Scope
These practices are intended to provide guidance on how to safeguard data stored or shared in the Duke Box.com (Box) instance.
Usage Practices
Duke users can share many types of data in their Box account, including data considered Sensitive (see the Duke Data Classification Standard). Users are responsible for ensuring that data stored in their Duke Box account is not intentionally or unintentionally disclosed to unauthorized parties.
Box and Sensitive Data
Syncing
Due to the risk that personal data (including Sensitive data) could be inadvertently shared, the Box Sync application should not be used to synchronize the full contents of a user’s hard drive to a Box account. Instead, files and directories should be explicitly selected and stored in the Box folder for synchronization through Box.
Detecting Suspicious Logins
The Duke Box system provides users with emailed notifications of logins from new locations. Users can report any suspicious logins through Support@Duke.
Projects and Duke University Classes Containing Sensitive Data
In addition to individual accounts provided to Duke faculty, students and staff, Duke Box accounts may be provided for projects and classes. Researchers working with human subject research or other protected research should ensure that the IRB or external grant providers have approved the use of Box for their research protocols. A Duke user may request this service by submitting a ticket through Support@Duke.
Accounts and Access
Multifactor Authentication is strongly encouraged for any user’s Duke Box account that is used to store or share Sensitive data. Users may enroll at https://oit.duke.edu/mfa.
Leaving Duke
Access will be terminated when an account holder leaves Duke, typically on the last day worked. Users may transfer personal files out of Box prior to leaving Duke. Duke data will not be transferred to personal accounts; instead, Duke data that are to be retained should be transferred to an appropriate Duke employee in advance of the account holder’s departure, or deleted if appropriate.
Data Sharing
The following practices are recommended when sharing data with collaborators:
- The user granting the collaborator access is responsible for removing the collaborator’s access when the access is no longer required for legitimate Duke activities.
- Duke Box users should not enable anonymous sharing of Sensitive or Restricted data.