On This Page:
Secure Online Storage at UMass Amherst can be used for storing or sharing most types of university data, using certain additional security measures, including some data that that is considered sensitive data. For specific information see Understand Sensitive Data at UMass Amherst. For information about the different types of sensitive data see Data Classification at UMass Amherst. For information about what data can be stored in Box, see What types of data are appropriate for my Secure Online Storage at UMass Amherst account?
At UMass Amherst, to store sensitive data in Secure Online Storage at UMass Amherst provided by Box:
- Verify that your data is allowed in Box; see What types of data are appropriate for my Secure Online Storage at UMass Amherst account?
- Put the data in a folder owned by the appropriate account
- Understand and implement the security measures listed below.
A note about Box Sync at UMass Amherst
- A file or document in the Box Cloud is covered by the contract and BAA.
- The copy of the file downloaded to a Sync folder on a computer is not covered by the contract and BAA.
- The downloaded Sync copy is a file on a computer, and the security of the computer and the network applies, not Box.
If you have any questions about the Terms of Service or the security issues involved, please contact security@umass.edu
Understanding folder ownership
Although Box itself is a secure platform (for more, see Are files and data safe using Secure Online Storage at UMass Amherst?), individual choices determine how secure a given piece of data is. Folder ownership and settings are key to the security of data in Box. When you log into Box for everyday work, you will interact with a variety of shared and private folders, each with its own level of security set by its owner. At UMass Amherst, role accounts (rather than individual user accounts) are the best folder owners for university data.
Configuring folders to protect data
Visual indicators
There is no Box folder icon that will indicate the sensitivity of the data it contains. A folder with sensitive data will appear alongside individual folders and standard collaboration folders in each individual's Box account. Therefore, the folder owner or co-owner needs to give visual cues to the folder collaborators indicating the nature of the contents; descriptions and tags are additional options. You should also know the difference between the different folder icons in Box. None of these visual cues will protect files or folders by themselves, but they can help you prevent inappropriate access by making it clear which information you and your collaborators need to take care with.
Folder icons
- Do not put sensitive data in externally hosted folders.
- Do not put sensitive data in a folder owned by an individual. This prevents exposure or loss of the data if an individual account owner leaves the university or changes departments.
Folder type |
Folder description |
|
|
|
|
|
|
|
|
|
Descriptions
Any file or folder in Box can have a brief description, which will appear below the item name in the folder list view. It is recommended to use the description field to indicate the purpose or nature of an item to collaborators. You may see the option to add a description when creating or uploading an item; to add one to an existing file or folder in Box, in the folder view, either right-click the item, or click the drop-down menu to the right of the item name. Then choose General Info. Enter the description in the "Description:" field, and then click Save.
Tags
Tags help visually indicate the purpose or nature of items in Box, and are also useful for filtering and searching. Tags can be applied to files as well as folders. You must tag each item manually (i.e., tags do not automatically propagate to contents or subfolders), but you can select more than one item at the same level and tag them all at once.
Folder security settings
Before inviting collaborators, the folder owner or co-owner must set the proper security restrictions to protect the data in the folder.
- Right-click the folder, or from within the folder, click More.
- Select Properties, and then Security.
- Set the following options:
-
Restrictions:
- Only Owners and Co-owners can send collaborator invites (checked): Restrict the ability to invite collaborators to only owners and co-owners. This is the single most important setting for securing your files and folders. Only individuals who own the content should be in full control of who is able to access the content.
- Restrict collaboration to within Umass Amherst (depends): This setting determines whether or not this folder and its content will allow collaborators outside of UMass Amherst, which will vary by your project needs. It is your responsibility to share data with only those who should have access to the data.
- Hide collaborators (unchecked): does not recommend hiding collaborators with sensitive data; it is more secure to know exactly who has access to files and folders.
- Disable commenting for this folder (unchecked): As sharing and collaboration is the goal of using Box, does not recommend disabling the ability to comment on folders. Keep in mind that all roles (except Uploader) have the ability to view comments.
-
Membership:
- Allow people who can access this folder from a shared link to join (unchecked): This option is only useful if you are sharing with "People with the link" or "People in your company." Do not check this for any folder containing sensitive data.
-
Shared Links:
- Restrict shared links to collaborators only (checked): Shared links provide quick access directly to files and folders by only clicking the link. This setting limits access to shared links to those who already have access to the content as collaborators. This is an important access control for any folder you are trying to secure and monitor. Leave the drop-down menu set to For both files and folders.
Collaborator permission levels
It is recommended that you invite collaborators at a level no higher than Viewer Uploader. Note that the default setting (Editor) is higher than this recommendation. Viewer Uploader is adequate for editing tasks.
Box uses waterfall permissions, i.e., collaborators will have the same permission level in subfolders as they do in the top folder. For details, see Sharing files on Box.
Action | Co-owner | Editor | Viewer Uploader | Previewer Uploader | Viewer | Previewer | Uploader |
Download | Yes | Yes | Yes | No | Yes | No | No |
Comment | Yes | Yes | Yes | Yes | Yes | Yes | No |
Delete | Yes | Yes | No | No | No | No | No |
Create tasks | Yes | Yes | Yes | No | Yes | Yes | No |
Tag | Yes | Yes | No | No | No | No | No |
Invite people | Yes | Yes | No | No | No | No | No |
Edit folder name | Yes | Yes | No | No | No | No | No |
Edit folder properties | Yes | No | No | No | No | No | No |
Preview | Yes | Yes | Yes | Yes | Yes | Yes | No |
Send view-only links | Yes | Yes | Yes | No | Yes | No | No |
Upload | Yes | Yes | Yes | Yes | No | No | Yes |
View items in folder | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
Sync folder | Yes | Yes | No | No | No | No | No |
Set access permissions | Yes | Yes | No | No | No | No | No |
Restrict invitations | Yes | No | No | No | No | No | No |
View access stats | Yes | Yes | No | No | No | No | No |
Create/edit Box Notes | Yes | Yes | Yes | No | No | No | No |
View Box Notes | Yes | Yes | Yes | Yes | Yes | Yes | No |
Using Box with sensitive data
Everyone who interacts with sensitive data in Box, including owners, co-owners, and other collaborators, must help keep it secure. If you put sensitive data in Box, you are responsible not only to abide by the following policies and guidelines, but also to make sure that anyone with whom you share the data is aware of them.
Editing sensitive data
The most secure way to edit files in Secure Online Storage for UMass Amherst is to use the online Box Edit; you can edit Microsoft Office files directly and securely within the Box browser interface.
Box apps
Only a subset of Box Apps are approved for use with university data. Apps not listed in the approved list may not be used to share or maintain any of the university's sensitive data, because they are not covered by the university's Box agreement.