In this blog post I will explain and start the journey with the Classify and Label Steps of our Information Protection Process. The process is explained in my previous blog post. The first thing if you would like to protect your documents, is to define which classification you need for your documents. In my experience, it is easier to start with a few default classifications, than to start with a big list and confusing your end users.
Well Known Classifications
As an example, we can use the well known classification systems of the military or other big organizations. We can see, that they rely on only five classifications:
Classification | Description |
Top Secret | Disclosure of top secret data would cause severe damage to national security. |
Secret | Disclosure of secret data would cause serious damage to national security. This data is considered less sensitive than data classified as top secret. |
Confidential | Confidential data is usually data that is exempt from disclosure under laws such as the Freedom of Information Act but is not classified as national security data. |
Sensitive but Unclassified (SBU) | SBU data is data that is not considered vital to national security, but its disclosure would do some harm. Many agencies classify data they collect from citizens as SBU. |
Unclassified | Unclassified is data that has no classification or is not sensitive. |
Or for example the business version:
Classification | Description |
Sensitive | Data that is to have the most limited access and requires a high degree of integrity. This is typically data that will do the most damage to the organization should it be disclosed. |
Confidential | Data that might be less restrictive within the company but might cause damage if disclosed. |
Private | Private data is usually compartmental data that might not do the company damage but must be keep private for other reasons. Human resources data is one example of data that can be classified as private. |
Proprietary | Proprietary data is data that is disclosed outside the company on a limited basis or contains information that could reduce the company’s competitive advantage, such as the technical specifications of a new product. |
Public | Public data is the least sensitive data used by the company and would cause the least harm if disclosed. This could be anything from data used for marketing to the number of employees in the company. |
Let us start smart, and don’t plan for more classifications at the beginning. Only if you would like to protect a specific workflow with special permissions, then you can define a special classification for this type of documents.
The most important part is to define the rules for the different classification and that your employees are aware of them. Otherwise, they don’t classify the documents correctly. If you own the Azure Information Protection P2 Subscription, then you have also the possibility to automate the classification based on the content. For example, you can detect if a specific pattern like a credit card number was found and automatically classify the document with the Private Label.
Labels / Classification
A label defines, if the content should be:
- protected/encrypted by Azure RMS.
- a visual marking should be added.
- conditions and rules for automatic labeling with Azure Information Protection P2.
The configuration of a label looks like that:
Side note, classifications are called label in Azure Information Protection.
The classifications, which are available per default in Azure Information Protection are a good starting point and are displayed in the following table.
Label | Tooltip |
Personal | Non-business data, for personal use only. |
Public | Business data that is specifically prepared and approved for public consumption. |
General | Business data that is not intended for public consumption. However, this can be shared with external partners, as required. Examples include a company internal telephone directory, organizational charts, internal standards, and most internal communication. |
Confidential | Sensitive business data that could cause damage to the business if shared with unauthorized people. Examples include contracts, security reports, forecast summaries, and sales account data. |
Highly Confidential | Very sensitive business data that would cause damage to the business if it was shared with unauthorized people. Examples include employee and customer information, passwords, source code, and pre-announced financial reports. |
Scoped Labels
You have the possibility to create scoped labels, which are only available to specific users. This will not block access to the documents by other users. They are only not able to classify documents with these labels.
End User Experience
In Word you will then see the following information, when the label was selected:
If you would like to read more about how to define the Azure RMS Protection, then read my next blog post and follow me on twitter @ThomasKurth_CH.
- Microsoft Sentinel ASIM Parser demystified - March 31, 2024
- Enhancing Network Security Insights with IDS/IPS of Ubiquiti Dream Machine Pro and Microsoft Sentinel - March 10, 2024
- Ubiquiti Dream Machine Pro Logs to Microsoft Sentinel - February 6, 2024
1 Comment
Protect your Data – Stop losing control over it – E-Mail Service - Workplace Management Blog by baseVISION · May 11, 2017 at 16:52
[…] Classify and Label your documents […]