Carnegie Mellon University

Box

Summary

Box is a cloud based storage solution. Carnegie Mellon has contracted with Box to provide Enterprise Box accounts to all students, faculty and staff. The following is guidance on appropriate use of the Box service with respect to safeguarding institutional data.

Personal vs. Enterprise Box Accounts

Personal Box accounts are made available by Box to the general public. These accounts are not sponsored by Carnegie Mellon and do not offer the same level of security or contractual protections that are afforded to an enterprise Box account.

Enterprise Box accounts are offered by Carnegie Mellon to its students, faculty and staff. Carnegie Mellon has entered into a contractual relationship with Box to offer this service to its constituents. These Box accounts offer additional technical and contractual safeguards in comparison to personal Box accounts. Enterprise Box accounts leverage your Andrew ID and password for authentication.

Guidance to Students

Carnegie Mellon’s Box service can be safely used to store most of your documents. As with any other cloud storage solution, you should use caution when storing documents that contain sensitive information, such as your Social Security number, driver’s license number or credit card information. Students should consider encrypting documents that contain sensitive information (e.g. Adobe Acrobat and Microsoft Office both offer encryption features) or redacting the sensitive portions of the document prior to uploading to Box.

Guidance to Faculty and Staff

Use of personal Box accounts for storage of institutional data should be avoided. With that being said, sufficient safeguards are in place for storage of Public data. Carnegie Mellon's Box service can be used to store many of the documents that you use on a day-to-day basis. Specifically, appropriate safeguards have been implemented for Public and Private data. However, it may not be appropriate for storage of Restricted data (i.e. data considered sensitive by the institution). Some types of Restricted data should not be stored using Box while others may be acceptable based on the particular use case. As a general rule of thumb, you should consult with the appropriate Data Steward prior to using Box for storage of Restricted data.

The following table shows a comparison between personal Box accounts and enterprise Box accounts with respect to how they can be used for storage of institutional data.


Classification

Personal Box Account

(non-CMU sponsored)

Enterprise Box Account

(CMU sponsored)

Public green check green check
Private green check green check
Restricted

green check

See table below

The following table shows which types of Restricted data a user can store using the Box service. Note that this only applies to enterprise accounts. As mentioned above, personal accounts should not be used to store Private or Restricted data. For more information on what these categories of Restricted data include, review Appendix A of the Guidelines for Data Classification. Note that this list is not comprehensive and only represents Restricted data that has been identified by the Information Security Office and the Office of General Counsel. Other types of data may be considered Restricted that are not listed here. When in doubt, consult with the appropriate Data Steward or your supervisor prior to using the service.


Restricted Data Usage Details
Authentication Verifiers (e.g. passwords) green check

As a general rule of thumb, users should avoid using cloud storage solutions to store passwords, shared secrets or encryption keys. While there may be use cases for using cloud services to store personal account passwords, such services should not be used for storing Carnegie Mellon account passwords unless explicitly authorized. 

Covered Financial Information Consult with Data Steward Acceptable use of the Box service for Covered Financial Information may vary based on use case.
Export Controlled Materials Consult with Data Steward Acceptable use of the Box service for Export Controlled Materials may vary based on use case.
Federal Tax Information Consult with Data Steward Acceptable use of the Box service for Federal Tax Information may vary based on use case.
Payment Card Information green check The Box service does not adequately segment data to ensure that payment card data is segmented from other types of data. Additionally, contractual provisions are insufficient to accommodate PCI DSS compliance. Use of the Box service to store Payment Card Information would also unnecessarily expand the scope of the institution's compliance obligations.
Personally Identifiable Education Records (FERPA data) Consult with Data Steward Acceptable use of the Box service for FERPA protected data may vary based on use case.
Personally Identifiable Information green check The privacy of Personally Identifiable Information (PII) is highly regulated by state and federal government. Unauthorized access to PII can introduce legal, financial and reputational risks for the institution as cause harm to those individuals whose information is inappropriately accessed. As a result, this information should not be stored using the Box service.
Protected Health Information green check Contractual provisions are insufficient to accommodate HIPAA compliance. Box has declared, via the University-wide contract, that it is not a "business associate" or a "covered entity" as defined by HIPAA.

Revision History
Status:  Published 
Published:  10/17/2012
Last Reviewed:  11/23/2020
Last Updated:  10/17/2012

Frequently Asked Questions

The following are several frequently asked questions regarding the status of security and contractual related matters.

Yes. Carnegie Mellon has entered into a contractual relationship with Box. This contract only applies to Enterprise accounts and includes a number of provisions to safeguard institutional data. Contact the University Contracts Office at university-contracts@andrew.cmu.edu for additional details.
No. There is a single enterprise contract in place for Carnegie Mellon.
Yes. The Information Security Office has completed a formal review of the security of this service. Contact the Information Security Office at iso@andrew.cmu.edu for additional details.
Yes. Information on how to set up and use a CMU Box account is available on Computing Services website under Use Your CMU Box Account.