Educause Security Discussion mailing list archives

Re: O365 A1 and OneDrive


From: David D Grisham <DGrisham () SALUD UNM EDU>
Date: Wed, 31 Oct 2018 15:39:48 +0000

I didn't see an answer to Michael Schalip's post about anyone moving to O365 & OneDrive in a Health Science Center. 
Further, if you have a hospital or hospital system that will be in the same network as the Health Science Center did 
you include the healthcare components or just education and research?
We are concerned about securing the healthcare component's email systems.
Cheers.-grish David Grisham
David Grisham, PhD, CISM, CRISC
Manager, Cybersecurity, UNM Hospitals, UNM Health Science Center
505.272.5657  Dgrisham () salud UNM edu




From: The EDUCAUSE Security Community Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Patricia Malek
Sent: Wednesday, October 31, 2018 8:26 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] O365 A1 and OneDrive


Aaron,

Your matrix is very helpful.  Just a follow up question regarding sensitive data that falls under the umbrella of 
FERPA, GDPR or GLBA, do you have controls in place to prevent downloading of sensitive data to non-authorized storage 
such as local hard drives of personal computers?

Thank you.

Patricia Malek, CISSP, GSEC
Director of CyberSecurity
Technology Services
pamalek () loyola edu

www.loyola.edu/informationsecurity



From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Baillio, Aaron
Sent: Wednesday, October 31, 2018 9:28 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] O365 A1 and OneDrive

We're also on an A1+ license and have allowed faculty and staff to use OneDrive for almost 3 years now.  We developed a 
data matrix that shows what types of data can be placed in which locations.  
http://www.ou.edu/content/dam/IT/security/Docs/CloudStorageMatrix.pdf

We also got a CASB in place to do malware/DLP and UEBA.  It's been invaluable and puts the lawyers at ease about using 
these locations for certain data types because we can monitor for it.

B. Aaron Baillio, Sec+, CEH, CISSP
University of Oklahoma, Information Technology
Deputy CISO
O: 405-325-7948
C: 254-400-6404

From: The EDUCAUSE Security Community Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Childs, Aaron
Sent: Wednesday, October 31, 2018 7:51 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] O365 A1 and OneDrive

Good Morning Brent,

Unfortunately no.  It does not appear you can target an audience for DLP.  That would be a nice feature request for 
Microsoft.  Our entire campus is in the same instance.

Have a good day,
Aaron

Aaron Childs, Director


Infrastructure Services
Information Technology Services
Wilson Hall - 577 Western Ave. Westfield MA 01086
P  413.572.5527   F 413.572.5615
aaron () westfield ma edu



From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Haselhoff, Brent
Sent: Wednesday, October 31, 2018 8:42 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] O365 A1 and OneDrive


Aaron,

Were you able to set up different DLP policies for Faculty/Staff vs. students?  Or are your faculty/staff on a different 
instance from your students?
Thanks
Brent

Brent Haselhoff
Manager, IT Security and Identity Management
brent.haselhoff () wku edu
270-745-2012

From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Childs, Aaron
Sent: Wednesday, October 31, 2018 7:28 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] O365 A1 and OneDrive

Good Morning William,

We have slowly allowed our Faculty and Staff to use OneDrive.  We give them a preamble of what they can and cannot save 
on the OneDrive before assigning the license.  In addition to that we have enabled a couple of Data Loss Prevention 
policies in the Security & Compliance Admin Center.  So far it works well.  We get an email notification if someone 
violates the policy.  You can also change the sharing settings in the OneDrive Admin Center to control how your faculty 
and staff can share files.

Have a good day,
Aaron

Aaron Childs, Director


Infrastructure Services
Information Technology Services
Wilson Hall - 577 Western Ave. Westfield MA 01086
P  413.572.5527   F 413.572.5615
aaron () westfield ma edu



From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Ferland, William
Sent: Tuesday, October 30, 2018 5:06 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] O365 A1 and OneDrive



Everyone - I apologize.  The question is in regard to OneDrive, not OneNote.

________________________________
From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> on behalf of Ferland, William <wferland () CCRI EDU>
Sent: Tuesday, October 30, 2018 4:17 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] O365 A1 and OneNote


Hello everyone,

We have just migrated our faculty and staff to the O365 A1 Education Plan and are now looking at what level of OneNote 
access permissions to provide users.  I have some anxiety relative to data security and how we proceed.

Any experience/advice/concerns you can share would be greatly appreciated.

Thanks.

Bill

William Ferland
Director of IT Operations and Information Security
Community College of Rhode Island
400 East Road
Warwick, RI  02886