Documents - Use Sensitivity Labels

What are sensitivity labels?

A sensitivity label is applied to a document to classify it based on the sensitivity level of the data within it. These labels make it simple for a teammate to properly label and protect our organization's data to meet regulatory compliance requirements.

 

Sensitivity Labels Description for Sea Consortium Users

See the quick reference table below for a description of each sensitivity label, a summary of when that label should be used, and what protection is applied when a certain label is chosen.

 

Each entry below lists the sensitivity label, examples, the description for the user, the protection applied, and the label restriction.

Sensitivity label: Personal
Examples: Information that is not related to business activities, such as personal photos, videos, personal documents, and other non-commercial content. This data should not be used for any business purposes and is meant solely for individual, private use.
Description for user: Non-business data, for personal use only.
Protection: (none listed)
Label restriction: (none listed)

Sensitivity label: Public
Examples: Product and pricing information, website content, advertisements, job opening announcements, press releases, and media content.
Description for user: Business data that is specifically prepared and approved for public consumption, benefiting the company by being in the public domain.
Protection: (none listed)
Label restriction: (none listed)

Sensitivity label: General
Examples: Company internal telephone directory, organizational charts, internal standards, most internal communication.
Description for user: Business data that is not intended for public consumption. However, this can be shared with external partners, as required. Examples include a company internal telephone directory, organizational charts, internal standards, and most internal communication.
Protection: (none listed)
Label restriction: (none listed)

Sensitivity label: Confidential\ Limited Access
Examples: Policies and procedures, SOPs, marketing materials, event handbooks, organization structure, departmental plans.
Description for user: Assign permissions as needed. Confidential data requiring protection, accessible with limited permissions to selected employees and external users. Data owners have the capability to track and revoke access. General company information stored on company systems, intended for internal use, poses no reputational risk or loss if shared among internal groups and relevant third parties.
Protection: Emails are encrypted. When users apply the label to an email in Outlook, the email is encrypted and recipients must be authenticated. Recipients have no restrictions except that they can't remove the encryption.
Label restriction: User to assign permissions for internal and external user access (View, Edit, Save, Print).
Content marking:
  Footer: "Classified as Confidential"

Sensitivity label: Confidential\ Sea Consortium Data
Examples: Detailed events plan, contracts, RFPs, RFQs, commercial bids and proposals, internal meeting minutes, internal presentations.
Description for user: Refers to information specifically intended for dissemination both internally and to external third parties. Such information is defined as having low internal restrictions on access and usage but will have restrictions when sharing externally. Unauthorized disclosure of this information may have any business impact on the organization, its customers, or its business partners.
Protection: Emails are encrypted. When users apply the label to an email in Outlook, the email is encrypted and recipients must be authenticated. Recipients have no restrictions except that they can't remove the encryption.
Label restriction:
  Permissions for internal users: Full Access
  Permissions for external users: View content, View rights, Edit content, Save, Reply, Reply all, Forward, Allow macros
Content marking:
  Header: "Classified as Confidential"
  Footer: "Classified as Confidential"

Sensitivity label: Highly Confidential\ Limited Access
Examples: Financial statements, Board and shareholder materials, salary information, venue security plans, high value/commercially sensitive contracts, employee data (including salary information).
Description for user: Assign permissions as needed. Data owners have the capability to track and revoke access. Information belonging to the company that is intended for internal use only, the broader dissemination of which would cause the company serious loss, damage or reputational risk.
Protection: Emails are encrypted. When users apply the label to an email in Outlook, the email is encrypted and recipients must be authenticated. Recipients have no restrictions except that they can't remove the encryption.
Label restriction: User to assign permissions for internal and external user access (View, Edit, Save, Print).
Content marking:
  Watermark: "Highly Confidential"
  Header: "Classified as Highly Confidential"
  Footer: "Classified as Confidential"

Sensitivity label: Highly Confidential\ Sea Consortium Data
Examples: Passwords, government security plans.
Description for user: Data that does require protection should be handled with caution and justified by appropriate business reasons. Information that must remain confidential, if disclosed, could result in severe legal and regulatory consequences for the company and its stakeholders.
Protection: Emails are encrypted. When users apply the label to an email in Outlook, the email is encrypted and recipients must be authenticated. Recipients have no restrictions except that they can't remove the encryption.
Label restriction:
  Permissions for internal users: Full Access
  Permissions for external users: View content, View rights, Allow macros
Content marking:
  Watermark: "Highly Confidential"
  Header: "Classified as Highly Confidential"
  Footer: "Classified as Confidential"

 

Frequently Asked Questions

 

1. What are sensitivity label restrictions?

The sensitivity label you select may come with pre-defined restrictions or you may be prompted to choose who can read or change the file. If permissions are required, you'll see a dialog box. 

