Product information
Overview
The Box Best Practices Workgroup, composed of IT and administrative professionals from across UC Davis, has developed a set of recommended practices and configurations for using Box in an institutional context, such as a department, workgroup, or lab. The recommendations address security, sharing, managing access, common practices, etc.
The full whitepaper can be found here: https://ucdavis.box.com/v/box-best-practices
In summary, the recommendations are:
Accounts & Permissions
- When storing business, research, or other organizational data, use a departmental account that is not tied to an individual.
- Larger organizational units should create a single departmental Box account, then create separate delegated folders for each business/research unit within the larger organization.
- Leverage Box groups by assigning permissions to groups rather than to individuals.
- Use uConnect Active Directory/Box group sync to manage membership of Box groups.
- Grant permissions at the lowest level in the folder tree rather than at the root level.
- Grant Co-Owner rights only when there is a demonstrated business need, and use Editor or lower access levels in most cases.
Policies
- Set a policy and expectation that all work-related data must be stored within the department-managed Box folder structure.
- Set policies and expectations regarding what can and should be shared publicly and what should remain private.
- Do not use Box as a backup solution. Other services, such as Crashplan, are available for backing up data.
Sensitive Content
- Check https://cloud.ucdavis.edu/services/box-davis for what types of data can be stored in Box.
- For sensitive content, restrict the use of shared links to collaborators.
- For sensitive content, either limit most users to the Viewer Uploader access level or use folder settings to explicitly restrict inviting collaborators to folder Owner and Co-Owner access levels.
- Carefully evaluate the kinds of sensitive data that might be stored in Box in the context of departmental business needs, and set policies and procedures regarding what data is appropriate to store in Box, what technical AND administrative controls should be applied to data in Box, and how employees are expected to handle data in general.
- Departments that have standardized on Windows and Office should consider deploying Box for Office. Organizations that work with sensitive data and that use email for transmitting that data as attachments should deploy Box for Office and train users to use Box shared links to retain more control over shared data.
Training
- Train users to avoid creating separate files for different versions and instead leverage Box version history.
- Leverage the free training resources provided by Box to ensure that users are fluent in the use and features of Box.
Migrating Content
- For departments that need to migrate large or even moderate amounts of data (e.g., more than 20 GB) to Box, use the Box FTP service rather than the web interface to transfer the data quickly.
- Migrate individual business units or workgroups separately, rather than attempting to move the entire department at one time.
Folder Names
- Use a naming convention where all folders are prefixed with the root department name or abbreviation to distinguish them from user-created folders.
- Clearly delineate folders that are intended to be public from folders that are intended to remain private via a naming convention.
Maintaining Security
- Use the “Only folder owners and co-owners can send collaborator invites” security setting to prevent Editors from inviting additional users to collaborate.
- To prevent users from creating and sharing links with other users outside of your department or outside of UC Davis, use the “Only collaborators can access this folder via shared links” security setting.
- Use the “Restrict collaboration to within UC Davis” security setting to prevent collaboration with external Box accounts.
- With the Box mobile apps, implement reasonable mobile security practices including PIN, password, or fingerprint access along with automatic locking after a short period of inactivity.
Box Sync
- Departmental Box administrators should carefully consider the pros and cons of Box Sync and set a clear policy regarding its use.
- Be careful when restoring a local Box Sync folder from backup to ensure that Box Sync does not overwrite newer versions stored on Box with older versions restored from backup.
- Do NOT configure multiple cloud storage sync utilities to synchronize the same local folder.
Box Edit
- If users will be encouraged to use the Box web interface, best practice is to ensure that Box Edit is installed.
Metadata Controls
- When files will be shared publicly or even with a university-wide audience, ensure that policies, practices, and training regarding appropriate metadata controls are in place.
FTP
- Use an FTP client that supports the encrypted FTPS or FTPES protocols. Do NOT use unencrypted FTP to Box.
- When using Box FTP, set a secure Box external password or passphrase, as this credential grants full access to all data stored within the associated Box account.
Backups
- Do not use Box as a backup or archival solution. Other campus services, such as Crashplan, exist for this function.
- Most departmental uses of Box do not require separate backups.
Permanently Deleting Data
- To request permanent deletion of data prior to the 90-day Trash expiration, submit a request to IT Express. Once data reaches the 90-day Trash expiration, or is permanently deleted from Trash through a request to IT Express, that data is not recoverable.