Information Security
Guidance for Securely Storing Information in Microsoft 365 SharePoint Online, OneDrive, or Teams
Last modified 2/12/2024
Microsoft 365 services SharePoint Online, OneDrive, and Teams are powerful tools for storing and sharing information, but it's important to follow best practices for keeping the information secure. This guidance provides information resource owners with instructions on how to securely store information in Microsoft 365.
Teams vs SharePoint vs OneDrive
While the overarching user interface and experience differ across each service, SharePoint Online, OneDrive, and Teams ultimately use the same cloud storage solution. The principles of secure sharing in one service apply to the others.
- Step 1: Determine the Sensitivity of the Information
The first step in securely storing information in SharePoint Online or OneDrive is to determine the sensitivity of the information. This will help you understand the level of security required and determine the appropriate storage location within the platform.
Data Classification
Refer to the data classification procedures and registry for help in determining the sensitivity of information.
9.8.1 Data Classification Procedure | University Policies and Procedures | Illinois State
- Step 2: Create Secure Sites or Folders
Create a secure team, site, or folder within SharePoint Online, OneDrive, or Teams to store the information. Review the permissions to understand which groups or individuals have access, so that the site or folder is protected from unauthorized access.
Request the Creation of a Team for Microsoft Teams | Help - Illinois State
Teams Includes SharePoint
By default, every Teams resource automatically includes a SharePoint site and, in effect, a OneDrive repository for files. This can confuse users who understand the services as distinctly separate. In most cases, what you read about sharing in Teams applies in very similar form to SharePoint and OneDrive.
- Step 3: Control Access to the Information
Control access to the information by using SharePoint Online or OneDrive's sharing options. This may include granting access only to specific individuals or groups.
Access Reviews
Follow our Guidance for Conducting Access Reviews for Information Resources to ensure only authorized individuals have access.
Default Sharing Setting
The default sharing setting of Microsoft 365 at Illinois State University is "People in IL State University." This setting enables any student, faculty, staff, or guest account to access the shared file. This setting is not acceptable for any file or folder that contains highly sensitive or otherwise controlled data. Instead, adjust the sharing settings to "People you choose" and enter their email, name, or username to grant them access directly (see below).
While this can create an inconvenience for sharing the file further, anyone who opens the shared file without access can request it from you.
- Step 4: Regularly Monitor Activity
Regularly monitor the activity on the site or folder to check for any unauthorized access or activity. This may include reviewing logs, checking for unusual activity, or conducting regular access reviews.
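One way to support the sharing check in Step 3 and the periodic review in Step 4, as an added example that is not University tooling: the script below reads a file's permissions in the shape Microsoft Graph returns them and flags sharing links wider than named recipients. It assumes that "People in IL State University" appears as link scope `organization` and "People you choose" as scope `users`; the sample data and the names `audit_permissions` and `_names` are constructed for illustration.

```python
import json

# Constructed sample in the shape of a Microsoft Graph reply to
# GET /drives/{drive-id}/items/{item-id}/permissions (all values made up).
SAMPLE = json.loads("""
{"value": [
  {"id": "p1", "roles": ["read"],
   "link": {"scope": "organization", "type": "view"}},
  {"id": "p2", "roles": ["write"],
   "link": {"scope": "users", "type": "edit"},
   "grantedToIdentitiesV2": [{"user": {"email": "reviewer@example.edu"}}]},
  {"id": "p3", "roles": ["owner"],
   "grantedToV2": {"user": {"email": "owner@example.edu"}}},
  {"id": "p4", "roles": ["read"], "link": {"type": "view"}}
]}
""")


def _names(identity_set):
    # An identity set holds one of user / group / siteUser / siteGroup.
    return [v.get("email") or v.get("displayName", "unknown")
            for v in identity_set.values() if isinstance(v, dict)]


def audit_permissions(response, highly_sensitive):
    """Return (findings, named_people) for one file or folder."""
    findings, people = [], set()
    for perm in response.get("value", []):
        roles = ",".join(perm.get("roles", []))
        link = perm.get("link")
        if link is None:
            # Direct grant, not a sharing link: record who holds it.
            people.update(_names(perm.get("grantedToV2", {})))
            continue
        scope = link.get("scope", "unknown")
        if scope == "users":
            # Link restricted to named recipients ("People you choose").
            for ident in perm.get("grantedToIdentitiesV2", []):
                people.update(_names(ident))
        elif highly_sensitive:
            # Any wider (or unreadable) scope fails closed for sensitive data.
            findings.append(f"{perm.get('id')}: {scope} link ({roles})")
    return findings, sorted(people)


if __name__ == "__main__":
    findings, people = audit_permissions(SAMPLE, highly_sensitive=True)
    print("Replace with 'People you choose':", findings)
    print("Feed into the access review:", people)
```

The list of named people is the input for the access review; the findings are the links to replace with "People you choose".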
- Step 5: Back up the Information
Back up the information stored in SharePoint Online or OneDrive to prevent data loss in the event of a disaster or cyber-attack. This may include using cloud-based backup solutions, or regularly copying the information to a secure, offline location.
Version History
Information stored in SharePoint Online and OneDrive can track past versions as updates are made. However, for highly sensitive information, secondary and additional backup strategies are recommended.
- Step 6: Educate Yourself and Others
Stay informed about the latest security risks and best practices for using SharePoint Online or OneDrive. Educate others, including staff and students, about the importance of keeping the information secure and the steps they can take to protect it.
LinkedIn Learning for Employees
LinkedIn Learning is available to employees of the University. The following chapter of a course on Microsoft Teams provides a good overview of sharing in that app specifically.