Protect your Data – Stop losing control over it – Data Classification

In this blog post I will start the journey with the Classify and Label steps of our Information Protection Process, which is explained in my previous blog post. The first step in protecting your documents is to define which classifications you need. In my experience, it is easier to start with a few default classifications than to start with a big list that confuses your end users.

 

Well Known Classifications

As an example, we can use the well-known classification systems of the military or other big organizations. We can see that they rely on only five classifications:

| Classification | Description |
|---|---|
| Top Secret | Disclosure of top secret data would cause severe damage to national security. |
| Secret | Disclosure of secret data would cause serious damage to national security. This data is considered less sensitive than data classified as top secret. |
| Confidential | Confidential data is usually data that is exempt from disclosure under laws such as the Freedom of Information Act but is not classified as national security data. |
| Sensitive but Unclassified (SBU) | SBU data is data that is not considered vital to national security, but its disclosure would do some harm. Many agencies classify data they collect from citizens as SBU. |
| Unclassified | Unclassified is data that has no classification or is not sensitive. |

Or, for example, the business version:

| Classification | Description |
|---|---|
| Sensitive | Data that is to have the most limited access and requires a high degree of integrity. This is typically data that will do the most damage to the organization should it be disclosed. |
| Confidential | Data that might be less restrictive within the company but might cause damage if disclosed. |
| Private | Private data is usually compartmental data that might not do the company damage but must be kept private for other reasons. Human resources data is one example of data that can be classified as private. |
| Proprietary | Proprietary data is data that is disclosed outside the company on a limited basis or contains information that could reduce the company’s competitive advantage, such as the technical specifications of a new product. |
| Public | Public data is the least sensitive data used by the company and would cause the least harm if disclosed. This could be anything from data used for marketing to the number of employees in the company. |

Let us start smart and not plan for more classifications at the beginning. Only if you want to protect a specific workflow with special permissions should you define a special classification for that type of document.

The most important part is to define the rules for the different classifications and to make sure your employees are aware of them. Otherwise, they will not classify documents correctly. If you own the Azure Information Protection P2 subscription, you can also automate classification based on content. For example, you can detect whether a specific pattern, such as a credit card number, is found and automatically classify the document with the Private label.

 

Labels / Classification

A label defines:

  • whether the content is protected/encrypted by Azure RMS.
  • whether a visual marking is added.
  • the conditions and rules for automatic labeling with Azure Information Protection P2.

The configuration of a label looks like this:

[Image: AIP Label and Classification]

Side note: classifications are called labels in Azure Information Protection.

The classifications that are available by default in Azure Information Protection are a good starting point and are shown in the following table.

| Label | Tooltip |
|---|---|
| Personal | Non-business data, for personal use only. |
| Public | Business data that is specifically prepared and approved for public consumption. |
| General | Business data that is not intended for public consumption. However, this can be shared with external partners, as required. Examples include a company internal telephone directory, organizational charts, internal standards, and most internal communication. |
| Confidential | Sensitive business data that could cause damage to the business if shared with unauthorized people. Examples include contracts, security reports, forecast summaries, and sales account data. |
| Highly Confidential | Very sensitive business data that would cause damage to the business if it was shared with unauthorized people. Examples include employee and customer information, passwords, source code, and pre-announced financial reports. |

 

Scoped Labels

You can create scoped labels, which are only available to specific users. This does not block other users' access to the documents; they just cannot classify documents with these labels.

 

End User Experience

In Word you will then see the following information once a label has been selected:

If you would like to read more about how to define the Azure RMS protection, read my next blog post and follow me on Twitter @ThomasKurth_CH.

Thomas Kurth

Principal Workplace Consultant at baseVISION AG
I have worked on workplace management and enterprise mobility projects with Microsoft technologies for seven years. It is important to me to simplify and automate operational processes, because that is where the highest costs are.
