Tips for Securing Sensitive Data in Box

August 2020

It is critical for Box users to apply protections to any Box folders that contain sensitive data. Information about how to do this is provided below. To understand what data requires protection, please review the Sensitive File Storage Guide.

Securing Box Folder Access

Box uses waterfall permissions. This means that people who have a permission at the top level of the folder structure have the same permission in every subfolder beneath it.

Take the following steps to ensure greater security for any Box folders that contain sensitive data.

  1. Limit the number of collaborators who can access the data.
  2. Limit the number of collaborators with access at the top level of the folder structure, and only add additional collaborators to lower-level subfolders.
  3. Limit the level of permission you give collaborators. This restricts what they can do with the data. Examples of restricted permissions are:
    • Previewer. Collaborators are able to preview data. They are not able to print or download.
    • Previewer Uploader. Collaborators are able to preview data and upload files and folders into a folder. They are not able to print or download.
    • Viewer Uploader. Collaborators are able to upload, download, preview, share, and edit. Caution should be taken in assigning this level of permission: If a user has permission to “share,” they can create a shared link and send it to anyone, and the recipients are then able to view and download the data.
  4. Limit collaborators from being Editors and Co-Owners. Both of these permissions allow collaborators to share the folder with anyone and to give editor and co-owner permissions to anyone.
  5. Be careful when creating shared links, which can put sensitive data at risk.
    • When creating a shared link, make sure to select “Invited People Only.” This ensures that no one else will get access to the folder when clicking on the shared link.
  6. Set expiration dates for shared links.
    • Select “Share Link” and select “Link Settings.”
    • Put a check mark in “Disable Shared Link on” and select the date you want the shared link to expire.
    • Select “Save.” The shared link will no longer work past the expiration date.
  7. Modify the folder at the top folder level to secure the folder and subfolders and block editors from sending collaboration invitations.
    • Select the … tab on the right side of the folder.
    • Select “Settings”
    • Under Collaboration check:
      1. Only folder owners and co-owners can send collaborator invites.
      2. Restrict collaboration to within University of California, Office of the President. This will prevent any invitations to collaborators outside UCOP.
      3. Select “Save Changes” in the top right to enable this on the folder.
  8. Conduct periodic reviews of folder contents and folder access. Any files that are no longer needed, or are no longer required per the UC Records Retention Schedule, should be deleted from Box. In addition, folder access should be removed for anyone who no longer has a “need-to-know,” for example, if collaborators have taken on new roles or have left the organization.
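
For the periodic review in step 8, the following added example (not part of the original guidance and not Box's own tooling) applies the waterfall rule to a folder inventory and flags the conditions steps 3 to 7 warn about. The inventory layout, folder names, accounts, the non-"Invited People Only" link label and the ucop.edu internal-domain check are constructed assumptions for illustration.

```python
from datetime import date

# Roles the guidance above says can share or re-invite others.
SHARE_CAPABLE = {"Viewer Uploader", "Editor", "Co-Owner"}
INTERNAL_DOMAIN = "ucop.edu"  # assumption: internal accounts use this domain

# Constructed inventory (hypothetical layout, not a Box export format).
FOLDERS = {
    "/HR": {"collabs": {"ana@ucop.edu": "Co-Owner", "raj@ucop.edu": "Editor"},
            "link": None},
    "/HR/Payroll": {"collabs": {"lee@ucop.edu": "Previewer"},
                    "link": {"access": "People with the link", "expires": None}},
    "/HR/Payroll/2020": {"collabs": {"vendor@example.com": "Viewer Uploader"},
                         "link": {"access": "Invited People Only",
                                  "expires": date(2020, 9, 30)}},
}

def ancestors(path):
    """Yield the folder itself, then each parent up to the top level."""
    while path:
        yield path
        path = path.rsplit("/", 1)[0]

def effective_access(path, folders):
    """Waterfall: a collaborator on any ancestor folder has that role here too."""
    access = {}
    for p in reversed(list(ancestors(path))):  # top level first
        for user, role in folders.get(p, {}).get("collabs", {}).items():
            # Simplification: if listed at several levels, report the top-most grant.
            access.setdefault(user, (role, p))
    return access

def audit(folders):
    """Return (folder, subject, issue) tuples for a reviewer to follow up on."""
    findings = []
    for path in sorted(folders):
        for user, (role, src) in sorted(effective_access(path, folders).items()):
            if role in SHARE_CAPABLE:
                findings.append((path, user, f"{role} can share (granted at {src})"))
            if not user.endswith("@" + INTERNAL_DOMAIN):
                findings.append((path, user, "external collaborator"))
        link = folders[path]["link"]
        if link and link["access"] != "Invited People Only":
            findings.append((path, "shared link", "not limited to Invited People Only"))
        if link and link["expires"] is None:
            findings.append((path, "shared link", "no expiration date"))
    return findings

if __name__ == "__main__":
    for folder, subject, issue in audit(FOLDERS):
        print(f"{folder:18} {subject:20} {issue}")
```

Because of the waterfall rule, the two top-level collaborators are reported again on every subfolder, which is why step 2 recommends adding people at the lowest level that meets their need.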

Questions

For general Box questions or support, please contact IT Client Services. For consultation regarding storing sensitive files on Box, contact records@ucop.edu.