Remediation of HSD in Email (O365)

Table of Contents

1.  Purpose and Background
2.  Procedures
     a) User Remediation of HSD Found in ITS Office 365
     b) Departments Not Utilizing the ITS O365 Tenant
3.  Definitions
4.  Related Links
5.  Further Guidance
6.  Exceptions

1. Purpose and Background

To maintain the privacy and security of confidential personal information and other highly sensitive data, the University enacted the UVA Data Protection of University Information (IRM-003) policy and its related standards and procedures.
The UVA IRM-003 policy and the University Data Protection Standards (UDPS) require that highly sensitive data (HSD) not be stored in general purpose file storage locations such as Microsoft OneDrive, SharePoint, or UVA Box or transmitted via unencrypted email.  The UDPS also requires scanning for and remediation of HSD in these locations.  

Information Technology Services (ITS) enabled Microsoft’s Office 365 Security and Compliance Center Data Loss Prevention (DLP) scanning policies to detect HSD found within its Office 365 tenant.  This procedure outlines the responsibilities of users and departments of the University to remediate HSD found in email systems, especially the ITS-managed Office 365 tenant. 
This procedure and any associated standards and policies apply to all non-student users.

2. Procedures

User Remediation of HSD Found in ITS Office 365 

DLP policies within the ITS-managed O365 tenant automatically email notifications to users who store or transmit HSD when:

  • Emails with HSD are sent/received (including attachments) in O365 Email.
  • New files with HSD are uploaded to OneDrive and/or SharePoint. 
  • Any file with HSD is transferred to a new owner within OneDrive and/or SharePoint.

Users who receive this notification must:

  • Review the notification and determine whether the identified item(s) are highly sensitive data. If they are HSD, users must either:
    • delete all copies of the email or file AND empty the trash or 
    • securely move it to an approved and appropriate secure server.  
  • The Electronic Data Removal Procedures provide details regarding removal of HSD.

Initially, ITS-managed Office 365 DLP scans for Social Security Numbers (SSNs) and credit card numbers.  Additional types of HSD may be added to these scans. 


Departments Not Utilizing the ITS O365 Tenant

All departments or units of the University utilizing non-ITS Office 365 (O365) tenants or other email servers must develop and implement a Data Loss Prevention (DLP) scanning procedure that is consistent with this procedure and approved by the University Information Security office.  These departments must contact University Information Security to request review of their non-ITS managed DLP solutions prior to deployment.

3. Definitions

See the list of definitions for the Acceptable Use, Data Protection, Information Security, and Privacy & Confidentiality policies.

4. Related Links

5. Further Guidance

6. Exceptions

If you cannot meet this procedure’s requirements, you must use the policy exception request process.

APPROVER: Chief Information Security Officer