Forum Discussion
Best practice basics for Labels and DLPs to protect company data
Hi Sumo83,
Bit of a post - but I will give my best advice on this.
1.
Using access control does not encrypt your data, so that is not an issue for you, unless I misunderstood your question here. Using access control will limit the access to the document based on the permissions on the label.
Yes, I would use DLP to prevent the labeled data from being shared outside your org.
Also, co-authoring is required for "auto save" to be enabled; this also allows for collaboration on the item.
2.
I would use access control for that. Imagine project labels that only allow specific users / groups to access the data.
There is also the option of information barriers, but that comes at the cost of not being able to communicate or collaborate at all, meaning no Teams communication or anything is allowed. So for that reason I would go with access control.
3.
Did you remember to publish the label as well?
4.
For permissions in Outlook, it concerns the "Do not forward" and "Encrypt only" options; these are the permissions that are available for the user, the creator of the mail, to manage.
https://learn.microsoft.com/en-us/purview/encryption-sensitivity-labels#let-users-assign-permissions
5.
Yes, I would create a DLP policy that would manage this. Create a DLP policy, select only Exchange, and then start out from this and build on it. Something like this could work for you; in this picture I assume that you are abc.com.
Of course you can tie this to a label as well if you want to, but this should catch all; it's very basic and leaves room for some changes.
- sumo83, May 17, 2024, Iron Contributor
Hi JesperRaarup
Not sure how I missed your post 🙂 ... Thanks for your input.... All info will help to point me in the right direction.
Just one thing about Point 1 - enabling "Access Control" and encryption - as I can read on the official MS site, it should indeed enable encryption if "Access Control" is used and "Configure access control setting" is selected - see the picture below. So I understand it that - if I use/enable this option - for example for a "Confidential" label that would restrict access to groups that I select, it will also automatically encrypt the content (document, email, etc.).
So as I understand - if I want to restrict access within the Label configuration (Access control), it will restrict it to the users/groups etc. that I specify, but will also encrypt it automatically?
- sumo83, May 17, 2024, Iron Contributor
I would like to add one more thing - I have tried to configure a DLP policy that will check for the CONFIDENTIAL label as a condition & "is sent outside organization" ... no action configured.... and enabled user notification. I would expect that when adding an external email address to "To:" in an email, the message will pop up before it is sent.... However, nothing is happening. Is that maybe an E5 license requirement?
Also, is there a way to create a user tip message that would require clicking a kind of "CONFIRM" button before an email is sent? I'm looking to have a label that can be sent externally, but users must confirm it so that they are 100% aware they are sending this sensitive data outside the company....
PS: I have M365 E3 + M365 E5 Security addon
I guess I saw it in the past... but can't find any good info now....
- terryhugill, May 19, 2024, Brass Contributor
sumo83, it sounds like you need the option captured in the image. Make sure you check this out to understand the requirements: https://go.microsoft.com/fwlink/?linkid=2238924