Best Practices for Sharing Sensitive Information via Box
Sensitive information is defined as data that is required to be protected from being accessed by unauthorized parties. This can include but is not limited to financial information, confidential letters, and identity-related information. When sharing sensitive information, the best place to start is by checking with your Manager and/or DTA for any department-specific processes and approvals that may be required prior to sharing access to any folders or files on Box. Beyond that, please be sure to follow these best practices:
Notifying Owners and Collaborators before Sharing
Make sure that all contributing collaborators of a file are aware that it will be shared before sharing it.
Inviting Collaborators vs. Share Links
Share by inviting collaborators via their official UCLA Directory emails rather than using share links. If you decide to use a share link, be sure to mark that only “People In Your Company” can view and edit this file so that anyone who clicks on the link must sign in through the UCLA SSO page (this is the default designation when creating a share link).
Sharing Folders vs. Files; Waterfall Permissions
When sharing access to a specific folder, understand that the user that you shared with now has access to all of that folder’s contents, including any subfolders. This is also known as waterfall permissions. If you would like to avoid this, you should instead share specific files rather than whole folders. Additionally, you may need to rearrange content into a different folder if you would like to share a folder but keep some of its contents hidden.
Make it clear in your communication that what you are sharing is sensitive. This can be done by including a tag of [Sensitive] in the file name or email subject line.
You may want to share a file or folder with someone for only a certain period of time. In this case, set a reminder in your calendar at the end of that share period so that you remember to remove that person from the permissions.
Sharing Outside of Your Department
If you are sharing sensitive information with someone outside of your department, you must receive approval from your manager before doing so.