In one of the previous posts, we discussed some sample taxonomies for implementing sensitivity labels in Microsoft 365. In this post, I want to shed some light on the process I recommend for implementing sensitivity labels in your company.
Sensitivity labels are often overlooked, but they are vital for information protection and data classification. Their strength is that they apply across different workloads, most notably files (in Microsoft Office), email, SharePoint, OneDrive, Teams, Power BI, and much more.
Labels
The first internal discussion you need to have is about defining a proper taxonomy. There are a couple of rules you should consider when thinking about your labels:
- Label names must be short (2-3 words): Labels are used in several apps, so each name has to be catchy and distinguishable.
- Group similar labels under the same parent label: This lets similar labels share some settings. It also makes it easier for end users to narrow down and choose the right label.
- Limit the deployment to 3-5 labels per scope: End users will struggle to memorize and fully understand more than five labels, so try to limit the number of labels you will use.
General Best Practices
Here are some general best practices to consider:
- Update your compliance policies (e.g., ISO, SOC2, HIPAA) with new information about sensitivity labels.
- Publish tooltips along with your label names to help guide users in choosing the right label.
- Publish a more detailed guide on sensitivity labels and data classification in your internal knowledge base.
- Leverage label colors to distinguish between labels.
- Think about how labels will impact:
  - Whether teams are private or public.
  - External sharing.
  - Sharing content with non-members (sharing links).
  - Access reviews.
  - Watermarks in documents.
  - Label restrictions and encryption.
  - Automatic classification.
Sample Sensitivity Labels Taxonomy
Here is a sensitivity labels taxonomy we decided to deploy:
Label | Description (Usage) | Private Team | Sharing to Non-Members | Sharing to External Users | Access Review Cadence
---|---|---|---|---|---
Highly Confidential | Content is visible only to members of the container/team; files cannot be shared externally or beyond members. | YES | NO | NO | 30 days
Confidential | Parent label for the two sublabels below. | | | |
↳ Confidential (Internal) | Internal Sharing: Content visible to members of the container/team, with the ability to invite other company employees and share files internally. | YES | YES | NO | 90 days
↳ Confidential (External) | Internal and External Sharing: Marked sensitive, but files can be shared with both internal and external users. | YES | YES | YES | 90 days
General Access | No restrictions on content sharing. | NO | YES | YES | 180 days
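
To make the table concrete, here is one way to create this taxonomy with Security & Compliance PowerShell. This is an added example, not a script from the original rollout: the internal label names, tooltips and policy name are constructed, and the mapping of the "external users" column to `SiteExternalSharingControlType` values is an assumption. Access review cadence and the default sharing-link behavior for non-members are configured outside of `New-Label` and are not covered.

```powershell
# Added example: requires the ExchangeOnlineManagement module and a compliance admin role.
Connect-IPPSSession

# One entry per row of the taxonomy table. Names and tooltips are constructed.
# Privacy  -> "Private Team" column
# Guests   -> "Sharing to External Users" column (guest membership in the team/group)
# Sharing  -> SharePoint external sharing for the labeled site (assumed mapping)
$taxonomy = @(
    @{ Name = 'HighlyConfidential'; DisplayName = 'Highly Confidential'
       Tooltip = 'Visible to team members only. No sharing outside the team.'
       Privacy = 'Private'; Guests = $false; Sharing = 'Disabled' }
    @{ Name = 'Confidential'; DisplayName = 'Confidential'
       Tooltip = 'Sensitive business content. Pick Internal or External.' }   # parent only
    @{ Name = 'ConfidentialInternal'; DisplayName = 'Confidential (Internal)'; Parent = 'Confidential'
       Tooltip = 'Can be shared with other employees, not with external users.'
       Privacy = 'Private'; Guests = $false; Sharing = 'Disabled' }
    @{ Name = 'ConfidentialExternal'; DisplayName = 'Confidential (External)'; Parent = 'Confidential'
       Tooltip = 'Sensitive, but can be shared with internal and external users.'
       Privacy = 'Private'; Guests = $true; Sharing = 'ExternalUserSharingOnly' }
    @{ Name = 'GeneralAccess'; DisplayName = 'General Access'
       Tooltip = 'No restrictions on content sharing.'
       Privacy = 'Public'; Guests = $true; Sharing = 'ExternalUserAndGuestSharing' }
)

foreach ($label in $taxonomy) {
    $params = @{
        Name        = $label.Name
        DisplayName = $label.DisplayName
        Tooltip     = $label.Tooltip
        ContentType = 'File, Email, Site, UnifiedGroup'
    }
    if ($label.Parent) { $params.ParentId = $label.Parent }

    # Container settings apply only to labels users can pick, not to the parent.
    if ($label.Privacy) {
        $params.SiteAndGroupProtectionEnabled                 = $true
        $params.SiteAndGroupProtectionPrivacy                 = $label.Privacy
        $params.SiteAndGroupProtectionAllowAccessToGuestUsers = $label.Guests
        $params.SiteExternalSharingControlType                = $label.Sharing
    }
    New-Label @params
}

# Labels are invisible to users until they are published in a label policy.
New-LabelPolicy -Name 'Company sensitivity labels' -Labels $taxonomy.Name -ExchangeLocation All
```

Run it against a test tenant first and review the result in the Microsoft Purview portal; container settings only take effect once sensitivity labels are enabled for groups and sites in the tenant.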
This guide should help streamline the rollout of sensitivity labels in your organization, making it easier to classify, protect, and manage your data across Microsoft 365 workloads.