You are responsible for using U-M Box securely if you use it to store or share sensitive data. Meeting the requirements below will reduce the risk of costly fines and penalties.
Expand All Content
Secure Use of U-M Box
Only the Official Box Apps are considered U-M Box Core Apps, and are approved for use with sensitive university data under the contract between Box and the University of Michigan. Box makes a number of non-core apps available, some for a fee and some at no charge. Box non-core apps may not be used to share or maintain any of the university's sensitive data, because they are not covered by the university's U-M Box agreement.
Please be aware that even though U-M Box Core Apps are approved for storing and sharing many types of sensitive university data, including information protected by HIPAA, services that Box integrates with may not be.
To modify files containing sensitive data, download them to your computer or use Box Edit, which opens applications residing on your computer. Do not use the integration with Microsoft Office Online, because this is not approved for use with sensitive university data. Only store and share files containing sensitive data using U-M services that are appropriate for the sensitive data types involved. See the Sensitive Data Guide to IT Services for information about appropriate services
Do not put sensitive data in folders owned by individual users at U-M or in folders owned by Box users outside of U-M. See Shared U-M Box Accounts for how to request and use a shared account. When you make your request, ask for an account for use with sensitive data.
Check with your unit manager/supervisor to see whether your unit places additional restrictions on sensitive data, or your use of the data is subject to additional laws and regulations.
You don't need to do anything to meet this requirement; folders are not synced unless you set up Box Sync and turn sync on for the specific folder. Box Sync makes a copy of the data in U-M Box on your device, typically a laptop or desktop computer, and keeps it synchronized. This copy might not have appropriate restrictions set up. In general, you should not make additional copies of sensitive data unless they are truly needed and you have applied appropriate access restrictions to them. Having additional copies of the data increases the risk of unintended and inappropriate access.
Secure Collaboration with U-M Box
These settings are required if you are working with PHI data and recommended for other sensitive data types.
Below are the settings used to secure the top-level folder in shared U-M Box accounts when sharing sensitive data. Note that permission settings on a folder apply to all the folders and files inside it. Configure these settings if they have not already been set for you. If you wish to use your top-level sharing folder, you do not need to designate a different top level folder, but should still review your settings to be sure they are correct.
- Check "Only Owners and Co-owners can send collaborator invites."
- Leave "Allow anyone who can access this folder from a shared link to join" unchecked.
- Check "Restrict shared links to collaborators only" for both files and folders.
You can check in Folder Properties to make sure these are set appropriately. (See Set the Appropriate Folder Security Settings for Protecting Sensitive Data.)
Keep your list of collaborators (the people to whom you give access to folders) up-to-date. Only add people who need access to do their university work. Remove people as collaborators immediately when they no longer need that access (For example, when they leave the university or change jobs). See Box's Invite Colleagues And Friends for instructions. Also see Know your Folder Icons on U-M Box: Protecting Sensitive Data to learn how to identify folders with collaborators at a glance.
Give your collaborators only the permissions they need to do their work, and no more.
- Viewer/Uploader permissions are sufficient for most collaborators.
- If someone does not need to make changes to files in a folder, give them only view or preview access.
- Do not give collaborators edit access unless they need it for their work.
See Understanding your Permissions on U-M Box: Protecting Sensitive Data for details.
Additional Best Practices
Consider following these additional best practices to help you keep the sensitive data in your Shared U-M Box account organized. Clearly identify information as sensitive to make it easier to see where security safeguards are needed and where you must be careful to monitor and update access restrictions.
- Use tags to identify folders containing sensitive data. See Tags on U-M Box: Protecting Sensitive Data for details.
- Follow naming conventions that clearly identify folders that contain sensitive data. For example, you might want to prefix your folder name with the type of data it contains or its data classification level:
- Contracts (Moderate level)-