Microsoft 365 Security Policy

*Formerly the SharePoint Online Security Policy

Boston University Microsoft 365 managed apps are approved for accessing, storing, and processing Confidential and Restricted Use Information

Microsoft 365 is Microsoft’s cloud-based offering of a number of services, including SharePoint. Boston University’s Information Services & Technology (IS&T) maintains a tenant in Microsoft 365, through which it offers departments, research groups, and others the opportunity to request and manage their own SharePoint site collections. Boston University has approved the following managed Microsoft apps within BU’s tenant for storing Confidential and Restricted Use Information (including HIPAA data, though subject to change by Microsoft):

• Access Online, Customer Lockbox (extra cost), Exchange Online, Forms, Teams, Office 365 Microservices (including but not limited to Sway, Power Automate), Office Online, Office Pro Plus, OneDrive for Business, Planner, Power Apps, Power Bi, SharePoint Online, Stream

The basis for this policy begins with our agreements with Microsoft regarding security in their data centers, some of which is described in the Office 365 Trust Center. But that security must be preserved and extended through the awareness, choices, and actions of each local site collection administrator. Everyone responsible for maintaining security, such as promptly removing team members when access is no longer required, within any Microsoft app should refer to our guidance at Configuring Security in Microsoft 365/SharePoint Online. This is particularly important before beginning to use a site to store Confidential or Restricted Use Information.