All faculty, staff, students, and units have an obligation to protect institutional data. Storing data on Box at Penn State reduces your risk compared to storing it on your desktop, removable media (e.g., flash drives), or commercial cloud storage services. Box is a secure cloud provider that uses a multi-layered approach to keep Penn State information secure. Examples of those measures include:
- Contractual: Penn State’s contract specifies severe monetary penalties if Box compromises our data
- Technical: Files stored in Box are encrypted both in transit and at rest; two-factor authentication
- Physical: remote data centers with strong physical security; redundant utilities and environmental systems
- Access Controls: User settings within each Box account so account owners can control access to their data
Keep your information secure by storing it on Box at Penn State.
Penn State information is divided into four broad categories:
Source Document: AD95
|Sensitive Information Classification||Definition||Examples|
|Restricted (Level 4)||Access and use is strictly controlled and restricted by laws, regulations, or contracts. Unauthorized access, use, disclosure, or loss will have significant legal consequences, including civil and criminal penalties, loss of funding, inability to continue current research, and inability to obtain future funding or partnerships. Level 4 (Restricted) data may not be stored on Box at Penn State. If you have questions, please contact the Office of Information Security at firstname.lastname@example.org.||Payment Card Industry Data Security Standard (PCI-DSS) Data; Data subject to Federal Information Security Management Act (FISMA) moderate or high standards|
|High (Level 3)||Unauthorized access, use, disclosure, or loss is likely to have significant and severe adverse effects for individuals, groups, or the University. These adverse effects could include, but are not limited to, social, psychological, reputational, financial, or legal harm. Compliance requirements are not as strict as for Restricted Information. To determine if your Level 3 (High) data may be stored on Box at Penn State, please contact the Office of Information Security at email@example.com.||Health Insurance Portability and Accountability Act (HIPAA) data and PHI|
|Moderate (Level 2)||Unauthorized access, use, disclosure, or loss is likely to have adverse effects for individuals, groups, or the University, but will not have a significant impact on the University. These adverse effects could include but are not limited to social, psychological, reputational, financial, or legal harm. Moderate-level data may be stored on Box at Penn State.||Non-PII student records|
|Low (Level 1)||Unauthorized access, use, disclosure, or loss is likely to have low or no risk to individuals, groups, or the University. These adverse effects may, but are unlikely to, include limited reputational, psychological, social, or financial harm. Low Risk Information may include some non-public data. Low-level data may always be stored on Box at Penn State.||Data made freely available by public sources; Initial and intermediate Research Data|
For assistance in classifying your information, please refer to the Information Classification Decision Tool.
Because Penn State has entered into a Business Associate Agreement with Box, Protected Health Information (PHI) may be stored on Box at Penn State if certain requirements are followed. These requirements can be found on this page.
For additional information regarding Penn State’s Information Classification, please refer to University Policy, AD95, Information Assurance and IT Security, and its corresponding security standards.