Box Security Information


Storing regulated data in Box

Confidential and regulated data (student records, Protected Health Information, etc.) may be stored within Box if there is a legitimate business need, but steps must be taken to ensure the data is secure. Please review the PowerPoint created by the Augusta University Information Security Office and reference the information below for the proper way to secure data stored in Box.

Securing Regulated Data on Box at Augusta University (PDF)

Be aware of the Folder icons

Folders in Box appear differently based on whether they are shared or private, hosted at AU or hosted externally, owned by you or someone else, and synced or not synced. See the table below for examples.

Keep in mind: Do not put regulated data in externally hosted folders.

Folder type: Folder description

Single Folder
  • Personal folder
  • Hosted on AU Box
  • Only you have access.
Folder Syncing
  • Personal folder
  • Hosted on AU Box
  • Only you have access.
  • You synchronize the contents of this folder or a subfolder to your local computer.
Shared Folder
  • Shared folder
  • Hosted on AU Box
  • You have some access, but are neither an owner nor co-owner.
Shared Synced Folder
  • Shared folder
  • Hosted on AU Box
  • You are the owner.
  • You synchronize the contents of this folder or a subfolder to your local computer.
Outside Folder
  • Shared folder
  • Hosted externally to AU
  • You have some access, but are neither an owner nor co-owner.

 

Configuring folders to protect data

Tag the folder: Tags help visually indicate the purpose or nature of items in Box, and are also useful for filtering and searching. Tag the folder so that all folder collaborators have a visual indicator that regulated data is stored in it.

Configure Collaboration Settings in Folder: Before inviting collaborators, the folder owner or co-owner must set the proper security restrictions to protect the data in the folder. By AU policy, links that do not require authentication should never be used to grant someone access to confidential or regulated data. Folders that contain regulated data, including PHI, should never use the “People with the link” option or the “People in your company” option. These options are not restrictive enough to secure the folder for regulated data. If you must use links at all, use only the “People in your folder” option. For research projects, collaborators formally listed on your research protocol should be the only collaborators in the folder.

The following settings are found under Properties, by selecting folder settings. They should be carefully reviewed and configured. It is highly recommended that “Restrict collaboration to within Augusta University” be checked unless you have a legitimate need to share with external collaborators. For IRB studies these collaborators must be formally listed on the research protocol.

Restrict the ability to invite collaborators to only owners and co-owners. This is the single most important setting for securing your files and folders. Only individuals who own the content should be in full control of who is able to access the content.

Set the appropriate permissions for all collaborators

Box uses waterfall permissions, i.e., collaborators will have the same permission level in subfolders as they do in the top folder. Choose these options based on the minimum necessary level of access needed to collaborate in the folder. For IRB studies these collaborators must be formally listed on the research protocol. Co-owners and editors may sync folders.

Data Synchronization

Syncing folders allows data to be transferred without a log trail, which presents a security risk for regulated data. In addition, having extra copies of data on a local device increases the risk of inappropriate access. Therefore:

  • Do not sync folders containing PHI or other regulated data unless it is absolutely necessary for your work.
  • Per the Electronic Data Storage and Backup Policy, do not sync folders containing PHI or other sensitive university data onto a personally owned computer under any circumstances.
  • Enterprise-owned devices must be encrypted if they use the data synchronization capabilities of Box to store confidential/regulated data.
  • Unless your collaborators require Sync to perform their tasks, prevent them from syncing folders by inviting them at a permission level that does not allow it, e.g., Viewer Uploader.
Email Uploads

'Allow uploads to this folder via email' (unchecked): If anyone (you or your collaborators) were to send sensitive data via an unencrypted email message, the data would not be protected in transit. It is more secure to only allow uploads using the web interface.
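The folder settings described above can also be checked from folder metadata rather than by clicking through each folder. The following is an added example, not part of the original page or any AU tooling: it assumes folder records that use the Box API folder field names (`tags`, `shared_link`, `can_non_owners_invite`, `is_collaboration_restricted_to_enterprise`, `sync_state`, `folder_upload_email`, `is_externally_owned`), and `REGULATED_TAG` is a hypothetical tag name. The sample records are constructed.

```python
# Added example: check one Box folder record against the rules on this page.
# Assumption: records use Box API folder field names; REGULATED_TAG is hypothetical.
REGULATED_TAG = "regulated-data"
SYNC_CAPABLE_ROLES = {"co-owner", "editor"}  # page: co-owners and editors may sync
BROAD_LINKS = {"open": "People with the link", "company": "People in your company"}


def audit_folder(folder, collaborator_roles=()):
    """Return policy findings for a folder that holds regulated data."""
    findings = []
    if folder.get("is_externally_owned"):
        findings.append("externally hosted folder: no regulated data allowed")
    if REGULATED_TAG not in (folder.get("tags") or []):
        findings.append("folder is not tagged as holding regulated data")
    link = folder.get("shared_link") or {}
    if link.get("access") in BROAD_LINKS:
        findings.append(f"shared link uses '{BROAD_LINKS[link['access']]}'")
    # Missing fields are treated as the unsafe value (fail closed).
    if folder.get("can_non_owners_invite", True):
        findings.append("invitations are not limited to owners and co-owners")
    if not folder.get("is_collaboration_restricted_to_enterprise", False):
        findings.append("external collaboration allowed: confirm legitimate need")
    if folder.get("sync_state") in ("synced", "partially_synced"):
        findings.append("folder is synced to a local device")
    if folder.get("folder_upload_email"):
        findings.append("uploads via email are enabled")
    syncers = [r for r in collaborator_roles if r in SYNC_CAPABLE_ROLES]
    if syncers:
        findings.append(f"{len(syncers)} collaborator(s) hold a sync-capable role")
    return findings


# Constructed sample records (not real data).
WEAK = {
    "is_externally_owned": False, "tags": [], "shared_link": {"access": "open"},
    "can_non_owners_invite": True, "is_collaboration_restricted_to_enterprise": False,
    "sync_state": "synced", "folder_upload_email": {"access": "open"},
}
HARDENED = {
    "is_externally_owned": False, "tags": [REGULATED_TAG], "shared_link": None,
    "can_non_owners_invite": False, "is_collaboration_restricted_to_enterprise": True,
    "sync_state": "not_synced", "folder_upload_email": None,
}

if __name__ == "__main__":
    for finding in audit_folder(WEAK, ["editor", "viewer uploader"]):
        print("FINDING:", finding)
    print("hardened findings:", audit_folder(HARDENED, ["viewer uploader"]))
```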