shared using OneDrive; see “Online File Storage Alternatives” listed below.
Sensitive data may be stored and shared in OneDrive, but must be stored and shared in a secure manner (see “How to Use OneDrive Securely” below).
Unclassified data may be stored and shared in OneDrive, but must be stored and shared in a secure manner (see “How to Use OneDrive Securely” below).
Online File Storage Alternatives
If you have confidential or sensitive data that must be stored and/or shared online, please consider the following alternatives:
De-identify data before sharing on OneDrive:
- Use a random identifier and store both the identifiable data and its encrypted identifier on an internal network drive.
- De-identified data can be stored and shared with others via OneDrive.
Encrypt and store data that cannot be de-identified on a network drive:
- Use the UWM Information Security Office’s recommended tools.
- Ensure the party you are sharing these files with has met the requirements associated with the type of data being shared (e.g., signing a confidentiality agreement or signing a BAA for HIPAA data).
- OneDrive can be used to share encrypted files if the other party is properly authorized to receive and care for the data, the encryption key or password is exchanged over the phone, and the file(s) are removed from OneDrive once transferred.
How to Use OneDrive Securely
Secure the workstation or device you are using to access OneDrive:
- Install virus/malware detection software with the latest definitions.
- Run a firewall that blocks in-bound traffic.
- Do not log into your workstation or device as an administrator (unless absolutely necessary).
- Keep your operating system and software up-to-date.
- Password-protect your workstation or device and use idle-time screen saver passwords where possible.
- Talk to your departmental IT support for help securing your computers and other devices.
Use only secure network connections:
- Use the UWM wired network or UWM WiFi when on campus.
- Implement the FTC’s best practices for using public WiFi connections.
- Implement the FTC’s best practices for securing home wireless networks.
Exercise caution when sharing files online:
- Use folders to share groups of files with others online.
- Share files with specific individuals, never with “everyone” or the “public”.
- Be careful sending links to shared folders because they can often be forwarded to others to whom you did not provide access.
- Remember that once a file is shared with someone and they download it to their device, they can share it with others.
Review sharing privileges in OneDrive on at least a quarterly basis:
- Remove individuals when they no longer require access to files or folders.
- See this KnowledgeBase article on OneDrive sharing for more information.
- Additionally, see this KnowledgeBase article on how to stop sharing files and folders in OneDrive.
Review file access logs in OneDrive on at least a weekly basis:
- Enable all audit settings.
- Turn on reporting features.
- Review your audit log reports.
- See this KnowledgeBase article on OneDrive settings for more information.