Forum Discussion
Sensitivity label
We have setup Sensitivity label on SharePoint. Label policy allow users View content, Copy, and extract content. If a user copy and pastes the content to a new document, we want the user not be able to send this new document outside the organization. Is there a way to control the newly created document?
- miller34mikeMicrosoft
Hello, kpsingh69
Thank you for posting your question!
To get a little more info to best help with this, can you help by answering the below?
- Is there only one label deployed to users at this time?
- Are you wanting to stop the file from being sent only if it contains sensitive data? Or stop it no matter the contents if it came from a labeled file?
- Did you scope the encryption permissions to the entire organization, or a select set of users/groups?
- kpsingh69Copper ContributorThank you for your response!
Is there only one label deployed to users at this time?
We have a SharePoint Library and there is only one label set for all the documents in this library.
Are you wanting to stop the file from being sent only if it contains sensitive data? Or stop it no matter the contents if it came from a labeled file?
We are able to setup a DLP policy if the document still has the label. The issue is that if the user copies/extracts the content to a new word file, the user can send this information out of the organization.
Did you scope the encryption permissions to the entire organization, or a select set of users/groups?
Select set of users- miller34mikeMicrosoft
So, the label has already been applied to all files in that library, or you set it as a default label for the library, meaning it is getting applied to all new and existing files?
The way you're going to best achieve this is by assigning this label as the default label through a policy, meaning any new document will automatically have that label applied the moment the file is created. This will make sure any content copied from the labeled file into the new document also has the label applied. However, this introduces issues where the default label is enforcing encryption. If you're just getting started with labels, you may want to consider something like the below configuration of labels and DLP. This is a sample table I keep handy when first working through label configurations to establish a baseline of security. The default label does not enforce encryption, meaning the wrong use cannot lock the file's encryption rights by applying a default label that enforces encryption, and DLP will keep that default label from leaving the organization.
Internal access should be more controlled based on where the file is stored and the settings configured on that storage location. When external access is needed, you then leverage the labels that protect the file to ensure only the right people can access the content, with the right level of permissions.
Name
Description
Example
Scope
Visual Marking
Encryption
Public
Data that is approved for public consumption
Marketing announcements, general public updates
Items (File, Email)
None
None
General
Business data that is not intended for public consumption - can be shared with external partners if necessary
Customer conversations that do not include sensitive info, Org chart, internal standards, internal communication
Items (File, Email)
General \ Unrestricted
Not intended for public consumption but can be shared with external partners if necessary
Items (File, Email)
None
None
General \ All Employees
If external access is needed should change to "General \ Unrestricted"
Items (File, Email)
None
None
Confidential
Sensitive information that can cause harm to the company if shared with unauthorized people
Contracts, security reports, sales account data
Items (File, Email)
Confidential \ Unrestricted
Confidential data that is not encrypted
Items (File, Email)
Footer - Confidential
None
Confidential \ All Employees
Confidential data that requires protection - full internal access - Data owners may track and revoke
Items (File, Email)
Footer - Confidential
All users and groups - Co-author
Confidential \ Trusted People
Confidential data that requires protection - Set to explicitly trusted people by owner - trusted users may re-share the content
Items (File, Email)
Footer - Confidential
Let users assign permissions:
- Outlook - Encrypt only
- Prompt users in Word, Excel, and PowerPoint
Highly Confidential
Very sensitive business data that would cause harm to the company if shared with unauthorized people
Employee / customer information, passwords, source code, unreleased financial reports
Items (File, Email)
Highly Confidential \ All Employees
All employees have full rights, data owners may track and revoke
Items (File, Email)
Footer - Highly Confidential
Watermark - HIGHLY CONFIDENTIAL
All users and groups - Co-author
Highly Confidential \ Specific People
Viewable only by specific people with specific access levels - assigned by the owner
Items (File, Email)
Footer - Highly Confidential
Watermark - HIGHLY CONFIDENTIAL
Let users assign permissions:
- Outlook - Do Not Forward
- Prompt users in Word, Excel, and PowerPoint
Default Label Policy
Name
Labels to assign
Default Label
Justification?
Require a label
Numeric Default Label Policy - All Employees
All
General \ All Employees
Yes, require a justification to lower the classification or remove the label
No
DLP