Purpose: It is the responsibility of each Smartsheet user to ensure the security of the data contained in their Smartsheet solutions. Smartsheet can be used for sensitive data, but periodic audits need to be performed to ensure your data is not being shared with any unqualified users.


Understand the three Deschutes County Data Classification levels

  1. Public - this is information intended for general use and would cause no personal or organizational harm if publicly shared.
  2. Restricted - this is data commonly used to conduct business but is personal in nature. (This includes PII, but see other examples here.)
  3. Confidential - this is the most restrictive level and pertains to information that could have serious negative consequences if compromised. (This includes HIPAA data, but see the full list here.)


Properly organize your Smartsheet account and the objects inside it

  1. Store all sheets/reports/dashboards within Workspaces. This will make your periodic audits significantly more efficient.
  2. Name workspaces based on the data restriction levels of the information contained in them. This will help you know which spaces to pay closer attention to. For example, if you have HIPAA data in any of the sheets or attachments in the workspace, begin your workspace name with that indication, like “Confidential: Vital Records Ordering”.
  3. Perform periodic audits of ALL your shared items. The easiest way to do this is to download a “Workspace Sharing Report”.


Instructions

1. In your Smartsheet account, right-click on the Workspace (or object) you wish to audit. If you have properly named your workspaces using the data classification levels and maintained them to accurately reflect the data inside, you will always know which spaces to audit most closely.


2. Select “Download Workspace Sharing Report”.

3. Check your email for the report (it often takes a minute or two to send, so be patient).

4. Review both of the downloaded files, focusing specifically on the Workspace Sheet Access report.

  • Review the Shared To column, looking for any users named there who seem to be out of place.
  • Look first at any email addresses that do not belong to Deschutes County employees. Ensure their level of access is as expected.
  • Remove any Deschutes County employees who are no longer employed (these will not be able to access your data if IT was properly notified of their termination, but best practice is to remove them anyway).



5. Remove any unintended shares by going to the object (see its name in the Name column) and editing the share options in that object. (For example, in the case above I can see that a Gmail address has viewer access to my "Smartsheet Project Dashboard" and I want to revoke that access, so I'll go modify the share options in that dashboard.)
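The review in steps 4 and 5 is a repeatable check, so it can be scripted against the downloaded Workspace Sheet Access report. The script below is an added example, not Smartsheet's tooling or a county-provided script. It assumes the report is a CSV with at least the columns "Name", "Shared To" and "Access Level" (only "Name" and "Shared To" are named in the instructions above; the real export layout is not shown here), that county staff addresses all end in one internal mail domain (the placeholder county.example stands in for the real one), and that the auditor supplies the list of terminated users. It flags every non-county address and every terminated employee, raises the priority when the workspace name carries a "Confidential:" or "Restricted:" prefix as recommended above, and groups findings by object so you know which share dialogs to open in step 5.

```python
"""
Added example: triage a Smartsheet "Workspace Sheet Access" CSV for the
checks in step 4. Column names, the internal mail domain and the sample
rows are assumptions/constructed data, not values from the real export.
"""
import csv
import io
from dataclasses import dataclass

INTERNAL_DOMAIN = "county.example"  # placeholder for the county's real mail domain

# Constructed sample export; the column layout is an assumption.
SAMPLE_REPORT = """Name,Shared To,Access Level
Vital Records Ordering,alice@county.example,Admin
Vital Records Ordering,bob@county.example,Editor
Smartsheet Project Dashboard,Someone@Gmail.com,Viewer
Smartsheet Project Dashboard,carol@county.example,Viewer
Intake Tracker,dave@county.example,Editor
"""

# Constructed list of staff who have left; in practice this comes from HR/IT.
TERMINATED_USERS = {"dave@county.example"}


@dataclass(frozen=True)
class Finding:
    object_name: str   # value of the "Name" column (sheet/report/dashboard)
    shared_to: str     # normalized (lower-cased) email address
    access_level: str
    reason: str        # "external" or "terminated"
    priority: str      # "high" for Confidential/Restricted workspaces, else "normal"


def workspace_priority(workspace_name: str) -> str:
    """Derive audit priority from the classification prefix in the workspace
    name, e.g. "Confidential: Vital Records Ordering" -> "high"."""
    prefix = workspace_name.split(":", 1)[0].strip().lower()
    return "high" if prefix in {"confidential", "restricted"} else "normal"


def audit_sharing_report(csv_text: str, workspace_name: str,
                         terminated_users: set[str],
                         internal_domain: str = INTERNAL_DOMAIN) -> list[Finding]:
    """Return one Finding per share an auditor should look at: any address
    outside the internal domain, and any internal address belonging to a
    terminated employee. Email comparison is case-insensitive."""
    priority = workspace_priority(workspace_name)
    terminated = {u.strip().lower() for u in terminated_users}
    findings: list[Finding] = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        shared_to = row["Shared To"].strip().lower()
        # Match the whole domain after '@', not a substring, so a look-alike
        # such as "user@county.example.other.test" is still treated as external.
        is_internal = shared_to.endswith("@" + internal_domain.lower())
        if not is_internal:
            reason = "external"
        elif shared_to in terminated:
            reason = "terminated"
        else:
            continue  # expected county share; nothing to review
        findings.append(Finding(row["Name"].strip(), shared_to,
                                row["Access Level"].strip(), reason, priority))
    return findings


def objects_to_fix(findings: list[Finding]) -> dict[str, list[str]]:
    """Group flagged addresses by object name: each key is an object whose
    share options need editing (step 5)."""
    grouped: dict[str, list[str]] = {}
    for f in findings:
        grouped.setdefault(f.object_name, []).append(f.shared_to)
    return grouped


if __name__ == "__main__":
    results = audit_sharing_report(SAMPLE_REPORT,
                                   "Confidential: Vital Records Ordering",
                                   TERMINATED_USERS)
    for f in results:
        print(f"[{f.priority}] {f.object_name}: {f.shared_to} "
              f"({f.access_level}) - {f.reason}")
    for obj, users in objects_to_fix(results).items():
        print(f"Edit share options on '{obj}' to remove: {', '.join(users)}")
```

Run it against the CSV you downloaded by replacing SAMPLE_REPORT with the file's contents and TERMINATED_USERS with the current leavers list; the "high" priority only means the workspace was named with a classification prefix, so an unnamed workspace holding HIPAA data will still show as "normal" until it is renamed as the naming guidance recommends.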