Carnegie Mellon University

Secure File Sharing

Carnegie Mellon University offers many services that facilitate collaborative work with partners of the university, as well as within the university’s various departments. File sharing services provide convenient methods of electronically transferring data and sharing files for work purposes. However, if done incorrectly, file sharing can leave data and files vulnerable to access by unintended persons. Extra precautions are necessary to ensure that data is shared with authorized users only. Before sharing, review and classify the data by following the Guidelines for Data Classification to determine whether it contains confidential or private Institutional Data and whether any sharing restrictions are currently in place.

You should also be aware that sharing copyrighted files is a violation of U.S. copyright law. If you have any questions about whether the materials in the folders you are sharing are copyrighted, determine whether they are, who the copyright owner is, and whether you have the copyright holder's permission to share those files before turning on file sharing. Visit the Digital Copyright and DMCA webpage to learn more about copyright law.

The following are best practices for sharing electronic files and data securely. Additionally, you can review how to securely use each file sharing service licensed by Carnegie Mellon University in the sidebar.

Share With Care

  • Use a university-licensed file sharing service where possible to share and access files.
  • Limit file sharing access to only the individuals that need to have access to the file.
  • When inviting other collaborators to a file or folder, set the access level appropriately for the intended use of the shared file. Setting the shared file invitation as “Viewer” is the most restrictive, while “Co-Owner” is the least restrictive.
  • Do not expose restricted information when naming a file, in a note to the recipient, or in text appended to the notification subject line. Refer to Appendix A of the Guidelines for Data Classification for a list of Predefined Types of Restricted Data.

Removing Access

  • When individuals no longer need access to a file, remove their access immediately.
  • Set expiration dates to limit sharing for a finite period on individual files and folders.
  • Prior to separation from the university, or a change in job role and/or function, ensure that ownership of folders and files is transferred to a supervisor or manager.