Skip to main content
While there are many ways to classify, control, and restrict content, many different industries have developed best practices that work well within those industries. Organizations within those industries that use Box can carry those practices into Box. This topic describes how to design Shield access policies for several industries, as well as a general use case best practice, in the following sections: For each, this topic suggests a set of Classification Labels, as well as how to configure Shield access policies for those labels within those industries. See Creating and Using Classification Labels Based On Industry Best Practices for detailed descriptions of each Classification Label.

Shield Access Policy General Best Practices

For general use cases, the best practice is to keep you security stance simple. Consider these classification labels:
  • Optionally one for content that can be made generally available: Public
  • One for content that is intended to be kept within your organization: Internal
  • One for content that requires specific authorization for access: Confidential

Public Shield Access Policy: General Use

For general use, this is how you would configure Shield access policy security controls to manage content with the Public classification label: Some organizations, to keep their classification scheme simple, consider not classifying content such as this.

Internal Shield Access Policy: General Use

For general use, this is how you would configure Shield access policy security controls to manage content with the Internal classification label:

Confidential Shield Access Policy: General Use

For general use, this is how you would configure Shield access policy security controls to manage content with the Confidential classification label:

Shield Access Policy Legal/M&A Best Practices

In the legal industry, a significant amount of content must be restricted to a limited amount of people. A classification schema that supports the needs of a legal organization could include:
  • One classification for content that can be made generally available: Public
  • Two classifications for content that should be accessible only to people within your organization: Internal and Confidential
  • One classification for content that’s meant to be accessible only to specific people within your organization and specifically identified people outside of your organization: Client Content/Client Collaboration
For Legal M&A use, this is how you would configure Shield access policy security controls to manage content with the Public classification label: Some organizations, to keep their classification scheme simple, consider not classifying content such as this. For Legal M&A use, this is how you would configure Shield access policy security controls to manage content with the Client Content or Client Collaboration classification labels: For Legal M&A use, this is how you would configure Shield access policy security controls to manage content with the Internal classification label: For Legal M&A use, this is how you would configure Shield access policy security controls to manage content with the Confidential classification label:

Shield Access Policy Financial Services Best Practices

The financial services industry requires both confidentiality and governance. Content can contain information that includes both personally identifying information (PII) and sensitive financial information. A financial services organization might consider the following classification schema to keep their content in Box secure:
  • One classification for content that can be made generally available: Public
  • Two classifications for content that should be accessible only to people within your organization: Collaborators Only and Internal
  • Three classifications for content that you share only with specifically defined people, either within or outside your organization: Confidential, Extremely Confidential, and PII

Public Shield Access Policy: Financial Services

For Financial Services use, this is how you would configure Shield access policy security controls to manage content with the Public classification label: Some organizations, to keep their classification scheme simple, consider not classifying content such as this.

Internal Shield Access Policy: Financial Services

For Financial Services use, this is how you would configure Shield access policy security controls to manage content with the Internal classification label:

Collaborators Only Shield Access Policy: Financial Services

For Financial Services use, this is how you would configure Shield access policy security controls to manage content with the Collaborators Only classification label:

Confidential Shield Access Policy: Financial Services

For Financial Services use, this is how you would configure Shield access policy security controls to manage content with the Confidential classification label:

Shield Access Policy Healthcare Best Practices

The healthcare industry includes many different types of organizations, from hospitals and medical practices to pharmaceutical and medical device developers to public and private research institutions. Some organizations can benefit from a simple classification structure, while others others may require more fine-grained levels of content security, especially when working with governmental organizations. Many organizations settle on a basic schema plus specific categorization for content containing personal health information (PHI). A healthcare organization might consider the following to keep their content in Box secure:
  • One classification for content that can be made generally available: Public
  • Two classifications for content that should be accessible only to people within your organization: Collaborators Only and Internal
  • Three classifications for content that you share only with specifically defined people, either within or outside your organization: Confidential - De-Identified PHI, Restricted - PHI, and Restricted - Sensitive
The following sections describes common classification label naming, descriptions, and purpose in the healthcare industry, along with how an organization would typically configure Shield access policies to manage content with each classification.

Public Shield Access Policy: Healthcare

For Healthcare use, this is how you would configure Shield access policy security controls to manage content with the Public classification label: Some organizations, to keep their classification scheme simple, consider not classifying content such as this.

Collaborators Only Shield Access Policy: Healthcare

For Healthcare use, this is how you would configure Shield access policy security controls to manage content with the Collaborators classification label:

Internal Shield Access Policy: Healthcare

For Healthcare use, this is how you would configure Shield access policy security controls to manage content with the Internal classification label:

Confidential - De-Identified PHI Shield Access Policy: Healthcare

For Healthcare use, this is how you would configure Shield access policy security controls to manage content with the Confidential - De-Identified PHI classification label:

Restricted - PHI and Restricted - Sensitive Shield Access Policy: Healthcare

For Healthcare use, this is how you would configure Shield access policy security controls to manage content with the Restricted - PHI and Restricted - Sensitive classification labels: