Storing Restricted, Protected, and Sensitive Information @ USNH

Summary

This article contains information regarding storing restricted, protected, and sensitive information at USNH using SharePoint and OneDrive.

 

Content

SharePoint and OneDrive are the preferred storage locations for restricted and sensitive data

  • USNH Information Classifications and Storage

    • Public Information (no lock): No restrictions on storage in OneDrive and SharePoint
    • Sensitive Information (1 lock): No restrictions on storage in OneDrive and SharePoint
    • Protected Information (2 locks): May be stored in OneDrive or SharePoint with Data Steward approval or proper configuration.
    • Restricted (legally protected) Information (3 locks): Restricted Information can be stored in SharePoint when properly configured. Never store Restricted Data in OneDrive, or in SharePoint without first consulting the ET&S M365 team. Submit a ticket if you must store Restricted Data in SharePoint.
  • Don't store unnecessary data:

    • Scan existing files with Identity Finder (where possible) before transfer to OneDrive and SharePoint to locate SSNs and credit card numbers.
    • Old and outdated files that are no longer useful (e.g., kept "just in case")
    • No business need for the data (or obsolete business need).
    • Legal exposure; data is discoverable in lawsuits.
    • Define and use a record retention policy (USNH Policy)
  • SharePoint is the only acceptable cloud storage location for the information below, when configured properly by the M365 team.

    • Protected health information (PHI) subject to HIPAA/HITECH regulations
      • Understand "covered entity"
      • PHI not covered by HIPAA still must be protected
    • Credit Card information
      • Customer data; does not apply to P-Cards
      • Policy, not law
    • Export controlled research data
      • Sharing risk
  • Be wary of syncing desktop files and SharePoint when storing restricted information.

    • Places inappropriate information on local devices
    • Use only with encrypted devices when storing restricted data

 

Can I store my own sensitive data in OneDrive and SharePoint?

While we do not explicitly prohibit incidental personal use of OneDrive or SharePoint, we strongly discourage and do not recommend using OneDrive and SharePoint for personal files. Remember that OneDrive and SharePoint are university-provided resources, subject to legal and right-to-know discovery.

If you have any questions about the storage of information or classifications, please contact Cybersecurity.GRC@usnh.edu.

 

Further Reading

 Introducing USNH ET&S Information Classification - Approved Storage Locations

 

Need additional help?

Submit a ticket if you must store Restricted Data in SharePoint.

Visit the Technology Help Desk Support page to locate your local campus contact information or to submit an online technology support request. For password issues, you must call or visit the Help Desk in person.