Storing Restricted Data in Box

Overview

Computing and Technology Services (CTS) have implemented Box Shield and Box Governance to protect Duquesne's most sensitive data and reduce risk when collaborating with internal and external partners.

With Box Shield, you can classify sensitive University data stored in Box to add additional security controls and prevent unauthorized access.


Data classifications

Data classifications are based on who should have access to institutional data stored in Duquesne's Box environment and help restrict sharing and download capabilities. Information stored in Box falls into one of four classifications: Public, Internal, Restricted and Restricted–Collaborative.

Definition:

Data that is open to the public. The disclosure, alteration or destruction of this data poses little or no risk to the University.

Restrictions:

None

Examples:

  • Course catalogs
  • Job postings
  • Campus maps
  • Directory information for faculty, staff, or students (excluding information for which a Family Educational Rights and Privacy Act (FERPA) block has been requested.)

Definition:

Data that should be protected from general access and restricted to protected groups or individuals. The disclosure, alteration or destruction of this data poses some risk to the University.

Restrictions:

  • Shared links cannot be made publicly accessible.
  • External collaboration restricted.
  • Download restricted on web for external users.
  • Download restricted on mobile for external users.
  • Download restricted on Box Drive for external users.

Examples:

  • Non-Banner information stored in or accessed via DORI
  • Non-public contracts
  • Unpublished research papers
  • Building floor plans

Definition:

Data that could seriously or adversely impact the University. The disclosure, alteration or destruction of this data could cause a significant level of risk to the University.

Restrictions:

  • Shared links allowed for collaborators only.
  • External collaboration restricted.
  • Download restricted on web, except Owners/Co-Owners/Editors. Also restricted for external users.
  • Download restricted on mobile, except Owners/Co-Owners/Editors. Also restricted for external users.
  • Download restricted on Box Drive, except Owners/Co-Owners/Editors. Also restricted for external users.
  • Some application restrictions apply.

Examples:

  • PII (Social Security numbers, driver's license numbers)
  • Banking or financial account information
  • Credit card information (PCI)
  • Student protected data (FERPA)
  • Health protected data (HIPAA)
  • Human resource data
  • University financial data
  • Central authentication data
  • Intellectual property data

Definition:

Restricted data available outside of Duquesne University with security controls applied to restrict access.

Restrictions:

  • Download restricted on web, except Owners/Co-Owners. Also restricted for external users.
  • Download restricted on mobile, except Owners/Co-Owners. Also restricted for external users.
  • Download restricted on Box Drive, except Owners/Co-Owners. Also restricted for external users.

Classify data stored in Box

You can add, edit or delete classifications to data stored in Box by performing the following steps:

  1. Go to duq.edu/box and sign in with your MultiPass username and password.
  2. Click More options [...] on a file or folder that you want to classify.
  3. Select Classify.

Add a classification

  1. Choose the classification level you want to apply to the selected file or folder.
  2. Click Apply.

Edit a classification

  1. Choose the new classification level you want to apply to the selected file or folder.
  2. Turn on the Overwrite all existing classifications with this value toggle to apply the new classification.
  3. Click Apply.
  4. On the Overwrite Existing Classifications alert, click Proceed.

Delete a classification

  1. Click Remove.
  2. On the Remove Classification alert, select whether you want to remove an individual classification or all classifications.
  3. Select I understand this cannot be undone and operation may take time based on volume of content.
  4. Click Remove.

Box Shield security features

In addition to data classifications, Box Shield offers the following security features to further protect Duquesne's information:

  • Malware protection: Analyzes files uploaded by internal and external users to identify potential malware.
  • Anomalous downloads: Tracks suspicious download behavior of Duquesne users who may be misusing University data.
  • Suspicious logins and location: Detects access activities that may be occurring from untrusted locations or high-risk countries.
  • Automatic data classification: Personally identifiable information (PII) is automatically classified as Restricted.

Box Governance retention policies

Box Governance allows CTS to set data retention periods for data that has regulatory requirements, such as HIPAA and financial records. If you or your department would like to request a Box Governance retention policy, please send an email to help@duq.edu.