Data Classification & Sensitivity Label Taxonomy

Published: March 2020

© 2020 Microsoft Corporation. All Rights Reserved.

Contents

Abstract (page 3)
Introduction (page 3)
What is Data Classification? (page 3)
What is a Data Classification Framework? (page 3)
Pain Points in Creating a Data Classification Framework (page 5)
Creating a Well-Designed Data Classification Framework (page 6)
Implementing Your Data Classification Framework in Microsoft 365 (page 8)
Mapping Data Classification Levels to Microsoft 365 Sensitivity Labels (page 9)
Determining how labels will be applied to content (page 10)
Change Management and Training (page 11)
Governance and Maintenance (page 12)
Industry Considerations (page 13)
See also (page 13)
Checklist for Success (page 14)

Abstract

This white paper is designed to help business leaders guide their organization through the process of creating or updating their Data Classification framework in the context of online services, including how to secure data in Microsoft 365 using Sensitivity Labels. Best practices, common pain points, and industry considerations are discussed, as well as links to helpful technical content that will be useful during implementation.

Introduction

Sensitive data presents significant risk to a company if it is stolen, inadvertently shared, or exposed through a breach. Risk factors include reputational damage, financial impact, and loss of competitive advantage. Undoubtedly, protecting the data and information your business manages is a top priority for your organization, but you may find it difficult to know if your current efforts are truly effective, given the sheer amount of content held by your enterprise.

In addition to volume, your content ranges in importance from highly sensitive and impactful to trivial and transient, and it can be under the purview of various regulatory compliance requirements. Knowing what to prioritize and where to apply controls can be a challenge. Read on to learn about Data Classification, an important tool at your disposal for protecting your content from theft, sabotage, or inadvertent destruction, and how Microsoft 365 can help translate your information security goals into reality.

What is Data Classification?

Data Classification is a specialized term used in the fields of cybersecurity and information governance to describe the process of identifying, categorizing, and protecting content according to its sensitivity or impact level. In its most basic form, data classification is a means of protecting your data from unauthorized disclosure, alteration, or destruction based on how sensitive or impactful it is.

What is a Data Classification Framework?

Often codified in a formal, enterprise-wide policy, a Data Classification framework typically consists of 3-5 classification levels, each of which usually includes three elements: a name, a description, and real-world examples. Microsoft recommends no more than 5 top-level parent labels, each with 5 sub-labels (25 total), to keep the User Interface (UI) manageable. Levels are typically arranged from least to most sensitive, such as Public, Internal, Confidential, and Highly Confidential. Other level name variations you may encounter include Restricted, Unrestricted, and Consumer Protected. Microsoft recommends label names that are self-descriptive and that highlight their relative sensitivity clearly. For instance, Confidential and Restricted may leave users guessing which is appropriate, while Confidential and Highly Confidential make it clearer which is more sensitive.

Example Data Classification Framework Level

Classification Level: Highly Confidential

Description: Highly Confidential data is the most sensitive type of data stored or managed by the enterprise and may require legal notifications if breached or otherwise disclosed. Restricted Data requires the highest level of control and security, and access should be limited to "need-to-know."

Examples: Sensitive Personally Identifiable Information (Sensitive PII); Cardholder Data; Protected Health Information (PHI); Bank Account Data

Lesson learned: Microsoft's corporate data classification framework originally used a category and label named 'Internal' during the pilot phase, but found that there were legitimate reasons for a document to be shared externally and shifted to using 'General'.

Another important component of a Data Classification framework is the controls associated with each level. It is important to note that Data Classification levels by themselves are simply labels (or tags) that indicate the value or sensitivity of the content. In order to actually protect that content, Data Classification frameworks define the controls that should be in place for each of your data classification levels. These controls may include requirements related to:

- Storage Type and Location
- Encryption
- Access Control
- Data Destruction
- Data Loss Prevention
- Public Disclosure
- Logging and Tracking Access
- Other control objectives, as needed

Your security controls will vary by data classification level, such that the protective measures defined in your framework increase commensurate with the sensitivity of your content. For example, your data storage control requirements will vary depending upon the media that is being used as well as upon the classification level applied to a given piece of content.

Example of data classification controls for a specific storage type

Storage Type: Removable Storage

Control by Data Classification Level:
- Confidential: Prohibited
- Internal: Prohibited unless encrypted
- Unrestricted: No control required

Correctly applying the right level of data classification can be complex in real-life situations and may sometimes overwhelm end users. Therefore, once a policy or standard has been created that defines the required levels of data classification, it remains important to also guide end users on how to bring this framework to life in their daily work. This is where data classification handling rules or guidelines come in.

Data classification handling guidelines will help end users with specific guidance on how to handle each level of data appropriately, for different storage media throughout their lifecycle. These guidelines help end users to correctly apply rules in practice, for instance when sharing documents, sending emails, or collaborating across different platforms and organizations. Microsoft customers indicate that approximately 50% of an Information Protection project is business focused rather than technical, so end-user training and communication is critical to success.
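One way to codify the level names and the 5 x 5 label limit described above as Microsoft 365 sensitivity labels, as an added example that is not part of the white paper. It assumes the ExchangeOnlineManagement module, a Security & Compliance PowerShell session with Compliance Administrator rights, and sub-label names and tooltips (other than the Highly Confidential description taken from the table above) that are constructed for illustration.

```powershell
# Added example, not from the white paper: create the level names above as
# Microsoft 365 sensitivity labels, with the 5 x 5 limit checked first.
# Assumes the ExchangeOnlineManagement module and Compliance Administrator rights.
Connect-IPPSSession   # opens a Security & Compliance PowerShell session

# Parents ordered least to most sensitive. 'General' is used instead of
# 'Internal', following the lesson learned above. The sub-label names and
# all tooltips except Highly Confidential are constructed illustrations.
$taxonomy = [ordered]@{
    'Public'              = @('Anyone')
    'General'             = @('All Employees')
    'Confidential'        = @('All Employees', 'Trusted People')
    'Highly Confidential' = @('All Employees', 'Specific People')
}
$tooltips = @{
    'Public'              = 'Data approved for public release.'
    'General'             = 'Routine business data that may be shared externally when needed.'
    'Confidential'        = 'Sensitive business data; limit to those with a business need.'
    'Highly Confidential' = 'The most sensitive data held by the enterprise; may require legal ' +
                            'notification if breached. Access is limited to need-to-know.'
}

# Microsoft recommends no more than 5 parents with 5 sub-labels each (25 total).
if ($taxonomy.Count -gt 5) { throw 'More than 5 top-level labels; simplify the framework.' }
foreach ($parent in $taxonomy.Keys) {
    if ($taxonomy[$parent].Count -gt 5) { throw "'$parent' has more than 5 sub-labels." }
}

# Create each parent, then its sub-labels. New labels are appended with the
# next priority, so creating the least sensitive level first leaves the most
# sensitive level with the highest priority.
$created = @()
foreach ($parent in $taxonomy.Keys) {
    New-Label -Name $parent -DisplayName $parent -Tooltip $tooltips[$parent] | Out-Null
    $created += $parent
    foreach ($sub in $taxonomy[$parent]) {
        $name = "$parent $sub"   # label Name must be unique across the tenant
        New-Label -Name $name -DisplayName $sub -ParentId $parent -Tooltip $tooltips[$parent] | Out-Null
        $created += $name
    }
}

# Publish all labels to users in one label policy.
New-LabelPolicy -Name 'Data Classification Framework' -Labels $created -ExchangeLocation All
```

Run it against a test tenant first; the controls tied to each level (encryption, access, DLP) are configured separately on the labels and policies once the taxonomy exists.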

Pain Points in Creating a Data Classification Framework

Data Classification efforts are by nature wide-reaching, touching nearly every business function within an enterprise. Because of this broad scope and the complexity of managing content in modern digital environments, companies often face challenges in knowing where to start, how to manage a successful implementation, and how to measure their progress. Common pain points include:
