Collaboration platform (Microsoft Teams) guideline

Document type: Guideline
Version: Final v1.0.1
Status: Current
Owner: QGCDG
Effective: June 2020–current
Security classification: OFFICIAL-Public

Introduction

To ensure consistency and interoperability in a federated environment, the Queensland Government will use Microsoft Teams (Teams) as the primary platform for collaboration within and across the Queensland public service. This will allow the Queensland Government to realise savings through leveraging whole-of-government procurement arrangements and shed light on the comparative risks associated with using the chosen platform.

Purpose

This guideline provides information and advice for Queensland Government departments to consider when implementing the Collaboration platform (Microsoft Teams) policy. These guidelines are intended to provide relevant subject matter experts with the high-level information necessary to adopt O365 and the associated Teams capability, and to understand the associated risks. These guidelines are for information only, and agencies are strongly recommended to further investigate any obligations in light of their own business requirements and to seek expert advice where necessary.

Audience

This document is primarily intended for Queensland Government O365 administrators and security staff.

Scope

Use of Teams within and across the Queensland Public Service is in scope of this guideline.

Information related to choosing tools and platforms for collaboration and communication with external users (e.g. when engaging with the public as part of service delivery) is outside the scope of the guideline. However, this does not exclude agencies from considering the use of Teams for external use.

What is the current contractual arrangement for O365?

All core departments are contractually covered to operate Microsoft Office 365 Teams under the following arrangements:

  • Microsoft Products (including Online Services) (ICTSS.1305)
  • Provision of Microsoft Products and Associated Licensing Solution Partner Services (ICTSS.1308)
  • Microsoft licences individually owned by Queensland government agencies and entities.

The contractual arrangements are available for all budget funded agencies and all eligible entities described in ICTSS.1305.

Please note the above arrangements were made under the previous Government Information Technology Contracting (GITC), not the more recent Queensland Information Technology Contracting (QITC). It is expected that agencies use the core functionality of Teams as the primary platform for all intra- and inter-agency collaboration, including instant messaging, ad-hoc voice/video calls and audio/video meetings, and other associated online services.

Agencies need to enable Teams within the agency's tenant combined with the installation of the appropriate Teams client on the department managed devices.

Teams is included as part of the Whole of Government Office 365 arrangement and as such has no additional licensing cost for agencies to implement.

For best configuration guidelines and practices for the implementation of Teams Federation, agencies should contact qgea@qld.gov.au.

Key security considerations for video conferencing

Large numbers of people turn to video-teleconferencing (VTC) platforms like Microsoft Teams and Zoom to stay connected and maintain business as usual (BAU) while working remotely. The aim is to facilitate cross collaboration at the executive, staff and student levels. It is likely, when organisations increase their use of these VTC apps, both externally and internally, it will increase the risk of exposing sensitive information and breaching privacy laws. Cyber threat actors are also using this as an opportunity to diversify their avenues of exploitation.

Comparative risk analysis: security and privacy concerns

As with all technology investments there are risks associated with using Teams. Considerations specifically around security, privacy and data being stored offshore should be understood. The current GITC agreement with Microsoft covers the online services and was created at a time when all services were offshore. Additional clauses referring to section 33 of the Information Privacy Act 2009 (Qld), parts 1 and 3 of Chapter 2 of that Act, and the Australian Privacy Principles as set out in the Privacy Act 1988 (Cth), have been contractually agreed with Microsoft.

The comparative risk of using Teams with the existing contractual protections has been factored into the development of this guideline. Specifically, some key provisions in ICTSS.1305 and ICTSS.1308 include:

  • Privacy and disclosure of personal information: consent has been provided to the transfer outside of Australia of any personal information uploaded to the Online Services. This is subject to restrictions on transfer to, or in, countries in violation of United States embargo laws, namely Cuba, Iran, Iraq, Libya, North Korea, Sudan and Syria. The arrangements also include a range of provisions on the privacy of information, for example that personal information is protected against loss, unauthorised access, use, modification or disclosure and other misuse, as per the Information Privacy Act 2009 (Qld).
  • Offshore data: while certain parts of the cloud services allow storage of our data within Australia, other parts of the services (primarily text-based chat and conversation data on a Teams channel) will reside outside of Australia. The contract provides that, as services become available in Australia, the contractor will notify the Queensland Government, and the Queensland Government can request variations to the contract.

For information on the specific provisions, see the various SOA documents which form part of ICTSS.1305 and ICTSS.1308.

Where an agency deems the risks unacceptable, it can look at limiting certain functionality within MS Teams to make the risks more acceptable; for example, agencies have the option to turn chat off and use only the video conferencing facilities.

Teams vs email

Teams operates in a similar way to email; however, the barrier to entry is higher than for email, as it requires a user to be a registered Microsoft customer. Agency security staff are encouraged to use the same security language and approaches for Teams as they do for email, i.e. be aware of phishing, scams, etc.

Use of Teams for sensitive information

Information security classification should still be central to decisions on how products such as Teams should be used. For example, Teams may not be deemed an appropriate channel to discuss sensitive information due to high confidentiality business impacts. As per the Queensland Government Information Security Classification Framework, information that has been assessed as having a high business impact level to confidentiality (C), integrity (I) or availability (A) may only be stored or processed offshore where the agency:

  • has undertaken a risk assessment related to the C, I and A business impacts
  • accountable officer or delegate has documented acceptance of the off-shored information risk assessment.

Preferred configuration

Federation for agency to agency collaboration

Open Federation

Agencies can configure the federation of Teams in one of two ways. By default, Teams will operate in Open Federation mode. This mode will enable the treatment of people as external contacts and will allow a person to be directly contacted from a Teams client. This may be appropriate for small organisations.

This setting is at https://admin.teams.microsoft.com/company-wide-settings/external-communications

Closed Federation

If an agency wishes to control which organisations can directly dial a person, it must add each domain to the Add a Domain list. This list needs to match at both tenants for direct contacts to be established, and it may become quite extensive. The Customer and Digital group will make available to agencies an up-to-date list of domains to include.

Current list of Queensland Government Domains (Queensland Government employees only)

Current list of Queensland Local Government Authority Domains (Queensland Government employees only)
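The closed-federation setup described above can also be applied with PowerShell rather than through the admin portal, which makes it easier to keep the domain list identical across tenants. The following script is an added example and is not part of the guideline or of any Microsoft documentation; it assumes the SkypeOnlineConnector module (the module the guideline references for migration), an account that can run New-CsOnlineSession, and a constructed placeholder list of domains standing in for the QGCDG-published list. Replacing the allow list with an explicit set of domains is what moves a tenant from open to closed federation.

```powershell
# Added example (not from the guideline): apply a closed-federation allow list.
# Assumes the SkypeOnlineConnector module and a tenant admin account.
Import-Module SkypeOnlineConnector
$session = New-CsOnlineSession -Credential (Get-Credential)   # prompts for admin credentials
Import-PSSession $session -AllowClobber | Out-Null

# Record the starting state so the change can be reviewed or reverted.
$before = Get-CsTenantFederationConfiguration
Write-Host "AllowFederatedUsers: $($before.AllowFederatedUsers)"
Write-Host "Allow list before change:"
$before.AllowedDomains

# Constructed placeholder domains. In practice read the QGCDG-published list
# (e.g. with Import-Csv) and apply the same file on every participating tenant,
# because the lists must match at both ends for direct contact to work.
$domains = @('agency-a.example.qld.gov.au', 'agency-b.example.qld.gov.au')

# Build the allow list: one domain pattern per partner domain.
$patterns = foreach ($d in $domains) { New-CsEdgeDomainPattern -Domain $d }
$allowList = New-CsEdgeAllowList -AllowedDomain $patterns

# Setting an explicit allow list replaces "allow all known domains"
# (open federation) with closed federation for this tenant.
Set-CsTenantFederationConfiguration -AllowedDomains $allowList

# Verify the result before closing the session.
Write-Host "Allow list after change:"
(Get-CsTenantFederationConfiguration).AllowedDomains
Remove-PSSession $session
```

Run the script once per tenant from the same domain file; if the allow lists diverge between two tenants, direct contact fails in one direction only, which is a common source of confusing "user not found" reports.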

Coexistence Mode set to Teams Only

The objective of all agencies adopting Microsoft Teams is to standardise, simplify and streamline the experience of all staff across the public sector.

Whilst departments, agencies, statutory bodies, etc all have different digital/ICT priorities, the QGCDG requests the implementation of Teams and setting their Office 365 Tenancies to Teams Only mode as soon as practical. More information on this is available here:
https://docs.microsoft.com/en-us/microsoftteams/migration-interop-guidance-for-teams-with-skype

Agencies should start by deploying Teams through their preferred desktop management tool (SCCM/Intune/etc) and then following agency change processes to empower staff to adopt the new platform.

Migrating Users from Skype for Business to Teams in a staged manner

Apart from a big bang approach, it is possible to use PowerShell scripts to migrate users individually, in batches or in bulk; normal testing and validation practices apply. This requires the PowerShell module called SkypeOnlineConnector.


Reference:
https://docs.microsoft.com/en-us/powershell/module/skype/grant-csteamsupgradepolicy?view=skype-ps

PowerShell Module (as at April 2020):
https://www.microsoft.com/en-us/download/details.aspx?id=39366

The specific commands are:

# Move the user to Teams Only mode ($SipAddress holds the target user's SIP address)
Grant-CsTeamsUpgradePolicy -PolicyName UpgradeToTeams -Identity $SipAddress
# Route calling and chat for that user to Teams
Grant-CsTeamsInteropPolicy -PolicyName DisallowOverrideCallingTeamsChatTeams -Identity $SipAddress
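To migrate users in batches with the validation the guideline asks for, the two commands can be wrapped in a script that reads a list of users, skips anyone already in Teams Only mode, and records the outcome per user. The script below is an added example, not the guideline's own code or a Microsoft sample; it assumes the SkypeOnlineConnector module, an admin account for New-CsOnlineSession, a constructed CSV layout with a single SipAddress column, and that Get-CsOnlineUser exposes the TeamsUpgradeEffectiveMode property for checking the result.

```powershell
# Added example (not from the guideline): staged Skype for Business -> Teams
# migration from a CSV, in batches, with pre- and post-checks per user.
param(
    [string]$CsvPath = '.\migration-batch.csv',   # constructed layout: one column, SipAddress
    [int]$BatchSize = 50,                         # users per batch
    [switch]$DryRun                               # report what would change, grant nothing
)

Import-Module SkypeOnlineConnector
$session = New-CsOnlineSession -Credential (Get-Credential)   # prompts for admin credentials
Import-PSSession $session -AllowClobber | Out-Null

$users = @(Import-Csv $CsvPath)   # @() keeps a one-row file as an array
$log = @()

for ($i = 0; $i -lt $users.Count; $i += $BatchSize) {
    $last = [Math]::Min($i + $BatchSize, $users.Count) - 1
    $batch = $users[$i..$last]
    Write-Host "Batch starting at row $i ($($batch.Count) users)"

    foreach ($u in $batch) {
        $sip = $u.SipAddress

        # Pre-check: confirm the user exists and is not already in Teams Only mode.
        $current = Get-CsOnlineUser -Identity $sip -ErrorAction SilentlyContinue
        if (-not $current) {
            $log += [pscustomobject]@{ User = $sip; Result = 'NotFound' }
            continue
        }
        if ($current.TeamsUpgradeEffectiveMode -eq 'TeamsOnly') {
            $log += [pscustomobject]@{ User = $sip; Result = 'AlreadyTeamsOnly' }
            continue
        }
        if ($DryRun) {
            $log += [pscustomobject]@{ User = $sip; Result = "WouldUpgrade (currently $($current.TeamsUpgradeEffectiveMode))" }
            continue
        }

        # The two commands listed in the guideline, applied per user.
        Grant-CsTeamsUpgradePolicy -PolicyName UpgradeToTeams -Identity $sip
        Grant-CsTeamsInteropPolicy -PolicyName DisallowOverrideCallingTeamsChatTeams -Identity $sip

        # Post-check: read the effective mode back. If it still shows the old mode,
        # re-check later before treating the user as failed, since policy changes
        # are not always visible immediately.
        $after = Get-CsOnlineUser -Identity $sip
        $log += [pscustomobject]@{ User = $sip; Result = $after.TeamsUpgradeEffectiveMode }
    }
}

# Keep the per-user outcome as the validation record for the change request.
$log | Export-Csv -Path '.\migration-result.csv' -NoTypeInformation
$log | Group-Object Result | Select-Object Name, Count
Remove-PSSession $session
```

Run it first with -DryRun against the pilot CSV to confirm the users resolve and the counts look right, then without the switch; the result CSV is the evidence that each user in the batch reached TeamsOnly mode or was flagged for follow-up.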


Management and Monitoring

Similar to the other Microsoft online services, additional management should be activated and configured in line with the department's existing monitoring approaches. For further guidance on configuring Teams for logging and legal hold, refer to:

https://docs.microsoft.com/en-us/microsoftteams/security-compliance-overview

Teams can also be configured in conjunction with Data Loss Prevention (DLP), which allows both discussions and documents to be controlled by DLP to suit the department's document controls:

https://docs.microsoft.com/en-us/microsoft-365/compliance/dlp-microsoft-teams?view=o365-worldwide

Existing collaboration tools in use

It is acknowledged that some agencies may have already invested in collaboration tools or are using existing tools such as Skype. As Teams is freely available under a contract it is expected agencies move away from other tools when operationally convenient, unless there is a documented risk assessment signed off by the accountable officer.

Whilst maintaining existing collaboration solutions, efforts should be made to enable interoperability with Teams as the preferred government platform.

Information privacy considerations

When assessing collaboration platforms, agencies need to ensure they have an understanding of how and where data is stored, and whether the product shares information with affiliates and/or other third parties.

Most products should only collect information to support the provision of their services, so it is important that agencies understand what information is collected and for what purpose it is used. Agencies should be careful of products that are silent on whether they share data, or that state they share data for business purposes (as it is unclear from such statements to what degree, and with whom, data is being shared).

Agencies should choose products where they have control of privacy settings and can ensure videos are not stored automatically (unless the host has chosen to record the meeting). The option to consent is an important feature, but note that in many cases if you don't consent, you don't get to use the service (or sometimes specific features will be disabled).

Teams can be configured to ensure files are stored locally; however, content associated with functionality such as text chat and conversations may not be stored locally. This depends on when Teams was enabled in the tenant, and agencies need to understand where such content will reside. If information will potentially be stored overseas, or if support services which may require access to data will be provided from overseas, agencies need to consider how they will meet their obligations under s33 of the IP Act.

It is important agencies have clear policies and processes in place on what type of information can be transmitted/stored over chat and meetings. For example, agencies may set policies that prohibit using chat for SENSITIVE and PROTECTED information. Remember no matter what product is used, agencies must ensure the Privacy Principles in the Information Privacy Act 2009 are adhered to.

More information on privacy considerations for cloud solutions can be found in Cloud computing and the privacy principles produced by the Queensland Office of the Information Commissioner.

Ownership of content and copyright

Agencies need to ensure they understand where ownership resides and be careful of products that do not allow users to retain ownership of their content and intellectual property. When using video conferencing and posting/sharing content, users should still ensure they are not breaching copyright laws, such as by sharing the works of others without their consent. For further information see the Queensland Public Sector Intellectual Property Principles and the Use of copyright materials guideline.

Recordkeeping considerations

Agencies must consider their recordkeeping requirements when using any collaboration product. Not all collaboration features are suitable for all types of work activities or decisions. For instance, employees should not use chat-type features to record major business decisions unless a record of that decision is kept in an appropriate recordkeeping or business system.

As many employees may have limited or no access to corporate networks, agencies may need to be pragmatic and look at ways for these staff to store, access and share records and information. You may also need to look at what processes need to change to enable staff to continue to create and capture records they need (e.g. using a manual timesheet instead of dedicated apps).

Office 365 in conjunction with Teams enables users to create, collaborate on, access and share files. Agencies may wish to consider how best to use this type of solution to strike a balance between their security obligations, recordkeeping obligations and the need to deliver and support vital services to Queenslanders. In a recent blog, Public records from private couches and kitchen tables, Queensland State Archives talk about their approach to using Microsoft Teams/SharePoint for recordkeeping and how they use this in conjunction with their eDRMS system. It also includes advice on what records to capture and how, and on public records in private accounts where employees need to use a personal device such as their mobile phone for work purposes.

Some specific matters to think about include:

  • creating a file structure that is easy to use
  • ensuring only those team members who need access to files have access
  • making sure you have good version control of files so:
    • you can easily identify the latest version
    • keep older versions too so you can identify the changes made over time (e.g. key policy changes or changes in actions)
  • identifying original files in your business or recordkeeping system that you are taking offline to work on in Teams (so there is no confusion about which version should be used)
  • ensure that all verbal or chat-based approvals or discussions that take place in Microsoft Teams are later formally endorsed via email and saved into a records-compliant business system.
  • when holding meetings via Teams, ensure that suitable agendas, minutes and notes are still taken and captured and saved into a records compliant business system.
  • name Team Channels effectively so that all members will understand what that channel is used for. This will help later when the records captured in Teams need to be moved to a records compliant business system.
  • keep your screen and documents out of view of others.
  • don't let your family use your laptop or access work sensitive data.

For further information on recordkeeping obligations see the Records governance policy and the Managing information in the cloud factsheet.