Remediating PII in OneDrive
Information Security Procedure

Information Security Procedures (ISPR) provide the formal methods by which Information Security Regulations, Standards, and Best Practices are carried out.

This ISPR directly supports the ISBP for sharing files and folders in OneDrive.

PII and OneDrive

In today’s evolving threat landscape, we must protect ourselves from those who would perpetrate fraud against us by constantly questioning how we store and transmit confidential information.

To prevent the accidental sharing of sensitive information, a data loss prevention (DLP) policy has been implemented in OneDrive. If this policy detects an attempt to share personally identifiable information (PII) with someone outside the institution, it will email a warning notification, including the suspected data type, to both the sender and ITS.

Note: At times these security systems generate false positives (data that looks like confidential information but is not).

If the File Contains Confidential Information

  1. If it is necessary to share the file with someone outside the institution as part of an authorized business process defined by your department in concert with ITS, you may need to find another method to deliver the data; for instance, by using a fax machine, an encrypted USB, etc.

    Please contact the ITS Help Desk for assistance if you cannot find an appropriate alternative.

  2. If the need to share the file with someone outside the institution is legitimate but the sensitive data is not required, remove or redact the offending data (see below), find an alternative delivery method, or stop sharing the file or folder.

If the Data Has Been Misidentified

  1. If you still intend to share the file with someone outside the institution, you can either remove or redact the offending data (see below), find an alternative delivery method, or contact the ITS Help Desk for guidance.

  2. If you no longer intend to share the file with someone outside the institution, remove the unnecessary permissions.

Redacting a Digital Document

Properly redacting information in a digital document requires more than hiding text by covering or highlighting the PII with a black box; the underlying text must actually be removed.

If you receive a message that a document you tried to send or share contains PII, open it and perform a search using the PII identified in the warning. If the text is found, the PII was simply covered, not redacted.

Although MS Word provides no acceptable redaction method, Adobe provides detailed instructions on how to remove sensitive information from PDFs.
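The manual check described above can be automated once the document's text layer has been extracted. The following is an added example, not part of this procedure or any ITS tool; it assumes the text has already been pulled out of the PDF with an extraction library, and the sample text is constructed for illustration.

```python
import re

# Constructed sample: the text layer of a document that was "redacted" only by
# drawing a black box over the SSN, so the value still survives in the text.
SAMPLE_TEXT = """Employee record
Name: [REDACTED]
SSN: 219-09-9999
Reference code: 000-12-3456
Order number: 900-45-6789
"""

# Shape of a U.S. Social Security number: NNN-NN-NNNN on word boundaries.
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")


def plausible_ssn(area, group, serial):
    """Apply the structural rules the SSA publishes for issued numbers.
    Area 000, 666 and 900-999, group 00 and serial 0000 are never issued,
    which filters out the kind of false positive a DLP scanner can raise."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return int(group) != 0 and int(serial) != 0


def find_ssn_candidates(text):
    """Return every NNN-NN-NNNN token found, paired with a flag that is True
    when the value is a plausible SSN and False when it only looks like one."""
    return [(m.group(0), plausible_ssn(*m.groups()))
            for m in SSN_RE.finditer(text)]


def redaction_verified(text, flagged_values):
    """Mimic the manual check: search the document text for each value named
    in the DLP warning. True only when none of them can still be found."""
    return not any(value in text for value in flagged_values)


if __name__ == "__main__":
    for value, plausible in find_ssn_candidates(SAMPLE_TEXT):
        print(value, "plausible SSN" if plausible else "likely false positive")
    print("redacted:", redaction_verified(SAMPLE_TEXT, ["219-09-9999"]))
```

If `redaction_verified` returns False, the value was covered rather than removed and the document must be redacted again before it is shared.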

Securing File and Folder Shares in OneDrive

To ensure access to PII is being properly restricted from within OneDrive, see Information Security Procedure for Sharing Files and Folders.

Non-Business Related Activities and Personal Accounts

District information and technology resources should not be used for personal activities unrelated to appropriate District functions (including commercial use), except in an incidental manner (Administrative Regulation 3720).

Users should be aware that all communications conducted on or from District systems, whether electronic or otherwise, are subject to review and disclosure as outlined by the California Public Records Act, current case law, and other Federal and/or State laws and regulations. Therefore, users should exercise extreme caution in using electronic communications to communicate or store information of a confidential or sensitive nature (Administrative Regulation 3720).

Using District systems to transmit personal taxes, refinance forms, medical verification forms, or anything else containing your confidential information puts you at risk should your account, or the account of the business you deal with, become compromised.

Personal accounts used while conducting business may be subject to discovery in response to a request for production in a lawsuit or investigation.