Introduction

This article describes:

• The recommended approach for working with sensitive or highly sensitive data in Microsoft 365 (M365)
• Other actions/alternatives that are permitted, and
• Actions that are not permitted when working with sensitive or highly sensitive data using M365.

Contents

• Recommended Approach
• Other Permitted Actions
• Actions Not Permitted

Instructions

When working with sensitive or highly sensitive data, files and documents containing the information must remain in the M365 environment. You may only download or save a file to your local system if your local system meets the high-risk data classification controls found at this Virginia Tech Standard for High Risk Digital Data Protection. To learn how to disable local caching of documents to OneDrive, please see this Knowledge Base article.

Recommended Approach

1. Create a Microsoft Team for the members of your project
   
   • All transactions within Team are encrypted in rest and in transit
   • Approved non-VT project members may be invited as guests to your Microsoft Team even if they do not have an M365 license
     
     
2.  Communicate with members of the project using the Microsoft Teams channel posts feature
   
   • Using Team channel posts allow members to have conversations on specific files and share documents with each other without needing to email documents or copy and paste links
   • Teams also has a mobile app to allow members to participate in conversations when they are away from their local system
     
     
3. Store, share, and collaborate on files through the Files section of Microsoft Teams
   
   • All members of the Team will automatically have access to all files uploaded to the team. If you need to exclude some team members from certain resources, you can create a “private” channel within a Microsoft Team to limit access to a subset of members that you identify when setting up the “private” channel.
   • If you need to share a specific file with an approved user outside of the team, you can use the Share feature when editing a document to specifically email a link to the Virginia Tech or non-Virginia Tech user so he or she can read and comment on the document securely
   • Notify members when you want them to review a document by clicking the document in Teams, then start a conversation on the document, and then @mention the individual(s), channel, or team that you want to review it

 

4. If you need to meet online, use the built-in Microsoft Teams functionality
   
   • Instantly launch or schedule online meetings from any channel and all members will see the meeting and be able to join if needed
   • Record your online meetings and the video of the meeting will be automatically posted to the channel where the meeting was conducted

Top of page

Other Permitted Actions

• Create a SharePoint site to store and share your project files. Microsoft Teams uses SharePoint behind the scenes. The only difference between creating a SharePoint Site and the Microsoft Team (as described above) is that Teams gives your members built-in chat and online meeting capability.
  
  
• Edit Office documents in the locally installed Word, Excel, or PowerPoint. Before using the locally installed Microsoft Office apps to edit a document you must make sure your local system meets the high-risk data classification controls found at this Virginia Tech Standard for High Risk Digital Data Protection.
  
  
• Email a message or attachment to a colleague using the sensitivity setting “EPHI”. This setting will automatically encrypt the message and most attachments types. It will also prevent recipients from forwarding the message to others. Instructions on using sensitivity label can be found in KB0011856: Microsoft 365 Sensitivity Labels? As noted above in the recommended approach above, the best way to share documents and ensure their security is to use the “share” option when editing the documents in Microsoft Teams.  

Top of page

Actions Not Permitted

Before taking any of the following actions, your local system must meet the high-risk data classification controls found at this Virginia Tech Standard for High Risk Digital Data Protection

 

• Do not download or save files to your local system. Keep the documents in Microsoft Teams or SharePoint. You will still be able to edit them using your installed desktop Microsoft Office apps as noted in the Recommended Approach above. 
  
  
• Do not use your OneDrive when working with ePHI data.  You must use Microsoft Teams or SharePoint. OneDrive is typically configured for most users to automatically sync with their local system. Since saving or downloading files to your local system is not permitted, OneDrive should not be used. To learn how to disable local caching of documents to OneDrive, please see this Knowledge Base article.
  
  
• Do not share files through the direct Chat option in Microsoft Teams. Files shared with you through direct chat are saved to your OneDrive which is not allowed. If you need to share a document, see the instructions in the Recommended Approach section.
  
  
• Do not save email attachments to your local system or your OneDrive. Microsoft is planning to release an option for users to post an email with attachments directly into Microsoft Teams, but this feature is not available yet. We recommend sharing as detailed in the “Recommend Approach” section above.

Top of page