Tuesday, March 8, 2022

Part 2e – Using Multiple Sensitivity Labels

paint_by_numbers_splash_picture.jpg

 

Disclaimer

This document is not meant to replace any official documentation, including those found at docs.microsoft.com.  Those documents are continually updated and maintained by Microsoft Corporation.  If there is a discrepancy between this document and what you find in the Compliance User Interface (UI) or inside of a reference in docs.microsoft.com, you should always defer to that official documentation and contact your Microsoft Account team as needed.  Links to the docs.microsoft.com data will be referenced both in the document steps as well as in the appendix.

All of the following steps should be done with test data, and where possible, testing should be performed in a test environment.  Testing should never be performed against production data.

 

Target Audience

The Information Protection section of this blog series is aimed at Security and Compliance officers who need to properly label data, encrypt it where needed.

 

Document Scope

This document is meant to guide an administrator who is “net new” to Microsoft E5 Compliance through.

We will be discussing multiple Sensitivity Labels and how they work.

  • How multiple Sensitivity labels work together
  • Examples of how to multiple Sensitivity labels can be laid out.

It is presumed that you already have a Sensitive Information Type that you want to use in your Information Protection policy.  For the purposes of this document, I will use a copy of the U.S. Social Security Number (SSN) called “U.S. SSN – Numbers Only” that I created in Part 1 of this blog series. 

It is presumed that you already have multiple Sensitivity labels created for your testing.

This document is only meant to be an introduction to the topic of multiple Sensitivity labels.  Always refer back to official Microsoft documentation or your Microsoft account team for the latest information.

 

Out-of-Scope

This document does not cover any other aspect of Microsoft E5 Compliance, including:

  • Sensitive Information Types
  • Exact Data Matching
  • Data Protection Loss (DLP) for Exchange, OneDrive, Devices
  • Microsoft Cloud App Security (MCAS)
  • Records Management (retention and disposal)
  • Overview of Advanced eDiscovery (AeD)
  • Reports and Analytics available in of Advanced eDiscovery (AeD)
  • Insider Risk Management
  • Privacy Management

It is presumed that you have a pre-existing of understanding of what Microsoft E5 Compliance does and how to navigate the User Interface (UI).

It is also presumed you are using an existing Information Types (SIT) or an Exact Data Match (EDM) that you have created for your testing.

We will not be covering the auto-labeling of data at rest.  That will be covered in another blog post and those auto-labeling policies should not be done until after you have locked down your Sensitivity labeling of all “net new” data.

 

 

 

Overview of Document

  1. How multiple Sensitivity labels work together
  2. Examples of how to multiple Sensitivity labels can be laid out.

 

Use Case

  • Using multiple Sensitivity labels in a single tenant

 

 

Definitions

  • Sensitivity Label – a metadata tag
  • Publish Label – making the metadata tag available to your tenant
  • Policy – The monitoring and applying of Sensitivity labels through the Microsoft tenant

 

Notes

  • How are conflicts resolved when it comes to Sensitivity labels?
    • The best way to understand this is the official chart and link below

 

James_Havens_0-1646269289587.png

 

 

 

Pre-requisites

  • You have read Part 2 of this blog series
  • You have created multiple Sensitivity labels for your testing.

 

Overview of Prioritization of Multiple Sensitivity Labels

  • Once you have published your Sensitivity label you will prioritize the policies based on what is the least restrictive label versus the most restrictive label.
  • What to know – In the Policies tab, the policy with the lowest “Order” number is listed at the top and the highest at the bottom.   Here is a screenshot from the Compliance Portal that explains this in a different way.

 

James_Havens_1-1646269289592.png

 

 

  • How to apply this –
    • You should place your lowest priority Sensitivity label policy at the top of the list of Sensitivity labels policies.  This will create a baseline of label.
    • You should then place your highest priority Sensitivity label policy at the bottom of the list. 

 

  • Tip #1 – The trick is to remember that the higher the number in the “Order” column the stricter the label.  This is a challenge because the order starts with 0 at the top and then as you go down, the “order” becomes greater.

 

  • Tip #2 – Place your Labels in the same order as your Policies so that no matter which tab you are on, you will know the priority of your labels

 

  • Example, the Sensitivity label policy positioned at Order #2 will be a more restrictive label than the Sensitivity label policy with positioned at Order #1

 

  • The following 3 examples will attempt to flesh this out.

 

Example #1 – 4 Sensitivity labels

 

Here is an example of how you might lay out 4 Sensitivity labels from the least restrictive to the most restrictive Sensitivity label.

 

Note – These applications labels will be based on which Sensitive Information Types (SITs) are associated with each.  We will not be covering these at this time because we are presuming you have configured your labels previously. 

 

Look at the following screenshot of 4 Sensitivity label policies and their order

 

James_Havens_2-1646269289598.png

 

 

  • The chart below lays out how the order of these will affect the docuement

 

Order

Label name

Priority of Sensitivity Label policy

0

Public Document Policy

Least Restrictive

1

Internal Document Policy

Second Least Restrictive

2

Secret Document Policy

Second Most Restrictive

3

Top Secret Document Policy

Most Restrictive

 

 

Example #2 – 3 labels with a one being a “Default” Sensitivity label

 

Here is an example of how you might lay out a “default” Sensitivity label policy and then layer on stricter Sensitivity labels policies based on the amount of Sensitive Information Types (SITs) found in a file/email.

 

Regard the following screenshot of 3 Sensitivity label policies and their order

 

 

 

James_Havens_3-1646269289601.png

 

 

  • The Default Label policy above will be applied to all new files/emails by default.
  • If the end user adds 1 piece of PHI data (ex. a social security number) to the file/email, then the “Sensitive” label will be applied.
  • If the user adds 2 piece of PHI data (ex. a social security number and a credit card number) to the file/email, then the “Highly Confidential” label will be applied.

 

  • The chart below shows how the Order column will map to both the label and the quantity of Sensitive Information Type (SIT) information in a file/email.

 

Order

Label

Numbers pieces of PHI data

0

Default

0

1

Sensitive

1

2

Highly Confidential

2

 

 

 

 

  • Tip – you should never have more than 1 “default” Sensitivity label and it should always be set at an “Order” of 0 in your policy list.  This is to avoid possible labeling conflicts of this particular type of label.  See blog Part 2a tk for more information on “default” Sensitivity labels.  Link is in the Appendix and Links below

 

 

Appendix and Links

 

 

 

 

 

 

 

 

Posted at https://sl.advdat.com/3HW8q4yhttps://sl.advdat.com/3HW8q4y