The Ultimate Manual To Box Governance

Box, a leading cloud storage provider, finally made good on its promise to deliver full FINRA compliance. The company announced a new add-on tool in a bid to woo regulated industries to the cloud, but is it a viable solution for your organization? Read on as we discuss Box Governance and decode its basics in more detail.

What is Box Governance Anyway?

Box Governance aims to simplify how clients manage sensitive business data and comply with regulatory policies. It can help you satisfy e-discovery requests when needed and improve data hygiene.

Admins can use this information governance tool to secure, classify, and store their content to maintain transparency across the entire Box environment—all the while ensuring top-notch security.

How Box Governance Works

Life pre-Box Governance was hard. Organizations had to use solutions that weren’t exactly designed for external and mobile access.

Most of the solutions were fragmented, which meant the content had to be moved a lot. Not only did this result in misplaced documents and inconsistent policies, but it also significantly increased the risk of regulatory and financial penalties.

Seeing this, Box introduced its Governance add-on in a bid to transform content management from a monolithic—and if we’re brutally honest, obtuse—on-premises system into an efficient cloud-based digital tool.

Box Governance gives customers a new approach to managing content. It makes content accessible on a global level via a cloud-based solution that lets users seamlessly manage the entire lifecycle of their business documents, from creation to retention to disposition, all on a single platform.

Moreover, it also makes compliance easy.

When announcing the launch of Box Governance, Box also announced that it supports FINRA and SEC 17a-4 compliance for financial services firms. Thanks to its new add-on service, users can meet compliance standards without any interruption, simplifying things for employees and reducing any burden on administrators to ensure compliance.

Box Governance Categories

Box Governance can be broken down into three categories:

#1 Retention Policies
Box users can set global or folder-based retention policies directly in the platform to ensure compliance. They can also select predefined or custom retention schedules to ensure nothing is misplaced or lost.

After setting the schedule, users can choose what happens to the content when the retention period ends (also known as the “disposition action”). They can also decide who gets notified of this action.

Let us explain this in more detail. Suppose you hold a past employee’s information for two years after they leave the company. You can customize this policy based on specific folders, new content, and metadata.

You must be careful while doing this, though. Once the policy is set, it cannot be changed.

#2 Legal Holds
The legal hold functionality lets you comply with standards to protect your business in the event of litigation. This way, you can apply a legal hold to a specific folder or user under investigation while Box saves all of the produced content. The platform also gives you complete control over who can permanently delete their trash.

However, in case of litigation, you can only grant this privilege to a few admins or co-admins. It’s also possible to prevent or flag downloads, uploads, or sharing of sensitive information (credit card numbers, Social Security numbers).

#3 Disposition Controls
Box can enforce any policy necessary for your organization’s well-being by implementing disposition controls.

Disposition controls are guard rails set around user activity to safeguard an organization’s critical and sensitive information. Box admins can set built-in controls to manage user permissions, watermark content, and classify files, making security and compliance a breeze.

Box Governance in the EDRM

Box Governance has another key role to play when it comes to Box eDiscovery.

Although the tool does a good job of collecting and storing information, it can only go so far in the EDRM process. This is mostly because of Box Governance’s limitations when it comes to data indexing, which in turn restrict processing and search.

You see, Box only indexes the first 10,000 characters of a document. This makes it more likely to create defensibility and search relevancy issues and can also present difficulties when indexing PDFs, scanned documents, or images. Additionally, Box’s indexing doesn’t index previous versions of a document—it’s only the current version that’s indexed.
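The indexing limit described above can be checked against text you have exported before you rely on a search result. The following is an added example, not Box code and not part of the original article: it models the limit locally, and the function name, the constructed sample documents, and the case-insensitive substring matching are assumptions.

```python
"""Local model of a search index that covers only the first N characters."""

INDEX_LIMIT = 10_000  # characters indexed per document, as stated in the article


def index_gaps(documents, terms, limit=INDEX_LIMIT):
    """Return {doc_name: {term: status}} for terms a truncated index would miss.

    status is "beyond_limit" when every occurrence starts at or after the
    limit, and "straddles_limit" when the only occurrences that start before
    the limit are cut off by it. Terms with at least one full occurrence
    inside the window, and terms absent from the document, are not reported.
    """
    report = {}
    for name, text in documents.items():
        haystack = text.lower()
        for term in terms:
            needle = term.lower()
            starts = []
            pos = haystack.find(needle)
            while pos != -1:
                starts.append(pos)
                pos = haystack.find(needle, pos + 1)
            if not starts:
                continue  # term does not occur in this document
            if any(s + len(needle) <= limit for s in starts):
                continue  # one full occurrence lies inside the indexed window
            status = ("straddles_limit" if any(s < limit for s in starts)
                      else "beyond_limit")
            report.setdefault(name, {})[term] = status
    return report


# Constructed sample documents (assumed content, not real data).
SAMPLE_DOCS = {
    "contract.txt": "x" * 12_000 + " indemnification clause",
    "memo.txt": "Project Falcon kickoff. " + "y" * 11_000 + " project falcon budget",
    "minutes.txt": "z" * 9_995 + "settlement terms",
}

if __name__ == "__main__":
    terms = ["indemnification", "Project Falcon", "settlement"]
    for doc, gaps in index_gaps(SAMPLE_DOCS, terms).items():
        print(doc, gaps)
```

Run it over text extracted from exported files; scanned PDFs and images need OCR first, which this sketch does not do.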

So there’s a need for Box users to take more proactive measures to safeguard their files. But still, Governance is an excellent initiative to uncomplicate the lives of Box users.

How Companies Use Box Governance

Here’s a shortlist of the different ways you can use this innovative tool:

  • Maintaining SEC 17a-4 and SEC 17a-3 compliance for storing records.
  • Retaining current employee records for three years and customer records for seven years.
  • Retaining blueprints and other plans for about a decade post job completion.
  • Preventing data leakage with security classifications.
  • Placing proprietary product information and IP on legal hold.
  • Centralizing held content for attorney review in the event of litigation.
  • Safeguarding PII and PHI in the cloud.

How to Get Started with Box Governance

You have to first sign up for Box’s Governance package before being able to use the add-on. Box also offers a 14-day free trial for you to test out the tool.

Let’s take a look at how you can incorporate Box Governance as a part of your existing system.

Step 1: Sign Up for Box Governance’s Add-On

In short, Box Governance helps you easily configure retention and legal hold policies within your organization’s Box environment. The idea here is to meet legal, regulatory, compliance, and security requirements to store, manage, and protect content in the cloud.

However, to implement Governance into your system, you’ll have to first contact Box’s support team to get customized feedback on how Box can help simplify your work. You’ll have to get in touch with the customer support team even if you’re already a Box user.

Once you’ve purchased the Governance add-on for your Box subscription and added the tool to your system, you have to understand how it can help your business.

Step 2: Familiarize Yourself With Retention Policies in Box Governance

To get started with retention, you have to first create a security policy. Next up, you should know the automated processes and security policies, along with any limitations, in Box.

Retention policies are also essential for managing content deletion, editing existing security policies, and complying with your company email policies. Although detailed, these can help you ensure compliance and preserve vital data.

Step 3: Understand Legal Holds in Box Governance

Legal Holds are a crucial part of Box’s Governance package that you can use to place a hold on users or content related to an investigation or litigation. This will prevent any content pertinent to the legal matter from getting permanently deleted.

This is also where custodians come into play.

A custodian refers to a managed user in your enterprise, and the policy holds everything that person has access to or has interacted with within the selected date range. Typical custodian actions that trigger a legal hold include the following:

  • Review
  • Upload
  • Download
  • Box note is opened
  • File is edited
  • File is moved or copied
  • Item is sent to the trash

You can set up the system accordingly to place legal holds on custodians, folders, and API files.

Step 4: Knowing Security Classifications with Box Governance

As an admin, you can already create, modify, and delete security classifications for content in your organization’s Box deployment. With security classifications in place, you can classify your files based on their sensitivity and then enforce access policies associated with that particular sensitivity level.

Box supports up to 25 different classifications. To enable this, you’ll have to first create a classification in Box and then modify it as needed. You can specify which user roles can make these modifications to prevent unauthorized changes too.

You can visit Box’s support page to get a more detailed overview of how Box Governance works and how to get started with it.