Forum Discussion
Sensitivity label
Is there only one label deployed to users at this time?
We have a SharePoint Library and there is only one label set for all the documents in this library.
Are you wanting to stop the file from being sent only if it contains sensitive data? Or stop it no matter the contents if it came from a labeled file?
We are able to setup a DLP policy if the document still has the label. The issue is that if the user copies/extracts the content to a new word file, the user can send this information out of the organization.
Did you scope the encryption permissions to the entire organization, or a select set of users/groups?
Select set of users
So, the label has already been applied to all files in that library, or you set it as a default label for the library, meaning it is getting applied to all new and existing files?
The way you're going to best achieve this is by assigning this label as the default label through a policy, meaning any new document will automatically have that label applied the moment the file is created. This will make sure any content copied from the labeled file into the new document also has the label applied. However, this introduces issues where the default label is enforcing encryption. If you're just getting started with labels, you may want to consider something like the below configuration of labels and DLP. This is a sample table I keep handy when first working through label configurations to establish a baseline of security. The default label does not enforce encryption, meaning the wrong use cannot lock the file's encryption rights by applying a default label that enforces encryption, and DLP will keep that default label from leaving the organization.
Internal access should be more controlled based on where the file is stored and the settings configured on that storage location. When external access is needed, you then leverage the labels that protect the file to ensure only the right people can access the content, with the right level of permissions.
Name | Description | Example | Scope | Visual Marking | Encryption |
Public | Data that is approved for public consumption | Marketing announcements, general public updates | Items (File, Email) | None | None |
General | Business data that is not intended for public consumption - can be shared with external partners if necessary | Customer conversations that do not include sensitive info, Org chart, internal standards, internal communication | Items (File, Email) |
|
|
General \ Unrestricted | Not intended for public consumption but can be shared with external partners if necessary |
| Items (File, Email) | None | None |
General \ All Employees | If external access is needed should change to "General \ Unrestricted" |
| Items (File, Email) | None | None |
Confidential | Sensitive information that can cause harm to the company if shared with unauthorized people | Contracts, security reports, sales account data | Items (File, Email) |
|
|
Confidential \ Unrestricted | Confidential data that is not encrypted |
| Items (File, Email) | Footer - Confidential | None |
Confidential \ All Employees | Confidential data that requires protection - full internal access - Data owners may track and revoke |
| Items (File, Email) | Footer - Confidential | All users and groups - Co-author |
Confidential \ Trusted People | Confidential data that requires protection - Set to explicitly trusted people by owner - trusted users may re-share the content |
| Items (File, Email) | Footer - Confidential | Let users assign permissions: - Outlook - Encrypt only - Prompt users in Word, Excel, and PowerPoint |
Highly Confidential | Very sensitive business data that would cause harm to the company if shared with unauthorized people | Employee / customer information, passwords, source code, unreleased financial reports | Items (File, Email) |
|
|
Highly Confidential \ All Employees | All employees have full rights, data owners may track and revoke |
| Items (File, Email) | Footer - Highly Confidential Watermark - HIGHLY CONFIDENTIAL | All users and groups - Co-author |
Highly Confidential \ Specific People | Viewable only by specific people with specific access levels - assigned by the owner |
| Items (File, Email) | Footer - Highly Confidential Watermark - HIGHLY CONFIDENTIAL | Let users assign permissions: - Outlook - Do Not Forward - Prompt users in Word, Excel, and PowerPoint |
Default Label Policy
Name | Labels to assign | Default Label | Justification? | Require a label |
Numeric Default Label Policy - All Employees | All | General \ All Employees | Yes, require a justification to lower the classification or remove the label | No |
- So, the label has already been applied to all files in that library, or you set it as a default label for the library, meaning it is getting applied to all new and existing files?
The Label is getting applied to all new and existing files in the library
Thank you very much for your guidance! Let me try this.