<<Back to Google Apps at Pepperdine

Google Apps, Drive, Sites, Email Information Security Standards

You are personally responsible for how you share University information you place in Pepperdine Google Drive and Apps. You should not use personal Google accounts to do University work.

Google Drive, Apps, and Email are great tools for collaboration and sharing. Sharing should be done securely according to the classification of the information. Use these guidelines to share securely and contact the Information Security Office for consultation or training on security for your business processes.

Google Apps, Drive, Sites, Email Information Security Standards

What Kind of Information is Allowed in Google Apps?

Information Classification

What Can You Put in Google Apps?

Information Policy Grid

How to Secure Confidential Information in Google Drive?

Sharing Options Appropriate for Confidential Information in Drive

(Learn how to change the Sharing Options in Google Drive)

How Good is Google Apps for Education Security?

Is Google Reading or Ad-search indexing Pepperdine Email and Documents?

What are the Google Role Permissions Settings in Google Drive?

Role Permissions Settings:

Owner Privileges:

Can I Share Documents with Colleagues Outside of Pepperdine?

How to make this change in a Google follow these steps:

Can I Remove a User’s Access to a Document?

Can I share my Pepperdine password to let others access email or calendar?

Can I share a generic/department account password with others?

Can I Use My Personal Gmail or Drive Accounts to do University Business?

References

How to Change the Sharing Options in Google Drive

What Kind of Information is Allowed in Google Apps?

At Pepperdine, information is classified in three different categories Public, Confidential, and Restricted information. It is important to know the differences among these categories in order to know what can and cannot be placed in Google Apps. (To read more on classifications of information in Pepperdine's policy, please visit: http://community.pepperdine.edu/it/security/ )

Information Classification

Information is classified in order to apply the necessary precautions to protect that data from being inappropriately shared or lost, thus ensuring the integrity of the University.

Classification

Examples

Public

  • Maps
  • Directory information        
  • Email addresses
  • Campus wide ID
  • Course catalog
  • Event notices

Confidential

  • Email messages
  • Business records
  • Educational records

Restricted

  • Unencrypted passwords
  • Social security numbers
  • Credit card numbers
  • Health records

 

^Back to top

What Can You Put in Google Apps?

Information Policy Grid

Google App Service:

Classified as

Public

Classified as

Confidential

Classified as

Restricted

Drive & Docs

Allowed

Permitted with user and specified group access only

Forbidden

Email/Gmail

Allowed

Permitted with user and specified group access only

Forbidden

Sites

Allowed

Permitted with user and specified group access only

Forbidden

Summary: Never put information classified as Restricted into Google Apps. Information classified as Confidential is permitted if it is only shared with persons who need to know the information and is password protected for its users and groups.

How to Secure Confidential Information in Google Drive?

Google Drive allows you to create documents, presentations, and forms as well as store items such as .jpeg, .pdf, and audio or video files. Google Drive offers a few sharing settings to help you to share your content in your Drive.

Important: Knowing these sharing options is important to protecting the content in your Drive and important to appropriately share Confidential information with your colleagues while preserving trust in the University.

By default, all documents or files saved in Drive are set to Private for your NetworkID only.

Google Drive Sharing Options:

^Back to top

Sharing Options Appropriate for Confidential Information in Drive

(Learn how to change the Sharing Options in Google Drive)

Sharing Option

When to use this option

What this option does

Private - Only people explicitly granted permission can access. Sign-in required.

Recommended

This option keeps the doc/file private to the owner of the document and to those the owner of the document specifies the file can be visible to.

This will require users to enter their Pepperdine NetworkID and Password to access the information. The owner of the document can also list a Google Group that contains only the appropriate Pepperdine users.

People at Pepperdine University with the link - People at Pepperdine University who have the link can access.

Permitted when appropriate

This will require users to enter their Pepperdine NetworkID and Password to access the information.

Remember: Before selecting this option ask yourself is the information a need-to-know for all faculty, staff, and students at Pepperdine?

Pepperdine University - People at Pepperdine University who have the link can access.

Permitted when appropriate

This will require users to enter their Pepperdine NetworkID and Password to access the information.

Remember: Before selecting this option ask yourself is the information a need-to-know for all faculty, staff, and students at Pepperdine?

Anyone with the link - Anyone who has the link can access. No sign-in required.

Never with this class of information

This option bybasses the required password security.

Public on the web - Anyone on the Internet can find and access. No sign-in required.

Never with this class of information

This option bybasses the required password security.

NOTE: When documents or files are moved into a shared folder (folders within Google Drive that are shared with a specified group of users) those files will adopt the same sharing setting of the shared folder. Be sure to check a file’s sharing permissions when you move it from folder to folder to ensure the proper sharing setting are engaged.

