# Configuring Shield Access Policies to Match Industry Best Practices

While there are many ways to classify, control, and restrict content, many industries have developed best practices that work well within those industries. Organizations within those industries that use Box can carry those practices into Box. This topic describes how to design Shield access policies for several industries, as well as a general use case best practice.

For each, this topic suggests a set of Classification Labels, as well as how to configure Shield access policies for those labels within those industries. See [Creating and Using Classification Labels Based On Industry Best Practices](/en/box-shield/getting-started-with-box-shield/creating-and-using-classification-labels-based-on-industry-best-practices) for detailed descriptions of each Classification Label.

## Shield Access Policy General Best Practices

For general use cases, the best practice is to keep your security stance simple. Consider these classification labels:

* Optionally one for content that can be made generally available: Public
* One for content that is intended to be kept within your organization: Internal
* One for content that requires specific authorization for access: Confidential

### Public Shield Access Policy: General Use

For general use, this is how you would configure Shield access policy security controls to manage content with the *Public* classification label:

* [Shared Link Restriction](/en/box-shield/shield-smart-access-policies/shield-access-policy-settings#shared-link-restriction-settings): People with the link

Some organizations, to keep their classification scheme simple, consider not classifying content such as this.

### Internal Shield Access Policy: General Use

For general use, this is how you would configure Shield access policy security controls to manage content with the *Internal* classification label:

* [External Collaboration Restriction](/en/box-shield/shield-smart-access-policies/shield-access-policy-settings#external-collaboration-restriction-settings): Block all external collaboration
* [Shared Link Restriction](/en/box-shield/shield-smart-access-policies/shield-access-policy-settings#shared-link-restriction-settings): People in your company and invited people
* [Download and Print Restriction](/en/box-shield/shield-smart-access-policies/shield-access-policy-settings#download-and-print-restriction-settings): Restrict all External Users for Web App, Mobile, and Desktop

### Confidential Shield Access Policy: General Use

For general use, this is how you would configure Shield access policy security controls to manage content with the *Confidential* classification label:

* [Shared Link Restriction](/en/box-shield/shield-smart-access-policies/shield-access-policy-settings#shared-link-restriction-settings): Invited people only
* [Download and Print Restriction](/en/box-shield/shield-smart-access-policies/shield-access-policy-settings#download-and-print-restriction-settings):
  * Restrict all Managed Users (except Owners/Co-owners) for Web App, Mobile, and Desktop
  * Restrict all External Users for Web App, Mobile, and Desktop
* [Integration Restriction](/en/box-shield/shield-smart-access-policies/shield-access-policy-settings#integration-restriction-settings): Block all integrations from downloading content
* [FTP Restriction](/en/box-shield/shield-smart-access-policies/shield-access-policy-settings#ftp-restriction-settings): Enable Restrict FTP downloads
* [Watermarking Restriction](/en/box-shield/shield-smart-access-policies/shield-access-policy-settings#watermarking-settings): Enable watermarking
* [Sign Request Restriction](/en/box-shield/shield-smart-access-policies/shield-access-policy-settings#box-sign-request-restriction-settings): Enable Restrict users from requesting signatures on content using Box Sign
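
One way to check a tenant against the General Use settings listed above is to hold the baseline as data and flag every control that is missing or weaker. This is an added example, not Box code: the dictionary layout, the key names, and the strictness ordering of the shared link options are assumptions of the example, and the sample tenant is constructed.

```python
# Added example; dict layout and key names are hypothetical, not a Box API.

# Shared link options from General Use, least to most restrictive (assumed order).
LINK_RANK = ["People with the link", "People in your company and invited people",
             "Invited people only"]

# Public is omitted: its only control is the least restrictive link setting.
BASELINE = {
    "Internal": {"block_external_collab": True,
                 "shared_link": "People in your company and invited people",
                 "download_print_restricted": {"external"}},
    "Confidential": {
        "shared_link": "Invited people only",
        "download_print_restricted": {"managed_non_owner", "external"},
        "block_integration_download": True,
        "restrict_ftp": True,
        "watermark": True,
        "restrict_sign_requests": True,
    },
}

def meets(control, want, have):
    """True if the configured value is at least as strict as the baseline."""
    if have is None:
        return False
    if control == "shared_link":
        return have in LINK_RANK and LINK_RANK.index(have) >= LINK_RANK.index(want)
    if isinstance(want, set):
        return want <= set(have)
    return have is True

def audit(tenant):
    """Return sorted (label, control) pairs missing or weaker than baseline."""
    return sorted((label, control)
                  for label, controls in BASELINE.items()
                  for control, want in controls.items()
                  if not meets(control, want, tenant.get(label, {}).get(control)))

# Constructed sample: Confidential has a broader link, one download rule, no watermark.
SAMPLE_TENANT = {
    "Internal": {"block_external_collab": True, "shared_link": "Invited people only",
                 "download_print_restricted": ["external", "managed_non_owner"]},
    "Confidential": {"shared_link": "People in your company and invited people",
                     "download_print_restricted": ["external"],
                     "block_integration_download": True, "restrict_ftp": True,
                     "restrict_sign_requests": True},
}

if __name__ == "__main__":
    for label, control in audit(SAMPLE_TENANT):
        print(f"{label}: {control} is missing or weaker than the baseline")
```

A stricter setting than the baseline, such as *Invited people only* on Internal content, passes the check; only missing or weaker controls are reported.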

## Shield Access Policy Legal/M\&A Best Practices

In the legal industry, a significant amount of content must be restricted to a limited number of people. A classification schema that supports the needs of a legal organization could include:

* One classification for content that can be made generally available: Public
* Two classifications for content that should be accessible only to people within your organization: Internal and Confidential
* One classification for content that's meant to be accessible only to specific people within your organization and specifically identified people outside of your organization: Client Content/Client Collaboration

### Public Shield Access Policy: Legal M\&A

For Legal M\&A use, this is how you would configure Shield access policy security controls to manage content with the *Public* classification label:

* [Shared Link Restriction](/en/box-shield/shield-smart-access-policies/shield-access-policy-settings#shared-link-restriction-settings): People with the link

Some organizations, to keep their classification scheme simple, consider not classifying content such as this.

### Client Content/Client Collaboration Shield Access Policy: Legal M\&A

For Legal M\&A use, this is how you would configure Shield access policy security controls to manage content with the *Client Content* or *Client Collaboration* classification labels:

* [Shared Link Restriction](/en/box-shield/shield-smart-access-policies/shield-access-policy-settings#shared-link-restriction-settings): People in your company and invited people

### Internal Shield Access Policy: Legal M\&A

For Legal M\&A use, this is how you would configure Shield access policy security controls to manage content with the *Internal* classification label:

* [External Collaboration Restriction](/en/box-shield/shield-smart-access-policies/shield-access-policy-settings#external-collaboration-restriction-settings): Block all external collaboration
* [Shared Link Restriction](/en/box-shield/shield-smart-access-policies/shield-access-policy-settings#shared-link-restriction-settings): People in your company and invited people
* [Download and Print Restriction](/en/box-shield/shield-smart-access-policies/shield-access-policy-settings#download-and-print-restriction-settings): Restrict all External Users for Web App, Mobile, and Desktop

### Confidential Shield Access Policy: Legal M\&A

For Legal M\&A use, this is how you would configure Shield access policy security controls to manage content with the *Confidential* classification label:

* [External Collaboration Restriction](/en/box-shield/shield-smart-access-policies/shield-access-policy-settings#external-collaboration-restriction-settings): Block all external collaboration
* [Shared Link Restriction](/en/box-shield/shield-smart-access-policies/shield-access-policy-settings#shared-link-restriction-settings): Invited people only
* [Download and Print Restriction](/en/box-shield/shield-smart-access-policies/shield-access-policy-settings#download-and-print-restriction-settings):
  * Restrict all Managed Users (except Owners/Co-owners) for Web App, Mobile, and Desktop
  * Restrict all External Users for Web App, Mobile, and Desktop
* [Integration Restriction](/en/box-shield/shield-smart-access-policies/shield-access-policy-settings#integration-restriction-settings): Block all integrations from downloading content
* [FTP Restriction](/en/box-shield/shield-smart-access-policies/shield-access-policy-settings#ftp-restriction-settings): Enable Restrict FTP downloads
* [Watermarking Restriction](/en/box-shield/shield-smart-access-policies/shield-access-policy-settings#watermarking-settings): Enable watermarking
* [Sign Request Restriction](/en/box-shield/shield-smart-access-policies/shield-access-policy-settings#box-sign-request-restriction-settings): Enable Restrict users from requesting signatures on content using Box Sign

## Shield Access Policy Financial Services Best Practices

The financial services industry requires both confidentiality and governance. Content can contain information that includes both personally identifying information (PII) and sensitive financial information.

A financial services organization might consider the following classification schema to keep their content in Box secure:

* One classification for content that can be made generally available: Public
* Two classifications for content that should be accessible only to people within your organization: Collaborators Only and Internal
* Three classifications for content that you share only with specifically defined people, either within or outside your organization: Confidential, Extremely Confidential, and PII

### Public Shield Access Policy: Financial Services

For Financial Services use, this is how you would configure Shield access policy security controls to manage content with the *Public* classification label:

* [Shared Link Restriction](/en/box-shield/shield-smart-access-policies/shield-access-policy-settings#shared-link-restriction-settings): People with the link

Some organizations, to keep their classification scheme simple, consider not classifying content such as this.

### Internal Shield Access Policy: Financial Services

For Financial Services use, this is how you would configure Shield access policy security controls to manage content with the *Internal* classification label:

* [External Collaboration Restriction](/en/box-shield/shield-smart-access-policies/shield-access-policy-settings#external-collaboration-restriction-settings): Block all external collaboration
* [Shared Link Restriction](/en/box-shield/shield-smart-access-policies/shield-access-policy-settings#shared-link-restriction-settings): People in your company and invited people
* [Download and Print Restriction](/en/box-shield/shield-smart-access-policies/shield-access-policy-settings#download-and-print-restriction-settings): Restrict all External Users for Web App, Mobile, and Desktop

### Collaborators Only Shield Access Policy: Financial Services

For Financial Services use, this is how you would configure Shield access policy security controls to manage content with the *Collaborators Only* classification label:

* [Shared Link Restriction](/en/box-shield/shield-smart-access-policies/shield-access-policy-settings#shared-link-restriction-settings): Invited people only

### Confidential Shield Access Policy: Financial Services

For Financial Services use, this is how you would configure Shield access policy security controls to manage content with the *Confidential* classification label:

* [External Collaboration Restriction](/en/box-shield/shield-smart-access-policies/shield-access-policy-settings#external-collaboration-restriction-settings): Block all external collaboration
* [Shared Link Restriction](/en/box-shield/shield-smart-access-policies/shield-access-policy-settings#shared-link-restriction-settings): People in your company
* [Download and Print Restriction](/en/box-shield/shield-smart-access-policies/shield-access-policy-settings#download-and-print-restriction-settings):
  * Restrict all Managed Users (except Owners/Co-owners) for Web App, Mobile, and Desktop
  * Restrict all External Users for Web App, Mobile, and Desktop

## Shield Access Policy Healthcare Best Practices

The healthcare industry includes many different types of organizations, from hospitals and medical practices to pharmaceutical and medical device developers to public and private research institutions. Some organizations can benefit from a simple classification structure, while others may require more fine-grained levels of content security, especially when working with governmental organizations. Many organizations settle on a basic schema plus specific categorization for content containing personal health information (PHI).

A healthcare organization might consider the following to keep their content in Box secure:

* One classification for content that can be made generally available: Public
* Two classifications for content that should be accessible only to people within your organization: Collaborators Only and Internal
* Three classifications for content that you share only with specifically defined people, either within or outside your organization: Confidential - De-Identified PHI, Restricted - PHI, and Restricted - Sensitive

The following sections describe common classification label naming, descriptions, and purpose in the healthcare industry, along with how an organization would typically configure Shield access policies to manage content with each classification.

### Public Shield Access Policy: Healthcare

For Healthcare use, this is how you would configure Shield access policy security controls to manage content with the *Public* classification label:

* [Shared Link Restriction](/en/box-shield/shield-smart-access-policies/shield-access-policy-settings#shared-link-restriction-settings): People with the link

Some organizations, to keep their classification scheme simple, consider not classifying content such as this.

### Collaborators Only Shield Access Policy: Healthcare

For Healthcare use, this is how you would configure Shield access policy security controls to manage content with the *Collaborators Only* classification label:

* [Shared Link Restriction](/en/box-shield/shield-smart-access-policies/shield-access-policy-settings#shared-link-restriction-settings): Invited people only

### Internal Shield Access Policy: Healthcare

For Healthcare use, this is how you would configure Shield access policy security controls to manage content with the *Internal* classification label:

* [External Collaboration Restriction](/en/box-shield/shield-smart-access-policies/shield-access-policy-settings#external-collaboration-restriction-settings): Block all external collaboration
* [Shared Link Restriction](/en/box-shield/shield-smart-access-policies/shield-access-policy-settings#shared-link-restriction-settings): People in your company and invited people
* [Download and Print Restriction](/en/box-shield/shield-smart-access-policies/shield-access-policy-settings#download-and-print-restriction-settings): Restrict all External Users for Web App, Mobile, and Desktop

### Confidential - De-Identified PHI Shield Access Policy: Healthcare

For Healthcare use, this is how you would configure Shield access policy security controls to manage content with the *Confidential - De-Identified PHI* classification label:

* [External Collaboration Restriction](/en/box-shield/shield-smart-access-policies/shield-access-policy-settings#external-collaboration-restriction-settings): Block all external collaboration
* [Shared Link Restriction](/en/box-shield/shield-smart-access-policies/shield-access-policy-settings#shared-link-restriction-settings): People in your company
* [Download and Print Restriction](/en/box-shield/shield-smart-access-policies/shield-access-policy-settings#download-and-print-restriction-settings):
  * Restrict all Managed Users (except Owners/Co-owners) for Web App, Mobile, and Desktop
  * Restrict all External Users for Web App, Mobile, and Desktop

### Restricted - PHI and Restricted - Sensitive Shield Access Policy: Healthcare

For Healthcare use, this is how you would configure Shield access policy security controls to manage content with the *Restricted - PHI* and *Restricted - Sensitive* classification labels:

* [External Collaboration Restriction](/en/box-shield/shield-smart-access-policies/shield-access-policy-settings#external-collaboration-restriction-settings): Block all external collaboration
* [Shared Link Restriction](/en/box-shield/shield-smart-access-policies/shield-access-policy-settings#shared-link-restriction-settings): Invited people only
* [Download and Print Restriction](/en/box-shield/shield-smart-access-policies/shield-access-policy-settings#download-and-print-restriction-settings):
  * Restrict all Managed Users (except Owners/Co-owners) for Web App, Mobile, and Desktop
  * Restrict all External Users for Web App, Mobile, and Desktop
* [Integration Restriction](/en/box-shield/shield-smart-access-policies/shield-access-policy-settings#integration-restriction-settings): Block all integrations from downloading content
* [FTP Restriction](/en/box-shield/shield-smart-access-policies/shield-access-policy-settings#ftp-restriction-settings): Enable Restrict FTP downloads
* [Watermarking Restriction](/en/box-shield/shield-smart-access-policies/shield-access-policy-settings#watermarking-settings): Enable watermarking
* [Sign Request Restriction](/en/box-shield/shield-smart-access-policies/shield-access-policy-settings#box-sign-request-restriction-settings): Enable Restrict users from requesting signatures on content using Box Sign
