Best Practices for Implementing Permissions


Greetings,

I'm looking for best practices in implementing Permissions in SharePoint that allow us to ensure we have protocols in place to secure PII and other confidential information.

3 Replies
@voneil

Hi, I would suggest beginning with DLP policies in the Security and Compliance Center at https://protection.office.com

You can configure based on built-in sensitive information types including PII. I'd recommend starting with a small pilot group of users and also set some policies in test mode with notifications to get going.
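
The pilot setup suggested in the reply above, sketched in Security & Compliance PowerShell. This is an added example, not part of the original thread; the policy name, rule name and site URL are placeholders.

```powershell
# Added example, not from the thread. Requires the ExchangeOnlineManagement module.
# Policy/rule names and the site URL below are placeholders (assumptions).
Connect-IPPSSession

$policyName = 'PII Pilot - SharePoint'
$pilotSite  = 'https://contoso.sharepoint.com/sites/hr-pilot'

# Scope the policy to a single pilot site and run it in test mode with
# notifications: matches are reported, but no protective action is enforced.
New-DlpCompliancePolicy -Name $policyName `
    -SharePointLocation $pilotSite `
    -Mode TestWithNotifications

# Match on a built-in sensitive information type (here: U.S. SSN),
# notify the document owner and last modifier, and send an incident
# report to the site admin so the pilot results can be reviewed.
New-DlpComplianceRule -Name "$policyName - SSN" `
    -Policy $policyName `
    -ContentContainsSensitiveInformation @{ Name = 'U.S. Social Security Number (SSN)'; minCount = '1' } `
    -NotifyUser Owner, LastModifier `
    -GenerateIncidentReport SiteAdmin

# Confirm the policy really is in test mode and scoped as intended.
Get-DlpCompliancePolicy -Identity $policyName |
    Format-List Name, Mode, SharePointLocation
```

Once the pilot's match reports look reasonable, the same policy can be switched to enforcement with `Set-DlpCompliancePolicy -Mode Enable` and its locations widened.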

DLP policies are good for catching data in documents or preventing data from being shared with PII with others in the company or outside your company etc. but do not really prevent people from seeing the data in documents etc.

If you want to keep documents secured to certain groups at rest etc. you will want to look into the direction of sensitivity labels. You can apply labels to documents and if you have the proper licensing can also apply these labels automatically based on logic. But these labels can have policies applied to them to prevent access etc. to these documents.

More about labels can be found here: https://docs.microsoft.com/en-us/microsoft-365/compliance/get-started-with-sensitivity-labels?view=o...
@Chris Webb

Yes, absolutely agree on Sensitivity Labels. I always begin with DLP, then look at Sensitivity labels next.

@voneil - if you want to look into Sensitivity Labels in addition to DLP, you will need to ensure that you have additional licensing for it. You will need either AIP P1, EM+S E3, or M365 E3 to implement Sensitivity labelling, or if you wanted the more advanced features - which include auto labelling, and the availability of the AIP scanner to protect on-premises content, then you will need EM+S E5 or M365 E5. There was previously a separate AIP P2 subscription for this, but Microsoft have recently discontinued this one.