Use U-M Box Securely With Sensitive Data

You are responsible for using U-M Box securely if you use it to store or share sensitive university data. You are permitted to store and share multiple types of sensitive data in U-M Box folders as long as you set up and maintain them in accordance with the instructions below.

Secure Use of U-M Box

Only use Core Apps.

Only the Official Box Apps are considered U-M Box Core Apps, and are approved for use with sensitive university data under the contract between Box and the University of Michigan. Box makes a number of non-core apps available, some for a fee and some at no charge. Box non-core apps may not be used to share or maintain any of the university's sensitive data, because they are not covered by the university's U-M Box agreement.

Only store and share approved data types.

Please be aware that even though U-M Box Core Apps are approved for storing and sharing many types of sensitive university data, including information protected by HIPAA, services that Box integrates with may not be.

To modify files containing sensitive data, download them to your computer or use Box Edit, which opens applications residing on your computer. Do not use the integration with Microsoft Office Online, because it is not approved for use with sensitive university data. Only store and share files containing sensitive data using U-M services that are appropriate for the sensitive data types involved. See the Sensitive Data Guide to IT Services for information about appropriate services.

Use only a shared U-M Box account that has been set up for sensitive data, and put sensitive data only in the shared account folders set up specifically for that purpose.

Do not put sensitive data in folders owned by individual users at U-M or in folders owned by Box users outside of U-M. See Shared U-M Box Accounts for how to request and use a shared account. When you make your request, ask for an account for use with sensitive data.

Follow unit policies and restrictions.

Check with your unit manager/supervisor to see whether your unit places additional restrictions on sensitive data, or whether your use of the data is subject to additional laws and regulations.

If you use Box Sync or Box Drive on a personally owned computer, refrain from syncing folders containing sensitive university data.

You don't need to do anything to meet this requirement; folders are not synced unless you set up Box Sync and turn sync on for the specific folder. Box Sync makes a copy of the data in U-M Box on your device, typically a laptop or desktop computer, and keeps it synchronized. This copy might not have appropriate restrictions set up. Additionally, when using Box Drive, do not mark U-M sensitive data for offline storage/access on personal machines. In general, you should not make additional copies of sensitive data unless they are truly needed and you have applied appropriate access restrictions to them. Having additional copies of the data increases the risk of unintended and inappropriate access.

Secure Collaboration with U-M Box

Configure these settings on your U-M Box shared folder to secure it for use with sensitive data.

These settings are required if you are working with PHI data and recommended for other sensitive data types.

Below are the settings used to secure the top-level folder in shared U-M Box accounts when sharing sensitive data. Note that permission settings on a folder apply to all the folders and files inside it. Configure these settings if they have not already been set for you. If you wish to use your top-level sharing folder, you do not need to designate a different top-level folder, but you should still review your settings to be sure they are correct.

  • Check "Only Owners and Co-owners can send collaborator invites."
  • Leave "Allow anyone who can access this folder from a shared link to join" unchecked.
  • Check "Restrict shared links to collaborators only" for both files and folders.

Carefully and regularly control who you give access to folders.

Keep your list of collaborators (the people to whom you give access to folders) up-to-date. Only add people who need access to do their university work. Remove people as collaborators immediately when they no longer need that access (for example, when they leave the university or change jobs). See Box's Invite Colleagues And Friends for instructions. Also see Know your Folder Icons to learn how to identify folders with collaborators at a glance.

Use Viewer/Uploader permissions as your default for collaborators, and give your folder collaborators only the permissions needed for their work.

Give your collaborators only the permissions they need to do their work, and no more.

  • Viewer/Uploader permissions are sufficient for most collaborators.
  • If someone does not need to make changes to files in a folder, give them only view or preview access. 
  • Do not give collaborators edit access unless they need it for their work.

See Collaborator Access Levels for details.

Additional Best Practices

Consider following these additional best practices to help you keep the sensitive data in your Shared U-M Box account organized. Clearly identify information as sensitive to make it easier to see where security safeguards are needed and where you must be careful to monitor and update access restrictions.

  • Use tags to identify folders containing sensitive data. See Tagging Items in Box for details.
  • Follow naming conventions that clearly identify folders that contain sensitive data. For example, you might want to prefix your folder name with the type of data it contains or its data classification level:
    • HIPAA-
    • Restricted-
    • Contracts (Moderate level)-