CSULB Guidelines for Securely Using Cloud File Storage

CSULB Guidelines for Securely Using Cloud File Storage

Implements 8065.S003 CSU Cloud Storage and Services Security Standard

Purpose

The purpose of this document is to provide guidance to faculty, staff, and students who use cloud-based data storage to store and share data files while conducting University business.

Background

The University is committed to maintaining the privacy and security of University data. In addition, the University recognizes and supports the use of secure cloud-based file storage solutions to easily access, store, manage, and share University data. To that end, the University has entered into an agreement with Microsoft that allows faculty, students, and staff to use OneDrive for Business as a secure, cloud based file storage service for University-related data. The CSU Microsoft OneDrive for Business agreement meets certain security requirements for FERPA, HIPAA, FISMA, and the U.S. Federal export control regulations that may be necessary to enable University compliance with applicable legal and regulatory obligations. Because these security and privacy features are uniquely built into the CSU version of OneDrive for Business, it is recommended that all faculty, staff, and students use OneDrive for Business to store and share files while conducting University business. Refer to the DoIT OneDrive Service Page for more information.

Guidelines

Secure Computing Devices

• In order to access the campus network or resources, you must use VPN.
• Use only secure network connections when connecting to OneDrive for Business.
• Ensure virus/malware detection software is installed with the latest definitions and operating system up-to-date and patched.
• Make sure your computing device is password-protected with an idle-time screen saver when not in use.
• Avoid synchronizing your OneDrive for Business account across multiple computing devices as this inherently creates the potential for unintended data leakage.

Secure Access, Sharing, and Permissions

• Be cautious when sharing and setting permissions for data stored in the cloud. Limit file sharing to only those with a legitimate need to know for purposes of conducting University business.
• Share files with specific individuals, never with “everyone” or the “public”, unless that is your intention and you have confirmed that the information at issue can be properly shared with the recipients.
• Avoid sharing files with the default "Anyone with the link can edit" permission, which allows the person you shared that file with to further share the file with anyone for the same level of access.
• Never use anonymous guest links, especially when sharing Level 1 and Level 2 data.
• Periodically review sharing privileges in your OneDrive for Business folders. Remove individuals when they no longer need the access to your files or folders.

Secure Data Handling

• Use only Microsoft OneDrive for Business for storing and sharing files, particularly when handling Level 1 and Level 2 data. Refer to Level 1 and Level 2 data definitions below or the Information Classification Standard.
  • If you are storing Level 1 Data (Confidential) and Level 2 Data (Internal Use) online, only use OneDrive for Business.
  • Do not store Level 1 Data (Confidential) in email accounts or on the hard drive of your devices such as desktop and laptop computers or smartphones.
  • Level 3 Data (Public) may be stored and shared in OneDrive for Business, but must be stored and shared in a secure manner.
  • Additional protection may be applied to Level 1 Data (Confidential) by using encryption.
• Do not use consumer-grade cloud file services to conduct University business such as Box.com, DropBox, Google Drive, or personal OneDrive, etc. The University has no authorized contractual agreements with these vendors. As a result, the University cannot ensure that such vendors provide or guarantee the requisite-level of privacy and security for the data.
• All users with a CSULB ID are automatically provided an individual OneDrive for Business account for sharing and storing up to 5 Terabytes of University data (as of January 2022).
• Microsoft OneDrive for Business provided by the University is separate and distinct from any personal OneDrive account you may have already established. Use your CSULB Single Sign-On OneDrive chiclet to log in to your OneDrive for Business account.
• Do not store personal files on OneDrive for Business as this CSULB OneDrive account is intended solely for University business and personal files on CSULB OneDrive may be subject to public disclosure pursuant to the California Public Records Act, unless the information contained in them falls into one or more of the exemptions to disclosure set out in the Public Records Act (see California Government Code Section 6250 et seq.).
• The use of OneDrive for Business is subject to all applicable CSULB policies and standards, including, but not limited to, Acceptable Use Policy, Information Security Policy, and Information Classification Standard.
•  All files stored on OneDrive for Business are subject to Records Retention and Disposition Schedules.
  • Deleted files on OneDrive for Business are recoverable up to 90 days unless they are deleted from the recycle bin, at which time they are not recoverable.
  • Report any lost or stolen University-owned computer/device that is syncing with OneDrive for Business to technology support staff immediately.

History

Issue Date: March 3, 2022

Last Review Date: February 2022

References

• OneDrive for Storing and Sharing Documents
• Storage - OneDrive and SharePoint

Further Information

Information Security Officer email: iso@csulb.edu