Skip to Main Content

Information Security Information Resources & Technology

Support Page Content

Secure File Storage & Sharing

Where should I store this file?
How do I know if my file contains protected data?
What happens if this information gets into the wrong hands?

There's a lot to consider about proper file storage and sharing when sensitive Level 1 or Level 2 data is involved. Campus relies more than ever on a hybrid model of on-site resources and cloud-based services to store and share information, which can leave us open to information security breaches.

First, let's cover what is considered Level 1 and Level 2 data, and then which solutions you need to use to securely store and share your files, whether on or off-campus.

Data Classifications

Part of secure file storage and sharing is knowing what the data you're working with is, and then where it should be stored. But what qualifies as confidential Level 1 data, and why do they require different sharing and storage solutions? The simple answer is compliance and information security.

For most of us, this helpful at-a-glance chart covers the most common protected data types and distinguishes between Level 1 versus Level 2 data. If you often work with sensitive Level 1 data, be sure to review all data classification and protection policies and standards.

Level 1 & 2 Data Infographic
Information Security Policies, Standards & Tools

File Storage/Sharing Solutions

From campus-managed solutions to cloud-based storage and sharing tools, file types - and the data those files contain - matters. For instance, if you're working with Level 1 data, privacy and compliance requires that you only use a secure storage and sharing solution. Here are some other questions to consider:

  • What kind of security does my file need? Does it contain Level 1 or Level 2 data?
  • How many records are there? (A file with 500 records of Level 2 data needs to be treated the same as Level 1 data)
  • How large are the files I'm sharing?
  • Does it need long-term backup?
  • Will I need to share a document with someone outside of the University?

What Tool to Use?

Microsoft OneDrive is the recommended storage and sharing tool for most use cases, but not for Level 1 data.

The following chart provides an overview of supported tools and processes based on data type. Outside storage and sharing sources (such as Dropbox) which are not supported by campus should never be used.

Solution  Faculty Staff Student Level 1 Data Level 2 Data On Campus Sharing Off-Campus Sharing
Cloud-Based Storage & Sharing
Microsoft OneDrive & SharePoint
Individuals and syncing between devices
Learn about OneDrive		  ✔  ✔  ✔    ✔   ✔
Microsoft Teams
Group communication, storage, and collaboration
Learn about Teams		  ✔  ✔  ✔   ✔   ✔  ✔
Campus-Managed Storage & Sharing
N: Drive (Shared)
Departments/divisions
Request a Shared Folder		  ✔  ✔      ✔  ✔  
P: Drive (Project)
Cross-functional teams
Request a Project Folder		  ✔  ✔      ✔  ✔  
SacFiles Secure
Storing/sharing confidential data
Request a SacFiles Folder		  ✔   ✔     ✔   ✔   ✔  
Share Level 1 Data off-campus? GoAnywhere Secure Mail  ✔   ✔     ✔       ✔ 

Data Security Tools

Beyond the due-diligence of every campus member, a significant part of our cloud storage security processes are tools and internal audits that support compliance, help identify and mitigate potential risks, and reduce or eliminate information security breaches.

Purview DLP by Microsoft

Purview DLP by Microsoft is an automatic data protection tool that helps ensure that files containing Level 1 data housed within Microsoft 365 tools are stored properly and securely. Think of it like a "Roomba for cloud file storage." Purview DLP will automatically notify you if a file needs to be moved to a secure storage location.

How Microsoft Purview DLP Works

What if My File is Flagged?

To locate/move a file Microsoft DLP has flagged:

  1. Login to Microsoft 365 with your Sac State credentials
  2. Type in the name of the file into the search box
  3. Move the file to a secure storage destination (like OneDrive or other recommended/supported source)

False Positives

On occasion, Microsoft Purview DLP scans may return a "false positive" - meaning a flagged file may not actually contain Level 1 data. If you think your file has been flagged in error, you can override the alert by providing a justification.

Identity Finder/Spirion

Every University-managed workstation/device includes Identity Finder (also known as Spirion), a scanning software you manually run to locate any sensitive data saved locally on your device.

Learn More About Identity Finder

Sensitive Data Inventory Survey

An important part of supporting CSU and industry data privacy policies and standards is educating and regularly evaluating campus-wide data security hygiene involving protected Level 1 and Level 2 data.

On a biennial basis, select administrators and/or staff from each campus department completes the Sensitive Data Inventory Survey to help document how their area manages and stores records containing sensitive data elements, with the goal of providing an important baseline for managing sensitive data moving forward.

How to Prepare

  1. Review the Data Classification and Protection Standard.
  2. Take Inventory/Document
    Whether paper or electronic, sensitive Level 1 and Level 2 data may exist in many forms and locations. It's helpful to create lists of these assets before taking the survey, answering these questions: "what data do we have, where it is located, and who has access to the data?" At the end of the survey, there is a prompt to upload your list.
  3. Review Data Categories Covered in the Survey:
    Personally Identifiable Information (PII) including SSN numbers, DOB, or Drivers' License
    Private Key (digital certificate)
    Psychological counsel records
    Electronic signatures (not including Acrobat Sign)
    Forms of national and/or international ID
    Passwords or credentials
    Credit or debit cardholder data
    Healthcare information
    Law enforcement information
    Employee/Student/Alumni/Job Applicant/University Donor information
    University research
  4. Preview the Survey Questions.
    We've provided the survey questions in advance to help you prepare. For efficiency, please consider organizing/consolidating a single survey response for each logical business unit with your division. Note: This survey can be delegated to another manager or support staff to be completed for your area.

View 2023 Survey Questions

Take 2023 Sensitive Data Inventory Survey

Get Support

Need help on where to start or what's needed to complete the survey?

Join Zoom Drop-in Support

Or contact Brad Grebitus our Desktop and Client Security Lead.

Get Support

Unsure what storage or sharing option is best for the type of information you're working with?

Contact the IRT Service Desk Team at servicedesk@csus.edu or 916-278-7337 during open hours.