When working with clients to deploy Syskit Point, we often encounter a recurring challenge: selecting the right sensitivity labels taxonomy for their Microsoft 365 environments.
Many organizations struggle to define a framework that balances security needs with ease of use for employees. Over the years and through numerous client engagements, we’ve identified the most common and effective sensitivity labels used in Microsoft 365 deployments.
In this post, I am sharing some of those real-world examples to help guide you in building your own tailored sensitivity label taxonomy.
Label Name | Sensitivity Level | Description | Applicable Industry | Company Size | Source |
---|---|---|---|---|---|
Public | Low | Freely shareable information (e.g., marketing materials). | General | Small/Medium | ISO 27001, NIST SP 800-53 |
Internal | Low | Internal use, not highly sensitive (e.g., meeting notes). | General | Small/Medium | ISO 27001, NIST SP 800-53 |
Confidential | Medium | Sensitive data like contracts or financial reports. | General | Small/Medium | ISO 27001, NIST SP 800-53 |
Highly Confidential | High | Critical information, e.g., legal or personal data. | General | Small/Medium | ISO 27001, NIST SP 800-53 |
Unrestricted/Public | Low | No risk data, can be shared with external parties. | General | Large | Government compliance |
Low Sensitivity | Low | General internal information (e.g., policy documents). | General | Large | ISO 27001 |
Private/Internal-Use Only | Medium | Sensitive internal data (e.g., personnel files). | General | Large | ISO 27001 |
Restricted/Confidential | High | Highly sensitive info like client or audit data. | General | Large | ISO 27001 |
Top Secret/Classified | Top Secret | Critical and classified data, risk of serious consequences if leaked. | Government/Defense | Large | Government/Defense standards |
Public Health Information (PHI) | Low | Public health statistics, open health advisories. | Healthcare | All | HIPAA |
Internal Operations | Low | General internal operations, without sensitive PHI. | Healthcare | All | HIPAA |
Confidential Medical Records | Medium | Patient health data, subject to HIPAA regulations. | Healthcare | All | HIPAA |
Regulated/Highly Confidential | High | Strictly regulated medical information or trial data. | Healthcare | All | HIPAA |
Public Financial Information | Low | Financial data available in public reports. | Financial Services | All | SOX, GDPR |
Internal Financial Data | Low | Internal operational data, e.g., budget plans. | Financial Services | All | SOX, GDPR |
Confidential Client Information | Medium | Client-sensitive data like loan applications. | Financial Services | All | SOX, GDPR |
Highly Restricted | High | Data related to internal audits, proprietary algorithms. | Financial Services | All | SOX, GDPR |
Proprietary | Medium | Company intellectual property or trade secrets like product designs or software. | Manufacturing, Tech | All | ISO 27001, Intellectual Property Law |
Client Confidential | Medium | Data shared by clients under confidentiality agreements, such as contracts. | Legal, Consulting | All | Client Contracts, GDPR |
Export Controlled | High | Information subject to export control laws (e.g., technical drawings or software). | Defense, Aerospace | Large | ITAR, Export Compliance |
Board Materials | High | Documents for the board of directors, including strategic plans and financials. | All | Medium/Large | Corporate Governance |
Legal Hold | High | Data preserved due to ongoing legal proceedings like emails and contracts. | Legal, Corporate | All | E-Discovery, Legal Compliance |
Sensitive Personal Data | High | Personally identifiable information (PII) subject to regulations like GDPR. | All | All | GDPR, CCPA |
Contractual Information | Medium | Data contained in contracts with third parties or suppliers. | Legal, Procurement | All | Contract Law |
HR Confidential | Medium | Employee data, including performance reviews and salary information. | All | All | Employment Law, GDPR |
Research & Development (R&D) | High | Sensitive data related to product or service innovation or lab results. | Pharmaceuticals, Tech | Medium/Large | Research Confidentiality Agreements |
Investor Relations | Medium | Documents shared with investors, including earnings reports and forecasts. | Finance, Public Companies | Medium/Large | SEC Regulations, Financial Reporting |
Crisis Management | High | Plans for crisis response, including communication strategies and risk assessments. | All | All | Risk Management Standards |
Restricted Intellectual Property | High | Pending patents, proprietary technologies in development. | Tech, Biotech | All | Intellectual Property Law |
Supplier Information | Medium | Confidential data about suppliers, including pricing or proprietary details. | Manufacturing, Retail | All | Contract Law |
Sensitive Financial Data | High | Sensitive financial records like loan agreements or risk assessments. | Finance, Insurance | Large | SOX, Financial Regulatory Standards |
Government Restricted | Top Secret | Government-classified information like military contracts or state secrets. | Defense, Government | Large | Government Classification Standards |
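To show how a taxonomy from the table turns into an actual label configuration, here is an added example (not code from the original post or from Syskit) that creates the four-level "General / Small-Medium" set (Public, Internal, Confidential, Highly Confidential) with Security & Compliance PowerShell from the ExchangeOnlineManagement module, publishes them with a label policy, and then checks that the label priorities follow the taxonomy order. The cmdlets (`Connect-IPPSSession`, `New-Label`, `New-LabelPolicy`, `Get-Label`) are the real Purview cmdlets; the domain `contoso.example`, the policy name and the per-level protection settings (footer marking, encryption rights, offline access window, private sites, no guest access) are assumptions chosen for illustration, not settings the post prescribes.

```powershell
# Added example (not from the original post or Syskit): implements the four-level
# "General / Small-Medium" taxonomy from the table as Microsoft Purview sensitivity
# labels using Security & Compliance PowerShell (ExchangeOnlineManagement module).
# Assumptions: a Compliance admin account, the placeholder domain "contoso.example"
# standing in for the organisation's verified domain, and the protection settings
# per level below, which are illustrative rather than prescribed by the post.

Connect-IPPSSession   # prompts for a Compliance admin sign-in

$orgDomain = 'contoso.example'   # PLACEHOLDER: replace with your verified tenant domain

# Ordered least -> most sensitive. Creation order drives the label priority, and
# priority is what Purview uses to decide what counts as a downgrade.
$taxonomy = @(
    @{ Name = 'Public';              Level = 'Low';    Tooltip = 'Freely shareable information, e.g. marketing materials.' }
    @{ Name = 'Internal';            Level = 'Low';    Tooltip = 'Internal use, not highly sensitive, e.g. meeting notes.' }
    @{ Name = 'Confidential';        Level = 'Medium'; Tooltip = 'Sensitive data such as contracts or financial reports.' }
    @{ Name = 'Highly Confidential'; Level = 'High';   Tooltip = 'Critical information, e.g. legal or personal data.' }
)

foreach ($label in $taxonomy) {
    # Settings common to every level: the label applies to files, mail, sites and groups.
    $params = @{
        Name        = $label.Name
        DisplayName = $label.Name
        Tooltip     = $label.Tooltip
        Comment     = "Sensitivity level: $($label.Level)"
        ContentType = 'File, Email, Site, UnifiedGroup'
    }

    switch ($label.Name) {
        'Internal' {
            # Visible marking only; no encryption, so internal workflows keep working.
            $params.ApplyContentMarkingFooterEnabled = $true
            $params.ApplyContentMarkingFooterText    = 'Internal use only'
        }
        'Confidential' {
            # Encrypt with rights for the whole organisation: readable inside the
            # tenant, unusable if a copy leaves it. Labelled sites/groups go private.
            $params.EncryptionEnabled                = $true
            $params.EncryptionProtectionType         = 'Template'
            $params.EncryptionRightsDefinitions      = "${orgDomain}:VIEW,EDIT,PRINT,EXTRACT"
            $params.EncryptionOfflineAccessDays      = 7
            $params.ApplyContentMarkingHeaderEnabled = $true
            $params.ApplyContentMarkingHeaderText    = 'Confidential'
            $params.SiteAndGroupProtectionEnabled    = $true
            $params.SiteAndGroupProtectionPrivacy    = 'Private'
        }
        'Highly Confidential' {
            # Tighter rights (no print/extract), shorter offline window, watermark,
            # and no guest access on labelled sites/groups.
            $params.EncryptionEnabled                             = $true
            $params.EncryptionProtectionType                      = 'Template'
            $params.EncryptionRightsDefinitions                   = "${orgDomain}:VIEW,EDIT"
            $params.EncryptionOfflineAccessDays                   = 1
            $params.ApplyWaterMarkingEnabled                      = $true
            $params.ApplyWaterMarkingText                         = 'Highly Confidential'
            $params.SiteAndGroupProtectionEnabled                 = $true
            $params.SiteAndGroupProtectionPrivacy                 = 'Private'
            $params.SiteAndGroupProtectionAllowAccessToGuestUsers = $false
        }
        # 'Public' gets no protection: it is the explicit "nothing to protect" marker.
    }

    New-Label @params | Out-Null
}

# Publish all four labels to every user, and require a justification when a user
# picks a lower-priority label than the one already applied.
New-LabelPolicy -Name 'Default sensitivity labels' `
    -Labels ($taxonomy | ForEach-Object { $_.Name }) `
    -ExchangeLocation All -SharePointLocation All -ModernGroupLocation All `
    -AdvancedSettings @{ RequireDowngradeJustification = 'true' } | Out-Null

# Check: priority must increase with the taxonomy's sensitivity level. If the labels
# end up in another order, downgrade detection is wrong for the affected levels.
$labels   = Get-Label | Where-Object { $taxonomy.Name -contains $_.Name } | Sort-Object Priority
$expected = $taxonomy | ForEach-Object { $_.Name }
$actual   = $labels   | ForEach-Object { $_.Name }
if (-not (Compare-Object $expected $actual -SyncWindow 0)) {
    Write-Host 'Label priorities match the taxonomy order.'
} else {
    Write-Warning 'Label priority order differs from the taxonomy; correct it with Set-Label -Priority.'
    $labels | Format-Table Priority, Name, EncryptionEnabled, SiteAndGroupProtectionEnabled
}
```

The final check is worth keeping as a standing step: `Get-Label` priority, not display name, is what Purview uses to rank labels, so a label created out of order (or one added later for another tier of the table) silently changes which transitions count as a downgrade. Running the comparison before pointing Syskit Point at the tenant confirms the taxonomy you documented is the one the tenant actually enforces.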