All faculty, staff, students, and units have an obligation to protect institutional data. Storing data on Box at Penn State reduces your risk compared to storing it on your desktop, removable media (e.g., flash drives), or commercial cloud storage services. Box is a secure cloud provider that uses a multi-layered approach to keep Penn State information secure. Examples of those measures include:

  • Contractual: Penn State’s contract specifies severe monetary penalties if Box compromises our data
  • Technical: Files stored in Box are encrypted both in transit and at rest; two-factor authentication
  • Physical: remote data centers with strong physical security; redundant utilities and environmental systems
  • Access Controls: user settings within each Box account let account owners control access to their data

Keep your information secure by storing it on Box at Penn State.

Classification Levels

Penn State information is divided into four broad categories:

Source Document: AD95
Sensitive Information Classification, Definition, and Examples

Restricted (Level 4)
Definition: Access and use is strictly controlled and restricted by laws, regulations, or contracts. Unauthorized access, use, disclosure, or loss will have significant legal consequences, including civil and criminal penalties, loss of funding, inability to continue current research, and inability to obtain future funding or partnerships.

Level 4 (Restricted) data may not be stored on Box at Penn State. If you have questions, please contact the Office of Information Security at security@psu.edu.

Examples:
  • Payment Card Industry Data Security Standard (PCI-DSS) Data
  • Data subject to Federal Information Security Management Act (FISMA) moderate or high standards

High (Level 3)
Definition: Unauthorized access, use, disclosure, or loss is likely to have significant and severe adverse effects for individuals, groups, or the University. These adverse effects could include, but are not limited to, social, psychological, reputational, financial, or legal harm. Compliance requirements are not as strict as for Restricted Information.

To determine if your Level 3 (High) data may be stored on Box at Penn State, please contact the Office of Information Security at security@psu.edu.

Examples:
  • Personally Identifiable Information (PII) as defined in Privacy Policy AD53
  • Health Insurance Portability and Accountability Act (HIPAA) data and PHI

Moderate (Level 2)
Definition: Unauthorized access, use, disclosure, or loss is likely to have adverse effects for individuals, groups, or the University, but will not have a significant impact on the University. These adverse effects could include, but are not limited to, social, psychological, reputational, financial, or legal harm.

Moderate-level data may be stored on Box at Penn State.

Examples:
  • Non-PII student records
  • Personnel records

Low (Level 1)
Definition: Unauthorized access, use, disclosure, or loss is likely to have low or no risk to individuals, groups, or the University. These adverse effects may, but are unlikely to, include limited reputational, psychological, social, or financial harm. Low Risk Information may include some non-public data.

Low-level data may always be stored on Box at Penn State.

Examples:
  • Data made freely available by public sources
  • Published data
  • Educational data
  • Initial and intermediate Research Data

For assistance in classifying your information, please refer to the Information Classification Decision Tool.

Since Penn State has engaged in a Business Associate Agreement with Box, Protected Health Information (PHI) may be stored on Box at Penn State if certain requirements are followed.  These requirements can be found on this page.

For additional information regarding Penn State’s Information Classification, please refer to University Policy, AD95, Information Assurance and IT Security, and its corresponding security standards.
