What classification of data can be stored in OneDrive for Business?

Any classification of data can be stored in OneDrive for Business; however, it is not the appropriate storage location for institutional records.

Data classification/categorization information can be found in the Information Security Handbook, under section 7.3.

In general, storage of information must adhere to institutional policies and standards for protecting information, including physical security. The protection of information must be commensurate with the value of the information (e.g., category I requires the highest level of security; therefore, no unauthorized sharing, access, or use of the information is allowed).

In regard to the exchange of information:

  • Services provided by a third party must adhere to institutional requirements for protecting information. Microsoft meets this requirement with its implementation of OneDrive for Business.
  • Information exchanged within the institution must be exchanged in a secure manner.

In regard to mobile devices:

  • All institutionally owned laptops must be encrypted, and category information can be stored on mobile devices as long as encryption technology is enabled on the device. If no encryption is in place, the information cannot be stored on the device.

In regard to backups:

  • Backup processes must protect the confidentiality, integrity and availability of stored information.

In regard to who can store information, it is up to the information owner to make that decision, as they approve access to their information. Users must adhere to institutional policies and standards for protecting information when accessing resources and information remotely.

In summary, regardless of the technology used to store information, institutional policies and standards must be followed to ensure its protection.