Managing Data, Files and Folders in OneDrive
Information Security Best Practice


Information Security Best Practices (ISBP) are developed in support of District Information Security Standards including the California Community College Information Security Standard.

PII in OneDrive

To prevent the accidental sharing of sensitive information, a data loss prevention (DLP) policy has been implemented in OneDrive. If this policy detects an attempt to share protected data with someone outside the institution, it will email a warning notification, including the suspected data type, to both the sender and ITS.

See Remediating PII in OneDrive for further details.

Periodically Review Permissions

To minimize the risk of accidental or inappropriate exposure of confidential information and protected data, users shall perform periodic reviews of existing shares and remove those accounts (former employees, prior vendors, etc.) that no longer require access.

See Change Existing Permissions or Stop Sharing with Users for instructions.

Sharing Files and Folders

OneDrive is a great resource that provides the institution with increased opportunities; however, we, as users, must constantly question how we store, share, and transmit information in order to protect ourselves against those who would perpetrate fraud. Luckily, there are a few simple things we can do in OneDrive to help with that effort.

  • Select permissions based on the need to know.
  • Do not use the default option "Anyone with this link".
  • Do share files and folders using the option "Specific People".
  • Periodically review file and folder permissions and adjust accordingly.
  • Do not use District resources to conduct confidential personal business.

If you use OneDrive to share folders and files, please review the following ITS Information Security Procedure for sharing files and folders in OneDrive.

Non-Business Related Activities and Personal Accounts

District information and technology resources should not be used for personal activities unrelated to appropriate District functions (including commercial use), except in an incidental manner (Administrative Regulation 6006).

Users should be aware that all communications conducted on or from District systems, whether electronic or otherwise, are subject to review and disclosure as outlined by the California Public Records Act, current case law, and other Federal and/or State laws and regulations. Therefore, users should exercise extreme caution in using electronic communications to communicate or store information of a confidential or sensitive nature (Administrative Regulation 6006).

Using District systems to transmit personal taxes, refinance forms, medical verification forms, or anything else containing your confidential information puts you at risk should your account, or the account of the business you deal with, become compromised.

Personal accounts used while conducting business may be subject to discovery in response to a request for production in a lawsuit or investigation.