using-cloud

Using Microsoft Office 365 securely

Government staff are responsible for checking the applications they use are secure. This guidance will help you use Office 365 to communicate and collaborate securely with colleagues.

Office 365 is a suite of cloud applications for productivity, communication and collaboration. It includes a number of applications including Outlook, Skype for Business, SharePoint, Office Online, Teams, and Yammer.

Unlike other SaaS applications your Office 365 account is likely to be managed centrally, with security policies applied and training and support provided. Much of this guidance still applies in this case, and if you sign up for an Office 365 account independently of your organisation.

Securing your account

Secure your Office 365 account by using:

• a password made up of 3 random words
• two-factor authentication
• a secure (HTTPS) connection and a modern browser

Tell your Office 365 administrator if you:

• think someone may have accessed your account
• lose a device that can access your Office 365 account

You should also reset your password.

Protecting your data

To protect your data when using Office 365, make sure you:

• speak to your security team to find out what your can store in Office 365 - it should be clear where to store sensitive, personal, or other high value data (like commercial or financial information) that could cause harm or embarrassment if lost or exposed
• limit sharing on a need to know basis and know who you are sharing with
• use features like private channels in Teams when you need to control access

When using Office 365, you should also be aware that content, including archived or private content, can be:

• disclosed publicly under the Freedom of Information Act
• exported and viewed by Office 365 administrators and information managers, including private messages and documents
• subject to legal requests to share data by courts, government agencies, or parties involved in litigation in the US

Microsoft have signed up to the EU-US Privacy Shield which requires them to follow European data protection requirements for personal data for their European customers. You own the data you put in Office 365, and their technical security is similar to other popular public cloud services.

Managing information

You must record or summarise important work in a permanent record at regular intervals or at the end of a piece of work.

Make sure you don’t lose content by:

• creating a permanent record of shared information at regular intervals or at the end of a piece of work
• using your document storage or email service to capture important discussions or decisions (name the data so it can be found later)

Getting started

Ensure your account looks official and similar to other government Office 365 accounts by:

• using a recognisable profile photo
• adding profile information to help people find you

Getting help

For help using Office 365, you can use their getting started guide.

Microsoft offer support through a:

• support page
• status page

You should also get help from your internal IT team.