kpsingh69
Copper Contributor
Jun 13, 2023

Sensitivity label

We have set up a sensitivity label on SharePoint. The label policy allows users to view content, copy, and extract content. If a user copies and pastes the content to a new document, we want the user not to be able to send this new document outside the organization. Is there a way to control the newly created document?

  • Hello, kpsingh69

    Thank you for posting your question!

    To get a little more info to best help with this, can you help by answering the below?

    • Is there only one label deployed to users at this time?
    • Are you wanting to stop the file from being sent only if it contains sensitive data? Or stop it no matter the contents if it came from a labeled file?
    • Did you scope the encryption permissions to the entire organization, or a select set of users/groups?
    • kpsingh69
      Copper Contributor

      Thank you for your response!

      Is there only one label deployed to users at this time?
      We have a SharePoint Library and there is only one label set for all the documents in this library.

      Are you wanting to stop the file from being sent only if it contains sensitive data? Or stop it no matter the contents if it came from a labeled file?
      We are able to set up a DLP policy if the document still has the label. The issue is that if the user copies/extracts the content to a new Word file, the user can send this information out of the organization.

      Did you scope the encryption permissions to the entire organization, or a select set of users/groups?
      Select set of users
      • miller34mike
        Microsoft

        kpsingh69

         

        So, the label has already been applied to all files in that library, or you set it as a default label for the library, meaning it is getting applied to all new and existing files?

         

        The way you're going to best achieve this is by assigning this label as the default label through a policy, meaning any new document will automatically have that label applied the moment the file is created. This will make sure any content copied from the labeled file into the new document also has the label applied. However, this introduces issues where the default label is enforcing encryption. If you're just getting started with labels, you may want to consider something like the below configuration of labels and DLP. This is a sample table I keep handy when first working through label configurations to establish a baseline of security. The default label does not enforce encryption, meaning the wrong user cannot lock the file's encryption rights by applying a default label that enforces encryption, and DLP will keep that default label from leaving the organization.

         

        Internal access should be more controlled based on where the file is stored and the settings configured on that storage location. When external access is needed, you then leverage the labels that protect the file to ensure only the right people can access the content, with the right level of permissions.

         

         

         

        | Name | Description | Example | Scope | Visual Marking | Encryption |
        |---|---|---|---|---|---|
        | Public | Data that is approved for public consumption | Marketing announcements, general public updates | Items (File, Email) | None | None |
        | General | Business data that is not intended for public consumption - can be shared with external partners if necessary | Customer conversations that do not include sensitive info, Org chart, internal standards, internal communication | Items (File, Email) | | |
        | General \ Unrestricted | Not intended for public consumption but can be shared with external partners if necessary | | Items (File, Email) | None | None |
        | General \ All Employees | If external access is needed should change to "General \ Unrestricted" | | Items (File, Email) | None | None |
        | Confidential | Sensitive information that can cause harm to the company if shared with unauthorized people | Contracts, security reports, sales account data | Items (File, Email) | | |
        | Confidential \ Unrestricted | Confidential data that is not encrypted | | Items (File, Email) | Footer - Confidential | None |
        | Confidential \ All Employees | Confidential data that requires protection - full internal access - Data owners may track and revoke | | Items (File, Email) | Footer - Confidential | All users and groups - Co-author |
        | Confidential \ Trusted People | Confidential data that requires protection - Set to explicitly trusted people by owner - trusted users may re-share the content | | Items (File, Email) | Footer - Confidential | Let users assign permissions: Outlook - Encrypt only; Prompt users in Word, Excel, and PowerPoint |
        | Highly Confidential | Very sensitive business data that would cause harm to the company if shared with unauthorized people | Employee / customer information, passwords, source code, unreleased financial reports | Items (File, Email) | | |
        | Highly Confidential \ All Employees | All employees have full rights, data owners may track and revoke | | Items (File, Email) | Footer - Highly Confidential; Watermark - HIGHLY CONFIDENTIAL | All users and groups - Co-author |
        | Highly Confidential \ Specific People | Viewable only by specific people with specific access levels - assigned by the owner | | Items (File, Email) | Footer - Highly Confidential; Watermark - HIGHLY CONFIDENTIAL | Let users assign permissions: Outlook - Do Not Forward; Prompt users in Word, Excel, and PowerPoint |

         

        Default Label Policy

         

        | Name | Labels to assign | Default Label | Justification? | Require a label |
        |---|---|---|---|---|
        | Numeric Default Label Policy - All Employees | All | General \ All Employees | Yes, require a justification to lower the classification or remove the label | No |

         
         
        DLP
         

         

         