Which label should I use? Deciding on the appropriate label for an item can be challenging. By default, all newly created items are labeled ‘General’. If your document is not included in the list above, please contact the compliance admin for more information.

 

2. How can I assign permissions?

When using labels like “Confidential\ Limited Access” or “Highly Confidential\ Limited Access”, users will be asked to provide a list of people and their permissions to access the document.

Check the box next to “Restrict permission to this document” and enter the email address of the individuals that need access to the document. You can grant “Read Only” access to some, and “Change/Modify” access to others. You can enter more than one address on each line.

 

The restrict permissions dialog lets you specify which users or domains can read or change your file.

Important considerations if you are granting permissions by domain

If you specify a domain to grant permissions to, you are granting those permissions to all the accounts in that organization.

That means that if that organization has other domain names in their Azure Active Directory (AD), these permissions also extend to those users. For example, if Tailwind Toys also owns the contosogames.com domain in their Azure AD, then all the users of contosogames.com would also gain the permissions granted to tailwindtoys.com users.

If you wish to adjust the permissions further, click on “More Options”.

CAUTION: You are the owner of this document. You can add additional owners to the document under the “More Options” tab by selecting “Full Control” as the granted permission. It is important to consider whether your manager or teammates need to be added here, or whether they simply need read-only or modify access. For example, you may need to add a colleague as an owner of the document so they can give other teammates access while you are out on vacation, or if you change departments.

 


3. How are permissions restricted to viewer access?

https://learn.microsoft.com/en-us/azure/information-protection/configure-usage-rights#usage-rights-and-descriptions

 

 

4. How can I justify changes to a sensitivity label?

Your administrator can have a policy that requires you to provide justification before changing a sensitivity label from a higher sensitivity to a lower sensitivity. In this configuration, you may be asked to choose a justification reason or provide your own when selecting a less sensitive label.

Note: You will only be asked to justify changes one time after opening a document or replying to or forwarding an email message. After justifying once, subsequent changes will not require justification until that document or email message is closed and opened again.

The dialog box that appears when your organization requires you to provide a justification for changing a sensitivity label.

 

 

5. What is content marking?

Content markings include headers and footers as well as watermarks, and encryption can also restrict what actions authorized people can take on the content.

Mark the content when you use Office apps, by adding watermarks, headers, or footers to email, meeting invites, or documents that have the label applied. Watermarks can be applied to documents but not email or meeting invites. Example header and watermark: 

 

 

6. How to label information correctly?

 Labelling information correctly requires the recipient of the information to follow these steps:

 

  • Identify the source, origin and owner of the information, and verify its authenticity and accuracy.
  • Assess the context, purpose and value of the information, and determine its level of sensitivity, confidentiality and classification.
  • Apply the appropriate information security label to the information, according to the security policies and procedures of your organization, and the legal, regulatory and contractual obligations that apply to the information.
  • Handle, store, transmit and dispose of the information in a secure and appropriate manner, according to the information security label and the security policies and procedures of your organization.
  • Review and update the information security label as needed, based on the changes in the context, purpose and value of the information, or the security policies and procedures of your organization.

 

 

Test Cases

  1. Test permission restriction by sending emails and files labelled “Confidential\ Limited Access” or “Highly Confidential\ Limited Access”.
  2. Apply any of the confidential labels to a document and test for content marking.
  3. Validate whether emails or files labelled “Confidential\ Sea Consortium Data” or “Highly Confidential\ Sea Consortium Data”, when shared outside the organization, can be accessed and can be forwarded to other accounts.
  4. Validate that files are labelled with the General label by default.
  5. Validate that a policy tip recommendation is presented when updating a Singapore NRIC number on a document.