These practices are intended to provide guidance on how to safeguard data stored or shared in the Duke Box.com (Box) instance.
Duke users have the ability to share many types of data in their Box account, including data considered Sensitive (See the Duke Data Classification Standard). Users are responsible for ensuring that data stored in their Duke Box account is not intentionally or unintentionally disclosed to unauthorized parties.
Box and Sensitive Data
Box has been approved by the Security Offices for sharing of Duke Sensitive data, however, you must use the Sensitive Data folder for that purpose.
In order to store and share Sensitive data, Duke users can make use of the SENSITIVE folder provided in Box. The SENSITIVE folder has been configured to prevent sharing of files to anonymous individuals (those without a Box account).
- Collaborators may be invited via link and are required by the system to have a strong password following Duke Password requirements.
- If your collaborator already has a Box account, and the password meets the password requirements, no changes need to be made.
- If your collaborator already has a Box account but the password does not meet the password requirements, they will be asked to update their password.
- If your collaborator does not have a Box account, they will be invited to create one with a strong password.
- The folder entitled SENSITIVE has been provided for Duke Box users working with Sensitive information (as defined in the Duke Data Classification standard) for sharing, collaboration, or storage of that data.
- The SENSITIVE folder may be requested as needed for those users that did not receive the folder during their account creation, including those within Duke University. Duke University users may request a SENSITIVE folder through Support@Duke. Users can create as many additional subfolders within the SENSITIVE folder as needed.
- The SENSITIVE folder is automatically provisioned for all faculty and staff in Duke Medicine.
- Where possible, users should exercise care by removing files containing Sensitive information from their Duke Box account once those files are no longer being actively used or shared. In particular, expiration dates can and should be set by users to remove links sharing Sensitive data after they are no longer needed for collaboration.
The Box Sync application should not be used to synchronize the full contents of a user’s hard drive to a Box account. Instead, files and directories should be explicitly selected and stored in the Box folder for synchronization through Box.
Detecting Suspicious Logins
The Duke Box system provides users with emailed notifications of logins from new locations. Users can report any suspicious logins through Support@Duke.
Projects and Duke University Classes Containing Sensitive Data
In addition to individual accounts provided to Duke faculty, students and staff, Duke Box accounts may be provided for projects and classes. Researchers working with human subject research or other protected research should ensure that the IRB or external grant providers have approved the use of Box for their research protocols. A Duke user may request this service by submitting a ticket through Support@Duke.
Accounts and Access
Multifactor Authentication is strongly encouraged for any user’s Duke Box account that is used to store or share Sensitive data. Users may enroll at https://oit.duke.edu/mfa.
Access will be terminated when an account holder leaves Duke, typically on the last day worked. Users may transfer personal files out of Box prior to leaving Duke. Duke data will not be transferred to personal accounts; instead Duke data that are to be retained should be transferred to an appropriate Duke employee in advance of the account holder’s departure or deleted if appropriate.
The following practices are recommended when sharing data with collaborators:
- The user granting the collaborator access is responsible for removing the collaborator’s access when the access is no longer required for legitimate Duke activities.
- Duke Box users should not enable anonymous sharing of Sensitive or Restricted data.