Protecting sensitive data in Box

At Indiana University, to store Restricted and some Critical institutional data, such as approved protected health information (PHI), in IU Box:

  1. Verify that your data are allowed in Box; see What types of data are appropriate for my IU Box account?
  2. Put the data in a folder owned by the appropriate account; see At IU, how do I request a Box account for use with sensitive data?
  3. Understand and implement the security measures listed below.
Note:
The following procedures and practices are necessary with Box Health Data Accounts or Box Entrusted Data Accounts, but many of them can be applied anytime you are collaborating in Box.


Understanding folder ownership

Although Box itself is a secure platform (for more, see Are files and data safe using enterprise Box?), individual choices determine how secure a given piece of data is. Folder ownership and settings are key to the security of data in Box. When you log into Box for everyday work, you will interact with a variety of shared and private folders, each with its own level of security set by its owner. At Indiana University, non-personal accounts (rather than individual user accounts) are the best folder owners for institutional data.

To maintain security, approved PHI may only be contained in a folder owned by a Box Health Data Account (BHDA), although you will interact with this data from within your own IU Box account. Similarly, UITS strongly recommends that all Restricted data stored in Box be contained in a folder owned by a Box Entrusted Data Account (BEDA).

Configuring folders to protect data

Visual indicators

There is no Box folder icon that will indicate the sensitivity of the data it contains. A folder with Restricted or Critical data will appear alongside personal folders and standard collaboration folders in each individual's Box account. Therefore, the folder owner or co-owner needs to give visual cues to the folder collaborators indicating the nature of the contents. IU has established folder naming conventions for folders in Box Health Data Accounts and Box Entrusted Data Accounts to reinforce collaborators' awareness of the folders they are working in; descriptions and tags are additional options. You should also know the difference between the different folder icons in Box. None of these visual cues will protect files or folders by themselves, but they can help you prevent inappropriate access by making it clear which information you and your collaborators need to take care with.

Folder icons

Folders in Box appear differently based on whether they are shared or private, hosted at IU or hosted externally, and synced or not synced. See the table below for examples. However, in order to see what account owns a given folder, you need to click the folder row and look at the Sharing tab in the right-hand pane (you may need to enlarge your browser window to see it). Keep in mind:

  • Do not put Restricted or Critical data in externally hosted folders.
  • Do not put Restricted or Critical data in a folder owned by an individual. This prevents exposure or loss of the data if an individual account owner leaves the university or changes departments. (Folders owned by BHDAs and BEDAs are, by their nature, not owned by individuals.)
  • See Sync for important guidelines about syncing. (Note that, in addition to the checkmark illustrated below for individual folders, you can also determine which folders you have synced by clicking Synced to Desktop in the left pane.)
Folder type, characteristics, and appearance:

Folder type: Personal
  • Hosted on IU Box
  • Only you have access.
Appearance: Plain yellow folder icon

Folder type: Personal, synced
  • Hosted on IU Box
  • Only you have access.
  • You synchronize the contents of this folder or a subfolder to your local computer.
Appearance: Plain yellow folder icon with checkmark to the right

Folder type: Shared
  • Hosted on IU Box
  • Shared link
  • Description appears when hovering over the info icon.
Appearance: Blue folder icon

Folder type: Shared, synced, tagged
  • Hosted on IU Box
  • You synchronize the contents of this folder or a subfolder to your local computer.
Appearance: Blue folder icon with tag below and checkmark to the right

Folder type: External
  • Shared folder
  • Hosted externally to IU
Appearance: Gray folder icon

Folder naming convention

The most visible indication of a folder's contents is its name. To clearly delineate folders containing sensitive data, you must use the following naming conventions for all folders owned by Box Entrusted Data and Box Health Data Accounts (and only those folders). Only folder names need to follow these conventions, not individual filenames. Complete and logical folder names will also help you and others use Box's search tool to find information. Folder and file names have a 255-character maximum.

Important:
Because collaborators added at a lower level only see the name of the folder at which they're added, you must maintain these conventions for all subfolders as well.
  • Box Entrusted Data Accounts: Folder names must begin with [Box Entrusted], (Box Entrusted), or {Box Entrusted}. Whichever option you choose, use it consistently for all folder names in the account. Example folder and sub-folder names for a review committee might be:
    • [Box Entrusted] Prof. John Doe Tenure Committee
      • [Box Entrusted] Prof. John Doe Tenure - Supporting Documents
  • Box Health Data Accounts: Folder names must begin with [Box Health], (Box Health), or {Box Health}. Whichever option you choose, use it consistently for all folder names in the account. An example folder name for a research project might be:
    • [Box Health] Jones Pancreatic Cancer Study Team
    Note:
    Box Health Data Accounts will be regularly audited to ensure this naming convention is followed. For Box Entrusted Data Accounts, co-owners are responsible for monitoring and maintaining the naming convention.
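The naming rules above (required prefix, one bracket style used consistently across the account, subfolders included, 255-character limit) can be checked mechanically. The following is an added example written for this page, not an IU or Box audit tool. It assumes the folder hierarchy has already been exported into a nested dictionary of folder names (the Box API and folder-listing details are outside this example); the sample trees are constructed here and are not real IU folders.

```python
from collections import Counter

# Required prefix label for each account type (from the naming convention above).
ACCOUNT_LABELS = {"entrusted": "Box Entrusted", "health": "Box Health"}
# The three accepted bracket styles; an account must use one of them consistently.
BRACKET_STYLES = {"square": ("[", "]"), "round": ("(", ")"), "curly": ("{", "}")}
MAX_NAME_LEN = 255  # Box's limit on folder and file names


def prefix_style(name, label):
    """Return the bracket style of a conforming prefix, or None if the name lacks one."""
    for style, (open_, close) in BRACKET_STYLES.items():
        if name.startswith(f"{open_}{label}{close}"):
            return style
    return None


def walk(tree, path=()):
    """Yield (path, name) for every folder in a nested {name: subtree} dict,
    so subfolders are checked as well as top-level folders."""
    for name, subtree in tree.items():
        here = path + (name,)
        yield here, name
        yield from walk(subtree, here)


def audit_folder_names(tree, account_type):
    """Check every folder in the tree against the naming convention.

    Returns a list of ("top/sub/folder", problem) tuples; an empty list means
    the account is compliant.
    """
    label = ACCOUNT_LABELS[account_type]
    findings = []
    styles = {}  # path -> bracket style, for folders that do carry a prefix
    for path, name in walk(tree):
        joined = "/".join(path)
        if len(name) > MAX_NAME_LEN:
            findings.append((joined, f"name exceeds {MAX_NAME_LEN} characters"))
        style = prefix_style(name, label)
        if style is None:
            findings.append((joined, f"does not begin with [{label}], ({label}) or {{{label}}}"))
        else:
            styles[path] = style
    if styles:
        # Treat the most common style as the account's choice; anything else is a deviation.
        account_style = Counter(styles.values()).most_common(1)[0][0]
        for path, style in styles.items():
            if style != account_style:
                findings.append(("/".join(path), f"uses {style} brackets but the account uses {account_style}"))
    return findings


# Constructed sample trees (not real IU folders). The entrusted tree has one
# subfolder without a prefix and one that switches bracket style.
ENTRUSTED_TREE = {
    "[Box Entrusted] Prof. John Doe Tenure Committee": {
        "[Box Entrusted] Prof. John Doe Tenure - Supporting Documents": {},
        "Letters (old)": {},
        "(Box Entrusted) External Letters": {},
    },
}
HEALTH_TREE = {
    "[Box Health] Jones Pancreatic Cancer Study Team": {
        "[Box Health] Jones Study - Consent Forms": {},
    },
}

if __name__ == "__main__":
    for account, tree in (("entrusted", ENTRUSTED_TREE), ("health", HEALTH_TREE)):
        for folder, problem in audit_folder_names(tree, account):
            print(f"{account}: {folder}: {problem}")
```

Run against the constructed entrusted tree, the audit reports the unprefixed "Letters (old)" subfolder and the round-bracket "External Letters" folder; the health tree passes. Because the most common style is taken as the account's choice, a single stray folder is reported rather than the whole account, which is what a co-owner maintaining the convention wants to see.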

Descriptions

Any file or folder in Box can have a brief description. A folder's description will appear at the top of the page when you're in the folder; in the folder list view, you can hover over the information icon to the right of a file or folder name or click the Details tab in the right-hand pane to see the description. UITS recommends using the description field to indicate the purpose or nature of an item to collaborators. You may see the option to add a description when creating or uploading an item; to add one to an existing file or folder in Box, in the folder view, click the row of the item, and in the Details tab in the right pane, enter your text under "Description".

Tags

Tags help visually indicate the purpose or nature of items in Box, and are also useful for filtering and searching. Tags can be applied to files as well as folders. You must tag each item manually (i.e., tags do not automatically propagate to contents or subfolders), but you can select more than one item at the same level and tag them all at once.

Note:
Simply tagging a file as "sensitive", "Entrusted Data", or "Health Data" does not meet the requirements for storing sensitive data if the files are not stored in the appropriate account.

To apply tags:

  1. Right-click the file or folder and choose More Actions, and then Add or Edit Tags.
  2. In the new window that opens, enter your tag.

Folder security settings

Before inviting collaborators, the folder owner or co-owner must set the proper security restrictions to protect the data in the folder.

Note:
In Box Health Data accounts, the folders' security settings will be set for you by administrators. Do not change any of those settings without first consulting with CAITS support or your departmental IT Pro.
  1. Right-click the folder, or click ... (More Options).
  2. Select Settings.
  3. Set the following options:
    • Invitation Restrictions:
      • Only Owners and Co-owners can send collaborator invites (checked): Restrict the ability to invite collaborators to only owners and co-owners. No other permission level will be able to invite collaborators. This is the single most important setting for securing your files and folders. Only individuals who own the content should be in full control of who is able to access the content.
      • Restrict collaboration to within Indiana University (depends): This setting determines whether or not this folder and its content will allow collaborators outside of IU, which will vary by your project needs. It is your responsibility to share data with only those who should have access to the data.
      • Hide collaborators (unchecked): UITS does not recommend hiding collaborators with Restricted or Critical data; it is more secure to know exactly who has access to files and folders.
      • Allow people who can access this folder from a shared link to join as a collaborator (unchecked): This option is only useful if you are sharing with "People with the link" or "People in your company." Do not check this for any folder containing Restricted or Critical data.
    • Commenting:
      • Disable commenting for this folder (unchecked): Because sharing and collaboration are the point of using Box, UITS does not recommend disabling comments on folders. Keep in mind that all roles except Uploader can view comments.
    • Shared Link Access:
      • Only collaborators can access this folder via shared links (checked): A shared link gives direct access to a file or folder to anyone who clicks it. This setting limits shared links to people who already have access to the content as collaborators, which makes it an important access control for any folder you are trying to secure and monitor. Leave the option next to "For:" set to Files and Folders.
    • Watermarking:
      • Enable watermarking for this folder (checked): Watermarking can help deter unauthorized re-sharing of sensitive information in your Box account. When you turn on watermarking for a file, it places a semi-transparent overlay of the current viewer's email address or IP address (depending on whether the viewer is logged in or not), as well as time of access across the document's contents. For more, see Watermarking.
    • Uploading:
      • Allow uploads to this folder via email (unchecked): If anyone (you or your collaborators) were to send sensitive data via an unencrypted email message, the data would not be protected in transit. It is more secure to only allow uploads using the web interface.

Collaborator permission levels

To share data, invite others into the appropriate folder as collaborators. To protect sensitive data, always make an intentional choice about the permission level of each collaborator in each folder, giving each person the lowest level necessary to accomplish his or her tasks.

  • UITS strongly recommends inviting collaborators at a level no higher than Viewer Uploader. Note that the default setting (Editor) is higher than this recommendation. Viewer Uploader is adequate for editing tasks, but does not allow Sync or content deletion. If you need higher permissions for your collaborators, consult with CAITS (for Box Health Data Accounts) and/or your departmental IT Pro.
  • Box uses waterfall permissions, i.e., collaborators will have the same permission level in subfolders as they do in the top folder. For details, see Sharing files on Box.
Action                  | Co-owner | Editor | Viewer Uploader | Previewer Uploader | Viewer | Previewer | Uploader
Download                | Yes      | Yes    | Yes             | No                 | Yes    | No        | No
Comment                 | Yes      | Yes    | Yes             | Yes                | Yes    | Yes       | No
Delete                  | Yes      | Yes    | No              | No                 | No     | No        | No
Create tasks            | Yes      | Yes    | Yes             | No                 | Yes    | No        | No
Tag                     | Yes      | Yes    | No              | No                 | No     | No        | No
Invite people           | Yes      | Yes*   | No              | No                 | No     | No        | No
Edit folder name        | Yes      | Yes    | No              | No                 | No     | No        | No
Edit folder properties  | Yes      | No     | No              | No                 | No     | No        | No
Preview                 | Yes      | Yes    | Yes             | Yes                | Yes    | Yes       | No
Send view-only links    | Yes      | Yes    | Yes             | No                 | Yes    | No        | No
Upload                  | Yes      | Yes    | Yes             | Yes                | No     | No        | Yes
View items in folder    | Yes      | Yes    | Yes             | Yes                | Yes    | Yes       | Yes
Sync folder             | Yes      | Yes    | No              | No                 | No     | No        | No
Set access permissions  | Yes      | Yes    | No              | No                 | No     | No        | No
Restrict invitations    | Yes      | No     | No              | No                 | No     | No        | No
View access stats       | Yes      | Yes    | No              | No                 | No     | No        | No
Create/edit Box Notes   | Yes      | Yes    | Yes             | No                 | No     | No        | No
View Box Notes          | Yes      | Yes    | Yes             | Yes                | Yes    | Yes       | No

* Disabled by default in Box Health Data Accounts and Box Entrusted Data Accounts.
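The permission matrix above lends itself to a least-privilege check: given the actions a collaborator actually has to perform, pick the role that covers them with the fewest rights, and flag anything above the Viewer Uploader ceiling UITS recommends. The following is an added example written for this page, not an IU or Box tool. It transcribes the table into a Python dictionary (Editor's "Invite people" is left out, since the footnote says it is disabled by default in these accounts) and reviews a constructed collaborator list; the names, roles and needs in the sample are invented for illustration.

```python
RECOMMENDED_CEILING = "Viewer Uploader"  # UITS recommendation: invite no higher than this

# Actions each collaborator role can perform, transcribed from the table above.
# Editor's invite right is omitted: the footnote says it is disabled by default
# in Box Health Data Accounts and Box Entrusted Data Accounts.
ROLE_ACTIONS = {
    "Co-owner": {"Download", "Comment", "Delete", "Create tasks", "Tag", "Invite people",
                 "Edit folder name", "Edit folder properties", "Preview", "Send view-only links",
                 "Upload", "View items in folder", "Sync folder", "Set access permissions",
                 "Restrict invitations", "View access stats", "Create/edit Box Notes", "View Box Notes"},
    "Editor": {"Download", "Comment", "Delete", "Create tasks", "Tag", "Edit folder name",
               "Preview", "Send view-only links", "Upload", "View items in folder", "Sync folder",
               "Set access permissions", "View access stats", "Create/edit Box Notes", "View Box Notes"},
    "Viewer Uploader": {"Download", "Comment", "Create tasks", "Preview", "Send view-only links",
                        "Upload", "View items in folder", "Create/edit Box Notes", "View Box Notes"},
    "Previewer Uploader": {"Comment", "Preview", "Upload", "View items in folder", "View Box Notes"},
    "Viewer": {"Download", "Comment", "Create tasks", "Preview", "Send view-only links",
               "View items in folder", "View Box Notes"},
    "Previewer": {"Comment", "Preview", "View items in folder", "View Box Notes"},
    "Uploader": {"Upload", "View items in folder"},
}


def least_privileged_role(required_actions):
    """Return (role, exceeds_recommendation): the role that covers every
    required action while granting the fewest rights overall, and whether
    that role is above the recommended Viewer Uploader ceiling."""
    needed = set(required_actions)
    unknown = needed - ROLE_ACTIONS["Co-owner"]  # Co-owner holds every action in the table
    if unknown:
        raise ValueError(f"unknown action(s): {sorted(unknown)}")
    candidates = [role for role, actions in ROLE_ACTIONS.items() if needed <= actions]
    role = min(candidates, key=lambda r: len(ROLE_ACTIONS[r]))
    exceeds = len(ROLE_ACTIONS[role]) > len(ROLE_ACTIONS[RECOMMENDED_CEILING])
    return role, exceeds


def review_collaborators(collaborators):
    """collaborators: iterable of (name, current_role, required_actions).

    Returns {name: (status, minimal_role)} where status is "ok",
    "over-privileged" (current role grants more than the tasks need) or
    "insufficient" (current role cannot perform a needed action).
    """
    report = {}
    for name, current, needs in collaborators:
        minimal, _ = least_privileged_role(needs)
        if not set(needs) <= ROLE_ACTIONS[current]:
            status = "insufficient"
        elif current != minimal:
            status = "over-privileged"
        else:
            status = "ok"
        report[name] = (status, minimal)
    return report


SAMPLE_COLLABORATORS = [  # constructed for this example, not real IU collaborators
    ("alice", "Editor", {"Download", "Comment"}),      # left at Box's default role; needs far less
    ("bob", "Uploader", {"Upload"}),                   # drop-box style contributor, exactly right
    ("carol", "Viewer Uploader", {"Sync folder"}),     # would need Editor: consult your IT Pro first
]

if __name__ == "__main__":
    for name, (status, minimal) in review_collaborators(SAMPLE_COLLABORATORS).items():
        print(f"{name}: {status} (least-privileged role: {minimal})")
```

For the sample, alice is reported over-privileged (Viewer would do), bob is fine, and carol's Viewer Uploader role is insufficient for Sync, which surfaces exactly the case the page says to take to CAITS or an IT Pro before granting Editor. Because each role's action set has a distinct size, the "fewest rights" choice is unambiguous.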

Using Box with sensitive data

Everyone who interacts with sensitive data in Box, including owners, co-owners, and other collaborators, must help keep it secure. If you put sensitive data in Box, you are responsible not only to abide by the following policies and guidelines, but also to make sure that anyone with whom you share the data is aware of them.

Box apps

Only a subset of official and third-party Box Apps are approved for use with institutional data. Apps not on the approved list may not be used to share or maintain any of the university's sensitive data, because they are not covered by the university's Box agreement. Some apps are approved for most institutional data but not for PHI; these may not be used with any data in Box Health Data Accounts.

Laptop and mobile device security

IU's Mobile Device Security Standard (IT-12.1) applies to all faculty, staff, affiliates, and student employees who use a mobile computing device to access, store, or manipulate institutional data, regardless of who owns the device. It outlines the requirements for any mobile device, including laptop computers, that will access or store university data. Full compliance with this policy is a requirement for using Box with sensitive data.

Box Sync

Syncing folders allows data to be transferred without a log trail, which presents a security risk for regulated data. In addition, having extra copies of data on a local device increases the risk of inappropriate access. Therefore:

  • Do not sync folders containing PHI or other sensitive university data unless it is necessary for your work.
  • Do not sync folders containing PHI or other sensitive university data onto a personally owned computer under any circumstances.
  • Unless your collaborators require Sync to perform their tasks, prevent them from syncing folders by inviting them at a permission level that does not allow it, e.g., Viewer Uploader, as recommended above.
  • If you feel that Sync is necessary for you or your collaborators, consult with CAITS (for Box Health Data Accounts) and/or your departmental IT Pro before enabling it.

Also, be aware that tags and descriptions do not propagate via Sync.

Note:
The information here is based on work done by Information and Technology Services at the University of Michigan.

This is document bfpj in the Knowledge Base.
Last modified on 2017-05-25 08:02:01.
