Loyola Marymount University (LMU) has contracted with Box to provide Enterprise Box accounts to all students, faculty, and staff. These guidelines describe LMU’s Box service and its appropriate use. By reviewing these guidelines, users will become familiar with the University’s recommendations for using Box. The following is guidance on appropriate use of the Box service with respect to safeguarding institutional data.
Box is a secure file sharing and storage service that enables users to store work documents in the cloud, and to access those documents anywhere, anytime they can connect to the Internet. LMU’s Enterprise Box service is a centrally provisioned cloud service that allows users to easily share and collaborate with people inside and outside of LMU.
Box, with unlimited storage, will replace the bulk of departmental network drives with department Box folders, and individual network drives with individual Box folders. Users can access Box on the iPhone, iPad, Android devices and Windows Phones. Users can access their LMU Box account as long as they are an active LMU or LLS student, faculty or staff.
Box can be accessed on the latest version of most browsers. However, if Java-based programs are used for work, such as Banner, MetaViewer, or Nolij Web, ITS recommends that users use Google Chrome to access Box.
Once files are uploaded to Box, they are completely encrypted. Box encrypts data while it is sitting in any Box account. This is called encryption at rest. All content stored in Box is kept in multiple data centers with multiple providers, ensuring redundancy of service and high availability for user data. All Box data centers use a variety of secure mechanisms to protect user data, including strict access policies plus secure vaults and cages. Please note, though, that if users delete an item from their Box account, those files stay in the Trash for 30 days.
While ITS supports both Google Apps for Education and Box, it is highly encouraged that users follow these general guidelines.
- Box: Any department that creates business-related documents should store these files in Box. Committees and student groups are also encouraged to use Box to store and share documents.
- Google Drive: For academic use, faculty can use Google Drive to share class-related documents with the class. If users decide to move contents from Google Drive to Box, it is the responsibility of the owner to download those documents to a computer and then upload them to Box.
Content stored in Box is encrypted and safe to store FERPA data. Box also provides the administrative, technical, and physical safeguards to support HIPAA compliance. However, it is still important that the users protect LMU/LLS account credentials to prevent unauthorized access to Box accounts.
Sensitive documents containing Social Security numbers, driver's license numbers, credit and debit card information, or bank account numbers should not be stored in Box. This is a University-wide guideline.
Some departments, due to an existing workflow, databases, or complicated Excel macros or functions, will still store this type of data on a network drive. ITS will work with these departments to address their needs, ensure there are no interruptions to business practices, and create a new network drive to meet their needs. These departments will not be keeping their current departmental network drive.
Permissions for existing department network drives will not be transferred automatically to the new network drive.
Individual Folders: Students, faculty, and staff should login to LMU Box to activate their account. These individual folders are associated with an active user and typically are used to store work-in-progress files or class-related files.
Department Folders: Department folders are considered non-personal account that is not associated with an individual. Two department co-owners are recommended at the top-level folder. Any department that creates business-related documents should store these files in Box.
Group Folders: Similar to department folders above, this type of account is not associated with any individual. Two co-owners are recommended at the top-level folder. Committees, student clubs or organizations should contact ITS Service Desk at firstname.lastname@example.org to request a group folder.
Users are responsible for managing their data, which includes deleting non-essential or obsolete files in accordance with their department’s retention policy.
- Routinely review and revise access privileges to each Box folder. This includes work-study students no longer employed and staff transferred to another department. or left the University. Box provides clear information showing who has access to a folder and the scope of their access.
- Consider carefully the access granted to each Box folder. Limit a folder’s access to those persons with a need to know the information for a university purpose. Give folder collaborators only the permissions they need to do their university work and no more.
- Do not sync a Box folder or download information from Box onto a device, including a laptop, tablet or mobile phone, unless there are strong controls on the endpoint device. Box permits only users with owner, co-owner or editor permission to sync Box folders.
- Consider using naming conventions that clearly identify folder content.
Each user, department, or group is responsible for moving data from existing network drive to corresponding Box folders. Departments with large amounts of data and complicated folder structure are encouraged to contact ITS Service Desk at email@example.com for a file transfer solution.
Before moving any files, take time to clean up old files that are no longer needed. Consider the business value of the file. If files haven not been accessed or modified in over a year, chances are the content is no longer valuable for ongoing collaboration and social sharing. If uncertain, consider moving older data into “archive” folders for future review and deletion.
ITS recommends two methods for initial content migration to Box.
- Upload File or Upload Folders: In Box, click Upload and locate the files or folders. Uploading folders currently only works in Google Chrome.
- Drag and Drop: Simply drag files or folders to a Box folder.
When faculty and staff leave the University, access to their account is removed. This includes their access to Box files and folders. Student account deprovisioning is currently being revised and will be updated here once complete.
Request to access data stored in a former staff’s Box account should be made to Human Resources directly. Access is not provided to former student data.