Because OneDrive is a cloud-based file storage and sharing utility, its use presents some potential risk to PCC and its students, faculty, and staff:
• Data stored in the cloud can be accessed by any workstation, laptop, tablet, or mobile device with access to the Internet.
• Students, faculty, and staff are likely to access data in a variety of ways, including potentially unsecured connections from off-campus locations.
• It is not possible for PCC to govern how OneDrive is being accessed by non-university computers or Internet connections.
• When files are shared with others from a device that is infected with viruses or malware, the data is likely to be compromised as well.
Listed below are data classifications and recommendations for storing and sharing these file types in OneDrive. Alternatives to storing files in OneDrive are also provided where applicable.
Data Classification Recommendations
Listed below are descriptions of confidential, sensitive, or unclassified PCC data. This information should not be stored on OneDrive.
A. Data which, if accessed by unauthorized entities, could cause personal or institutional financial loss.
B. Data which, if accessed by unauthorized entities, would constitute a violation of statute, act or law. This includes but is not limited to:
- Social Security Numbers
- Bank account or credit card numbers, PINs or other identifiers, including but not limited to elements which require protection per PCI-DSS
- Data covered by the Family Educational Rights and Privacy Act (FERPA)
- Data covered by the Health Insurance Portability and Accountability Act (HIPAA)
- Trade secrets or information that may be purchased for the creation of patented or trade secret information. For example, unique or proprietary chemical formulas or computer code.
- Login/password credentials or other authentication credentials implemented to control access to systems or resources.
- Credentials for other systems or applications that provide access to any system containing information classified as confidential or sensitive.
C. Sensitive Data
Information generally used internally at the college or with its authorized partners. Information which, if released to unauthorized individuals, would not result in any financial loss or legal compliance issues but would negatively impact the privacy of the individuals named or the integrity or reputation of the college. This includes but is not limited to the following:
- Employees who have chosen to suppress their directory information.
- Identities of donors or other third-party partner information maintained by the University not specifically designated for public release.
- Proprietary financial, budgetary or personnel information not explicitly approved by authorized parties for public release.
- Emails and other communications regarding internal PCC matters which have not been specifically approved for public release.
Data that does not meet the criteria as confidential, sensitive or private as defined above shall be considered non-classified data. Please note that this classification does not imply that the data does not need to be properly managed. Such data may be subject to open records requests.
Online File Storage Alternatives
If you have confidential or sensitive data that must be stored and/or shared online, please consider the following alternatives:
- De-identify data before sharing on OneDrive:
  - Use a random identifier and store both the identifiable data and its encrypted identifier on an internal network drive.
  - De-identified data can be stored and shared with others via OneDrive.
- Encrypt and store data that cannot be de-identified on a network drive:
  - Ensure the party you are sharing these files with has met the requirements associated with the type of data being shared (e.g., signing a confidentiality agreement or signing a BAA for HIPAA data)
  - OneDrive can be used to share encrypted files if the other party is properly authorized to receive and care for the data, the encryption key or password is exchanged over the phone, and the file(s) are removed from OneDrive once transferred.
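The de-identification step above, sketched as an added example (this is not PCC's own tooling): each person gets a random identifier, the shareable rows lose their identifying columns, and the crosswalk that maps identifiers back to people is returned separately so it can stay on the internal network drive. The column names, the constructed sample CSV, and the function names `deidentify` and `residual_identifiers` are assumptions made for illustration.

```python
import csv
import io
import secrets

# Constructed sample export; names, SSNs and addresses are made up.
SAMPLE_CSV = """student_name,ssn,email,course,grade,note
Ada Example,000-00-0001,ada@example.edu,BIO101,A,
Ben Sample,000-00-0002,ben@example.edu,BIO101,B,
Ada Example,000-00-0001,ada@example.edu,CHM110,B,contact ada@example.edu about lab
"""
# Assumption: these columns are the direct identifiers in this export.
IDENTIFYING = ("student_name", "ssn", "email")


def deidentify(rows, identifying=IDENTIFYING, key_column="ssn"):
    """Return (shareable, crosswalk). Only `shareable` may go to OneDrive;
    `crosswalk` (random id -> identity) stays on the internal network drive."""
    id_for_key, crosswalk, shareable = {}, {}, []
    for row in rows:
        missing = [c for c in identifying if c not in row]
        if missing:
            raise ValueError(f"row lacks identifying columns: {missing}")
        key = row[key_column]
        if key not in id_for_key:
            # Random, not a hash of the SSN: a hash could be brute-forced back.
            study_id = secrets.token_hex(8)
            while study_id in crosswalk:
                study_id = secrets.token_hex(8)
            id_for_key[key] = study_id
            crosswalk[study_id] = {c: row[c] for c in identifying}
        clean = {"study_id": id_for_key[key]}
        clean.update({k: v for k, v in row.items() if k not in identifying})
        shareable.append(clean)
    return shareable, crosswalk


def residual_identifiers(shareable, crosswalk):
    """Identifying values that still occur in the shareable rows, e.g. inside
    a free-text column that was not listed as identifying."""
    known = {v for rec in crosswalk.values() for v in rec.values() if v}
    return {s for row in shareable for v in row.values() if v
            for s in known if s in v}


def load_sample():
    return list(csv.DictReader(io.StringIO(SAMPLE_CSV)))


if __name__ == "__main__":
    shareable, crosswalk = deidentify(load_sample())
    print(shareable)
    print("still identifying:", residual_identifiers(shareable, crosswalk))
```

On the sample data the residual check flags the e-mail address left in the free-text `note` column, which is the kind of leftover that dropping columns alone does not catch.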
How to Use OneDrive Securely
Secure the workstation or device you are using to access OneDrive:
• Install virus/malware detection software with the latest definitions
• Run a firewall that blocks in-bound traffic
• Do not log into your workstation or device as an administrator (unless absolutely necessary)
• Keep your operating system and software up-to-date
• Password-protect your workstation or device and use idle-time screen saver passwords where possible
• Talk to your departmental IT support for help securing your computers and other devices
Use only secure network connections:
• Use the PCC wired network or PCC WiFi when on campus
• Implement the FTC’s best practices for using public WiFi connections
• Implement the FTC’s best practices for securing home wireless networks
Exercise caution when sharing files online:
• Use folders to share groups of files with others online
• Share files with specific individuals, never with “everyone” or the “public”
• Be careful sending links to shared folders, because they can often be forwarded to others to whom you did not provide access
• Remember that once a file is shared with someone and they download it to their device, they can share it with others
Review sharing privileges in OneDrive on at least a quarterly basis:
• Remove individuals when they no longer require access to files or folders
• See this How-To on reviewing sharing privileges for more information
Review file access logs in OneDrive on at least a weekly basis:
• Enable all audit settings
• Turn on reporting features
• Review your audit log reports
Any copyrighted data stored on OneDrive is subject to the terms set by Administrative Policy 200-34: http://prattcc.edu/about-pcc/computer-and-internet-use
OneDrive is considered part of the Pratt Community College computer systems, and as such, any use deemed improper by PCC will require that the user remove such information from OneDrive and may result in PCC removing the user from Office 365 and OneDrive.