We helped the university reduce accidental exposure, meet FERPA and HIPAA requirements, and improve awareness.
Overview
One of the top private universities was aiming to upgrade how its community worked and learned together. With almost 500 staff, teachers, and researchers, they rolled out Microsoft 365, bringing in tools like SharePoint, OneDrive, Exchange Online, and Teams to make daily work smoother and more connected. We helped the university gain control over sensitive data without disturbing collaboration. Our team worked closely with IT leaders to reduce accidental data sharing and build a secure, compliant environment.
Challenges
- Growing pressure to protect student PII, health records, and sensitive research data without slowing down collaboration.
- The environment previously failed to fully meet the strict compliance requirements of FERPA and HIPAA.
- Frequent accidental data sharing via email, Teams, and cloud storage posed a high risk of exposure.
- Faculty and staff lacked awareness of data sensitivity, leading to uncontrolled file sharing.
- Collaboration on research sites led to instances of confidential academic data exposure.
- IT teams had little or no visibility into whether social security numbers, grades, or health details were leaving the system.
- The absence of centralized Data Loss Prevention (DLP) controls made it difficult to implement consistent policies across the Microsoft 365 environment.
Our Solutions
Designed a phased approach that balanced compliance, security, and user adoption. The roadmap ensured sensitive data was discovered, policies were aligned to regulations, and staff were guided through a proper transition.
Phase 1: Assessment
Worked with IT, compliance, and academic leaders to understand risks and identify sensitive data types such as SSNs and health records, then used Microsoft Purview tools to map where this data lived.
Phase 2: Policy Design
Created DLP policies for FERPA and HIPAA compliance, set up sensitivity labels, and built policy tips that educated users before enforcement to encourage awareness.
Phase 3: Pilot
Tested the policies in audit mode with a department, gathered feedback on false positives, and fine-tuned the thresholds and exceptions to ensure accuracy.
Phase 4: Rollout
DLP policies were expanded across all 500+ users, with blocking for high-risk data, overrides for research collaboration, and training sessions for faculty and staff.
Phase 5: Monitoring & Optimization
Set up continuous monitoring in the Purview Compliance Portal, quarterly reviews with IT and legal, and added new policies as research and compliance needs evolved.
Business Value Propositions
- Clear visibility into sensitive data transactions across Exchange, Teams, SharePoint, and OneDrive.
- Accidental data leaks reduced by nearly 80% within the first 3 months.
- Faculty and staff awareness strengthened through real-time policy tips.
- Compliance readiness achieved for upcoming FERPA and HIPAA audits.
- Detailed reporting simplified compliance reviews.
Final Perspective
We helped the university move to a safe and compliant environment and helped everyone adapt to audit-only mode and permitted overrides. This solid base lets the university expand DLP as a safe and secure support system and prepares it for future research and compliance difficulties.