Using Microsoft Teams with sensitive data

Description

Teams is approved for use with sensitive data; however, it is the responsibility of the Team Owner(s) to ensure that the principle of least privilege is followed when granting access.

Environment

Mac, PC, web browser, mobile app

Solution 

Membership in Teams and Chats

• Grant each individual only the access they need to complete their job duties and no more.

• Owners of a Team or Chat that is intended to be utilized for the sharing of sensitive data are responsible for ensuring that membership is limited to individuals who have a justifiable business need to access that data.

File sharing outside of Teams or Chats

• Owners and Members of a Team or Chat are not permitted to share files containing sensitive information outside of the Team or Chat unless there is a justifiable business reason.

• Any Member who has a need to share a file outside the Team or Chat must make the Owner aware of the business case and potential recipient(s).

• Document collaboration within Teams should be done within the cloud, not on local devices. Examples of acceptable cloud collaboration methods include:

  • Built-in document viewers in Teams

  • Browser-based versions of Office clients like Word, Excel, and PowerPoint

• Do not download a file that contains sensitive data from Teams onto your device or onto removable media.

Multi-factor authentication required

For units utilizing Teams to collaborate with sensitive information, Owners, Members and any individual that needs to access sensitive information within the given Team must enable multi-factor authentication for all University services.

Recordings, Transcriptions, and Screen Captures

Screen capture, recording, or automated transcription of meetings, chats, or screen sharing within units utilizing Teams for collaboration with sensitive data is not recommended.  
 
When considering recording meetings that discuss HIPAA, FERPA, ITAR or other regulated/sensitive data types it is recommended that the meeting owner consult with the Information Security Office to ensure appropriate data handling.

Outcome: You should now know how to use Microsoft Teams with Sensitive Data.

Get help from OIT

• Visit the Microsoft Teams page to create a ticket

• Visit the Help and Resources article for further assistance with Microsoft Teams

• Visit the Technology Resources and Training page for an OIT training

• Visit the Information Security page for more information on appropriate data handling