Getting started with sensitivity labels in Microsoft 365

Protecting information is a process that requires analysis, planning and stakeholder engagement. It can feel like a daunting task, especially when sensitive information is stored across different repositories. However, the current cybersecurity environment is forcing the hand of businesses.

This blog gives you a quick summary of some key considerations and tools that can be used to protect your information in Microsoft 365.

Classification

The classification process starts by understanding your information. To make this task more manageable, start by focusing your efforts on high risk/high value information.

[Figure: Assessing your information for sensitivity labels in Microsoft 365]

Discovery

There are various tools that can assist in discovering information in your Microsoft 365 environment. Sensitive information types and trainable classifiers are two examples that help you automate information discovery. Before you can use them, however, you need to understand the characteristics of your information.

Tip: do you have an information asset register? An information asset register will take you through the analytical process of identifying information assets and their characteristics. From here you can flag high risk/high value assets and target discovery efforts where they are needed.

Labelling

Labels can be an easy and non-invasive first step in your journey to protect information in Microsoft 365. Think of labels as a stamp that will travel with content across repositories. Labels can automatically apply watermarks, headers and footers to alert users that the content is sensitive. However, labels alone will not apply controls to the information.

Labels can be applied manually by users or automatically based on the characteristics of the information. Regardless of how labels are applied, for a successful label implementation you will need to engage with information owners and end users. Input from business stakeholders will provide business context and insight into the usage requirements of the information, ensuring fit-for-purpose configuration of labels.

Tip: do you have an information security classification framework? A good information security classification framework ensures consistent classification of all information across the organisation and identifies broad control requirements, guiding the configuration and application of labels. See QGISCF for an example of an information security framework.

Controls

Controls are applied by encrypting files, and encryption can be configured for each label. There are three steps to work through:

  1. Information. Clearly defined information assets are the key to successfully implementing controls. Define them too broadly and the controls will not be fit for purpose. Define them too granularly and you will need a lot of labels, causing confusion for users and complicating the implementation.
  2. People. Identify clearly who needs to access the information.
  3. Usage. Identify the actions that need to be performed by the users.

[Figure: The steps to working out controls for sensitivity labels in Microsoft 365]
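The three steps above, expressed as Security & Compliance PowerShell. This is an added example, not code from the original post. The label name, group addresses, chosen rights and offline-access value are hypothetical, and it assumes the ExchangeOnlineManagement module and a role that can create labels.

```powershell
# Added example: every name, address and value below is hypothetical.
Connect-IPPSSession   # Security & Compliance PowerShell session

# Step 1 - Information: one clearly scoped asset class maps to one label.
$labelName   = 'Confidential-HR-Casefiles'
$displayName = 'Confidential - HR case files'

# Step 2 - People, Step 3 - Usage: each group gets only the actions it needs.
$access = [ordered]@{
    'hr-case-managers@example.com' = 'VIEW','VIEWRIGHTSDATA','DOCEDIT','EDIT','PRINT'
    'hr-leadership@example.com'    = 'VIEW','VIEWRIGHTSDATA'
}

# Guard: OWNER is full control and includes the ability to remove protection,
# so stop if it slipped into the usage analysis for any group.
foreach ($entry in $access.GetEnumerator()) {
    if ($entry.Value -contains 'OWNER') {
        throw "OWNER granted to $($entry.Key); confirm with the information owner first."
    }
}

# Build the "identity:RIGHT,RIGHT;identity:RIGHT" string the cmdlet expects.
$rights = ($access.GetEnumerator() | ForEach-Object {
    '{0}:{1}' -f $_.Key, ($_.Value -join ',')
}) -join ';'

# Create the label with admin-defined (template) encryption.
New-Label -Name $labelName `
    -DisplayName $displayName `
    -Tooltip 'HR case files: restricted to HR case managers and HR leadership.' `
    -EncryptionEnabled $true `
    -EncryptionProtectionType Template `
    -EncryptionRightsDefinitions $rights `
    -EncryptionContentExpiredOnDateInDaysOrNever Never `
    -EncryptionOfflineAccessDays 7

# Read the label back so the configured actions can be reviewed with the
# information owner. Users only see the label once it is published in a
# label policy, which is a separate step.
Get-Label -Identity $labelName | Format-List Name, DisplayName, LabelActions
```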

Where to start

The key to effectively applying information protection is to find a balance between business needs and risk mitigation.

Start with the basics. Identify what information poses the biggest risk to your organisation and start there.

An information asset register and information security classification framework will help you start your journey.

Consultation and collaboration with business stakeholders is key!

Regardless of what stage of your information protection journey you are at, Breadcrumb Digital can help!