^Back to top

How Good is Google Apps for Education Security?

The systems that make up Google Apps for Education are as secure as Pepperdine University’s best local systems, if not more so. You are the key to security and ensuring the appropriate documents are shared to the appropriate people will preserve the trust in the University.

Is Google Reading or Ad-search indexing Pepperdine Email and Documents?

No. Google Apps for Education (GAFE) terms do not permit ads. As in contrast to commercial Google Apps instances, all indexing done by Google in GAFE is private to our organization’s individual users (e.g. to allow you to search your documents folders or inbox). Find out more about Google Apps privacy and security in their overview document.

What are the Google Role Permissions Settings in Google Drive?

In Google Docs the owner of a document or file has the ability to share his or her file with colleagues or a group of people as well as determine what their colleagues can or cannot do with the file this is called Role Permissions.

Role Permissions Settings:

The owner of the document/file can dictate the roles of other users. The owner can choose one of the following roles for each of the users he or she has share their document/file with:

Role

Permissions

Is owner (default setting if you created or uploaded the file to Google Drive)

The original owner of the document can transfer ownership to another user. The new owner can then dictate the roles of all the shared users.

Note: Only the owner of a document/file in Google can change the Role Permissions Settings. There can be only one owner for each document/file.

Can edit (default setting for those users you share the document/file with)

This user can view, edit and comment in the document/file. These users can also add or change users of that document.  These users can change roles of other users of the document, however, they cannot change the owner of the document.

NOTE: These users can also change the Sharing Option covered in the previous section. Be sure these users know the University’s policy on Public, Confidential, and Restricted information.

Can comment

This user can view and comment in the document/file, but cannot make changes/edit it.

Can view

This user can only view the document/file.

^Back to top

Owner Privileges:

As owner, you are able to dictate who can own, edit, comment, and view your document/file. The owner as well as the editors (those who are marked as Can edit) can change the Sharing Options of the file. Be sure these users know the University’s policy on Public, Confidential, and Restricted information.

The owner does have the ability to block all shared users from changing any of the Share Options or Role Settings. When sharing a document a owner can choose one of two choices:

Owner’s choices

What it means

Editors are allowed to add people and change the permissions. (default setting)

Editors have full control to add and remove people and change the visibility of the item. Only the owner can delete the item.

Only the owner can change the permissions.

Editors cannot add or remove people or change the visibility of the item.

^Back to top

Can I Share Documents with Colleagues Outside of Pepperdine?

When it is appropriate to share information with colleagues outside of Pepperdine it is permitted. Owners of the file/document should consider choosing the “Only the owner can change the permissions” choice in the Share Settings.

How to make this change in a Google follow these steps:

  1. Click on the blue “Share” button in the upper right hand corner of your the Google document or file.
  2. A “Sharing Settings” screen will pop up. At the bottom of the screen above the blue “Done” button locate the sentence “Editors will be allowed to...
  1. Click on the [Change] link.
  1. The following screen will pop up. Choose “Only the owner can change the permissions” and click save. Now only the owner of the document will be able to add users or change visibility options.

^Back to top

Can I Remove a User’s Access to a Document?

Just as with LAN file shares (e.g. S:drive), once a person has access to a document, they can copy it to their personal computer. You can remove access to the share, but you can’t take back any documents that your collaborator has sync’d or download.

Can I share my Pepperdine password to let others access email or calendar?

No. It is not necessary to share your password to share any of these things. See 'delegation' in the Google Apps Help center, linked from google.pepperdine.edu.

Can I share a generic/department account password with others?

No. In fact, you don't need to know the generic account password yourself. To share a generic or department email or calendar or files contact the Help Desk for assistance in getting started. Some aspects you can manage directly (e.g. delegating calendar permissions) and some you will need IT assistance (delegation for a generic email account).

Can I Use My Personal Gmail or Drive Accounts to do University Business?

While many people access their consumer Gmail and Drive accounts for personal reasons during the workday, this is not a reason to use a personal account to handle work or store University data. Use of personal email and cloud storage for handling University business or records is strongly discouraged as it removes University control from its data.

References

  1. http://it.stonybrook.edu/help/kb/controlling-google-docs-editing-permissions
  2. http://its.ucsc.edu/google/security.html
  3. http://its.ucsc.edu/google/docs/card.pdf

How to Change the Sharing Options in Google Drive

  1. Click on the blue “Share” button in the upper right hand corner of your the Google document or file.
  2. A “Sharing Settings” screen will pop up. Click on the Change... link beneath the title “Who has access”

  1. The following screen will pop up. Based on the classification of your document or file choose Private, People at Pepperdine University with the link, Pepperdine University, Anyone with the link, or Public on the web.
  1. Refer to the section on information classification to find out which setting to use for your document or data:

^Back to top