Directive on data access

of 27 April 2016
on the protection of natural persons with regard to the processing of personal data by
competent authorities for the purposes of the prevention, investigation, detection or
prosecution of criminal offences or the execution of criminal penalties, and on the free
movement of such data, and repealing Council Framework Decision 2008/977/JHA

Yammer user guidelines from Microsoft: an example


Microsoft 365 Usage Guidelines

These can be used as an example:


The admin of the Microsoft network requires you to accept this policy to join:

Below you’ll find our Microsoft 365 Usage Guidelines—these outline our expectations for Microsoft users while using Microsoft 365 apps and services. Do not share these guidelines externally. For questions about these guidelines, post in the TechConnect Yammer community.

  • Keep it secure. Be aware of confidential information and store it in places with appropriate labeling
  • Act respectfully. Listen, assume positive intent, and post constructively. Always follow Microsoft principles and policies
  • Be accountable. Information in Microsoft 365 apps may be viewed by employees, suppliers and guests. Apps may process your content to improve your experience and keep data secure.
  • Know your apps. Understand your responsibility to keep your groups up-to-date and use each Microsoft 365 app.

Read all the details below.

Keep it secure. Here’s how:

  • Do not disclose Microsoft confidential information unless there is a compelling business reason to do so and you have obtained a non-disclosure agreement. Sensitive information should only be shared as allowed by Microsoft policy.

    If you see inappropriate disclosure of confidential information, submit a report to the ‘Report It Now’ site, just as you would any other security incident. For details, refer to the Microsoft policy on Confidential Information.

  • Use the Microsoft classification and sensitivity labeling for Microsoft groups and Office documents.

    Classification labels are Public, Non-Business, General, Confidential and Highly Confidential. Confidential and Highly Confidential groups must be set to “Private.” If you create a public Confidential or Highly Confidential group, the privacy will be reset to “Private.”

    For more information, refer to the Data Classification page.

  • Microsoft 365 Group names are discoverable, so you should use non-confidential, work-appropriate language to name your teams in Microsoft Teams, groups in Outlook, communities in Yammer, or SharePoint team sites. Groups with names that are not work-appropriate will be deleted.
  • Do not use software or services that are not approved by Microsoft to send or store business-related data, because they may not retain reliable records of that data on Microsoft systems.

    Instead, use your Microsoft corporate accounts and Microsoft 365 services to send and store this data (e.g., store your documents in OneDrive or SharePoint).

    For more information, refer to the page on Prohibited and discouraged third-party software.

Act respectfully. Here’s what we expect:

  • Be respectful and inclusive with your colleagues. At Microsoft, we strive to have a culture where employees can have an open dialogue and share their opinions and ideas without fear of personal attacks, intimidation, or reprisal.
    • DO assume everyone is coming to the conversation in good faith.
    • DON’T say anything on Yammer, Teams, or other forums that you would not say in a meeting room or in a face-to-face meeting with a colleague.
    • DO respectfully disagree with people. Listen and seek to understand where they’re coming from.
    • DON’T turn disagreements into personal attacks or name-calling.
    • DO avoid using language or statements that could be perceived as threatening.
  • Practice awareness, exercise curiosity, and demonstrate courage. In support of Microsoft’s inclusion principles, we all have a role to play in creating an experience for others that makes them feel valued, respected, and feel that they belong.
  • Microsoft’s Anti-Harassment and Anti-Discrimination Policy and Business Conduct Policy apply to all conversations, electronic or otherwise.

    If you see inappropriate behavior online, please report it to your HR representative, report it to your manager, or email AskHR, just as you would any other inappropriate behavior. Yammer admins may close conversations that are no longer productive or devolve into personal attacks.

Be accountable. Here’s what you should know:

  • Information you share in Microsoft 365 Groups (e.g., Microsoft Teams, Yammer, SharePoint Online, Outlook Groups, etc.) may be viewed by a mixture of Microsoft employees and their guests.

    As an employee at Microsoft, your clicks, information, and data are being collected and stored while you use these products. Activity may be mined and processed both for compliance and/or security purposes (e.g., to help prevent data over-exposure) as well as to help improve Microsoft products and services.

    For details, refer to the Microsoft policy on Responsible use of technology and Microsoft’s access to business and non-business related data.

  • Privacy laws vary by country. Refer to the page on Privacy to find your Privacy contact.
  • Our services add intelligence such as recommendations, insights, and information connections. Anything you have in Microsoft 365 may be processed by those services and surfaced to people who already have access to the content.

    Permissions applied to the content are respected, so personal content will only have recommendations and insights for you. Conversations and files shared with others may have connections and recommendations visible to anyone who has access to them.

    For instance, if you provide a comment to a Yammer topic, anyone with access to that Yammer topic may be prompted with related intelligence. You can control this by managing permissions to limit access; for example, if you do not want guests to have permission to access content, use the “Internal Only” label.

  • As an internal Microsoft user there are additional guidelines that you should be aware of when working with external guests, e.g., vendors without an account.

    Highly Confidential groups do not allow sharing with external users without a security exception. All Highly Confidential groups are automatically set to block external sharing.

    Use private teams and groups to share information that you don’t want publicly available within Microsoft. Refer to the page on External Sharing for more information.

Remain informed. Here’s what you should keep in mind about our products:

Microsoft 365 Groups (Microsoft Teams teams, Yammer communities, SharePoint sites, Outlook groups, Microsoft Planner plans, Microsoft Stream channels, etc.)

  • Microsoft 365 Groups adhere to Microsoft security policies, which require:
    • Two (2) valid owners, at least one of whom must be a full-time employee (FTE).
    • Site classification is set using the appropriate classification and sensitivity labels. Refer to the Data Classification page for more information.
  • Use private teams and groups to share information that you don’t want publicly available within Microsoft.
  • A public group is open to all of Microsoft, has searchable files, and is available for everyone in the company to join. A private group is only open, searchable, and viewable by the members of that group. In either case, the group name, description, picture, and membership can be discovered by non-members.
  • In a few rare cases, you may create a Microsoft 365 Group with the same name as an existing Distribution Group or Security Group. In these cases, our Global Helpdesk support staff will contact you and help you rename your Microsoft 365 group while we work on a permanent solution in the system.

SharePoint Online

  • Help us keep costs down by using out-of-the-box solutions like page web parts instead of customizing your site.
  • Don’t build apps for SharePoint Online that are resource intensive. Work with our Front Desk team to build it right.
  • If you need to share files larger than current file size limits visit the File Share page for information about large file transfer resources.

Yammer

  • Yammer is an internal social forum and content should not be copied and shared externally.
  • Anyone with valid Microsoft credentials has access to the internal Microsoft Yammer network.
  • You can store Highly Confidential data on Yammer if it’s in a Private community.

Meeting Recordings (OneDrive, Microsoft Teams, Microsoft Stream)

  • Recording meetings in Teams makes it easy for those that cannot attend to quickly catch-up. All meeting recordings and transcripts are on the record and anything you say will be attributed to you. Refer to the page on Recording and live transcription for meetings in Teams.
  • Get permission from other participants before recording a meeting as there are times when recording a meeting may not be in the best interest of the company. Refer to the CELA statement on Smart Use Recording Meetings.
  • Microsoft Stream is an internal video platform and content should not be copied and shared externally. Anyone with valid Microsoft credentials has access to the internal Microsoft Stream platform. When you manually upload videos to Stream, you will be asked to attest to usage guidelines stating that you have the necessary rights and permissions from people in your video and that your video will not violate the copyright, privacy, or rights of others.
  • You can upload and store confidential videos on Stream if it’s in a Private group or channel. Video permissions can be set in the video settings.

You can also find the Microsoft 365 Usage Guidelines on TechWeb.


Microsoft 365 – Security Best Practices

There is some basic information and a set of actions you should carry out to harden a Microsoft 365 environment. Here are the usual recommendations:


  1. Enable MFA for all users, and have it set up beforehand
  2. Use Conditional Access / Zero Trust principles
  3. Use dedicated administration accounts
  4. Run security awareness training for employees frequently
  5. Prevent automatic forwarding of e-mails
  6. Monitor your environment proactively
  7. Commission regular Office 365 security assessments
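As an added example (not code from the original post), the following PowerShell script shows how item 5 is typically checked and enforced in Exchange Online: it first audits forwarding that already exists, then blocks automatic forwarding for the tenant. It assumes the ExchangeOnlineManagement module is installed and the signed-in account holds an Exchange administrator role.

```powershell
# Added example, not from the original post: audit existing e-mail forwarding in
# Exchange Online and then block automatic forwarding tenant-wide (item 5 above).
# Assumes the ExchangeOnlineManagement module and an Exchange administrator role.
Connect-ExchangeOnline   # interactive sign-in; MFA applies here if enforced (item 1)

$allMailboxes = Get-Mailbox -ResultSize Unlimited

# 1. Forwarding configured on the mailbox itself (by an admin or via Outlook settings).
$mailboxForwarding = $allMailboxes |
    Where-Object { $_.ForwardingSmtpAddress -or $_.ForwardingAddress } |
    Select-Object UserPrincipalName, ForwardingSmtpAddress, ForwardingAddress, DeliverToMailboxAndForward

# 2. User-created inbox rules that forward or redirect messages.
$ruleForwarding = foreach ($mbx in $allMailboxes) {
    Get-InboxRule -Mailbox $mbx.UserPrincipalName |
        Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo } |
        Select-Object @{ n = 'Mailbox'; e = { $mbx.UserPrincipalName } }, Name, Enabled,
                      ForwardTo, ForwardAsAttachmentTo, RedirectTo
}

Write-Host "Mailboxes with forwarding set: $(@($mailboxForwarding).Count)"
$mailboxForwarding | Format-Table -AutoSize
Write-Host "Inbox rules that forward or redirect: $(@($ruleForwarding).Count)"
$ruleForwarding | Format-Table -AutoSize

# 3. Block automatic forwarding to external recipients for the whole tenant.
#    'Off' rejects auto-forwarded messages; the default 'Automatic' state is controlled by Microsoft.
Set-HostedOutboundSpamFilterPolicy -Identity Default -AutoForwardingMode Off

# 4. Also close the older remote-domain setting so legacy forwarding paths are covered.
Set-RemoteDomain -Identity Default -AutoForwardEnabled $false

# Re-run steps 1 and 2 periodically as part of proactive monitoring (item 6): any forwarding
# that is not documented and approved should be reviewed with the mailbox owner.
```

In large tenants the per-mailbox Get-InboxRule loop is slow; run the audit part as a scheduled job rather than interactively.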


Information Protection with Azure Information Protection: use names and icons

As part of information protection, labeling, i.e. marking files with labels, becomes all the more important. The name matters, as do all the ways of showing users how and what they are labeling at that moment. Combining a name and an icon with a concise description works well.


A typical classification can look like this:

Variant 1

German English
Privat Private
Öffentlich Public
Intern Internal
Vertraulich Confidential
Hochvertraulich High confidential

Variant 2

German English
Öffentlich Public
Intern Internal
Vertraulich Secret


Icon with the name

Now you can also add an icon to the name. On Windows you can insert these icons with the key combination Windows + period.


Icon German English
🪧 Öffentlich Public
🛡️ Intern Internal
📛 Vertraulich Secret


Icon view

The icons are displayed in:

  • mobile apps
  • web browsers
  • the Office suite, with and without the desktop client

Equip websites and projects with a security.txt

It happens again and again that even well-maintained systems or websites have security vulnerabilities. It therefore makes sense to publish a security.txt so that security researchers, or people from organizations such as the CCC, can quickly reach the right contacts without having to work their way through general mailing lists or hotlines.


I found this handy generator:
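As an added example (not from the original post, and unrelated to the generator mentioned above), here is a PowerShell check that fetches a site's security.txt and flags the RFC 9116 problems that most often make such a file useless: a missing or non-URI Contact, a missing, malformed or stale Expires. The host name is a placeholder.

```powershell
# Added example, not part of the original post: fetch a site's security.txt (RFC 9116)
# and flag the problems that most often make such a file useless. Host name is a placeholder.
function Test-SecurityTxt {
    param([Parameter(Mandatory)][string]$HostName)
    $uri = "https://$HostName/.well-known/security.txt"   # RFC 9116 location: HTTPS, under /.well-known/
    $problems = @()
    try {
        $body = (Invoke-WebRequest -Uri $uri -UseBasicParsing -ErrorAction Stop).Content
    } catch {
        return [pscustomobject]@{ Uri = $uri; Ok = $false; Problems = @("not reachable: $($_.Exception.Message)") }
    }
    # Parse "Field: value" lines; lines starting with '#' are comments, blank lines are ignored.
    $fields = @{}
    foreach ($line in ($body -split "`r?`n")) {
        if ($line -match '^\s*$' -or $line -match '^\s*#') { continue }
        if ($line -match '^([A-Za-z-]+):\s*(.+?)\s*$') {
            $name = $Matches[1].ToLower()
            if (-not $fields.ContainsKey($name)) { $fields[$name] = @() }
            $fields[$name] += $Matches[2]
        } else {
            $problems += "unparseable line: '$line'"
        }
    }
    # Contact is mandatory and must be a URI (mailto:, tel: or https://).
    if (-not $fields.ContainsKey('contact')) {
        $problems += 'missing mandatory Contact field'
    } else {
        foreach ($c in $fields['contact']) {
            if ($c -notmatch '^(mailto:|tel:|https://)') { $problems += "Contact is not a URI: $c" }
        }
    }
    # Expires is mandatory; a stale file means reports may go nowhere.
    if (-not $fields.ContainsKey('expires')) {
        $problems += 'missing mandatory Expires field'
    } else {
        $exp = [datetimeoffset]::MinValue
        if (-not [datetimeoffset]::TryParse($fields['expires'][0], [ref]$exp)) {
            $problems += "Expires is not a valid date: $($fields['expires'][0])"
        } elseif ($exp -lt [datetimeoffset]::UtcNow) {
            $problems += "file expired on $($exp.ToString('u'))"
        } elseif ($exp -gt [datetimeoffset]::UtcNow.AddDays(365)) {
            $problems += 'Expires is more than a year ahead (RFC 9116 recommends less)'
        }
    }
    [pscustomobject]@{ Uri = $uri; Ok = ($problems.Count -eq 0); Fields = $fields; Problems = $problems }
}

Test-SecurityTxt -HostName 'example.org' | Format-List   # placeholder host
```

Run it against your own domains on a schedule, since an expired security.txt silently breaks the contact path the section above is meant to provide.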

Azure data residency: where is what stored and processed? Example: Germany

It is becoming ever more important to know exactly where and when which data is processed. For Microsoft Azure in particular, with its many different services, this has not become any easier. On top of that, Microsoft is now moving many services into the EU with the EU Boundary Program.

A good website for this is:



How do I prevent access by Microsoft and US authorities in Office 365?

For months I have been asked exactly the same question over and over: How do I prevent access by Microsoft and US authorities in Office 365? This question shapes a good part of my discussions, expert opinions, and above all the expert opinions I get to read from dear colleagues. I would now like to clear up a few myths and address the question quite objectively.

Continue reading

How may I use the stock images from Office 365?

As part of the Office 365 / Microsoft 365 license, Microsoft offers an image library called “Archivbilder” (stock images). It contains not only nice pictures but also icons, cartoons and much more.

Availability of the stock images

  • Office desktop apps, such as Word and PowerPoint
  • Office Online
  • SharePoint Online sites / communication sites

Using the images

The images are used, for example, by PowerPoint Designer to create attractive slides and great backgrounds. So two connected experiences come together here.

Stock images as a connected service

The stock images are a connected service. The search term is transmitted and the matching images are displayed, which can then be inserted into presentations or documents.

Permitted use

  • Use of the images for commercial and non-commercial purposes (Enterprise/Business license)
  • Use of the images within Office 365 / Microsoft 365 (e.g. intranet)

Prohibited use

  • Selling the images
  • Using the images without image credit