Microsoft Information Protection Best Practices

Most companies have now started to realize that they need to improve how important and sensitive information is protected in Microsoft 365 and beyond. This could be sensitive market information, commercial information, information about customers and staff, and other information that should not leave the organization.

Why information protection:

The first step in improving information protection is to identify the type of information that should be protected (know your data). Many companies have therefore implemented a policy that all information should have a security / confidentiality classification, e.g. OPEN, INTERNAL, RESTRICTED, CONFIDENTIAL.

Common security classification problems we often see:

Start, therefore, by evaluating whether your security classification model should be simplified and improved.

Best practices for security classification

Here are some emerging best practices for security classification models:

  1. Establish only a few top-level classification levels – The fewer the options, the easier it will be for users and machines to pick the correct security classification, e.g. OPEN, INTERNAL, RESTRICTED, CONFIDENTIAL.
  2. Only have sub-levels when this is justified – Security classification models may have sub-classes, e.g. CONFIDENTIAL – EXECUTIVES. Only implement a sub-level when it requires separate protection or permissions, e.g. when the information should only be accessible to executives.
  3. Consider linking access to security classification levels – It may be easier for users to select the correct classification level if they understand who will have access, e.g. INTERNAL is available to all staff, RESTRICTED only to some staff, and CONFIDENTIAL only to named users.
  4. Ensure the naming makes sense for users – Ensure users really understand what the different labels mean, e.g. OPEN is information that can be shared outside your organization, whereas INTERNAL is information that can be shared widely inside your organization.
  5. Identify key words and phrases for each classification level – This makes it easier for both users and machines (auto-labelling) to classify information correctly.
  6. Ensure users only see relevant security classification levels – If OPEN means that information may be shared with everybody outside your organization, then only some users will have the mandate to apply it. If CONFIDENTIAL is highly sensitive, then only users with the appropriate background check should be able to use this level.
  7. Decide if users should classify all information, or only exceptions – Requiring users to classify every file improves the maturity of the organization, but requires more work from users. The alternative is to set default security classifications on systems and workspaces, and only require users to act when a file's classification differs from the default. The latter is more difficult to implement, and the impact is often that sensitive information is not classified correctly.
  8. Establish increased protection levels per classification level – Start by defining how information at the lowest classification level will be protected, then what additional protection applies at the next level, and so on.
  9. Find the correct balance between openness and control – Ensure staff have access to the information they need while sensitive information is protected.
  10. Define use cases for external sharing of sensitive information – External users should be able to access protected information only when you intend them to.

Also ensure that all users know whom to contact when they are unsure of the correct security classification, or when they identify a risk for a document or workspace.

Case study: UK government

The UK government used to classify information as UNCLASSIFIED, PROTECT, RESTRICTED, CONFIDENTIAL, SECRET and TOP SECRET. It realized that this system was designed for paper-based records, was not easily adapted to modern government work, and was not widely understood. The UK government therefore changed its security classification model to three levels: OFFICIAL, SECRET and TOP SECRET. This is simpler than the old model, and there is no direct mapping between the old and new classifications. “Unclassified” is deliberately omitted from the new model. Government bodies are not expected to automatically re-mark existing data, so organizations working under the new system may still handle some data labelled according to the old one. Aggregation does not automatically trigger an increase in protective marking: a database with thousands of records that are individually OFFICIAL should not be marked as a SECRET database. Instead, information owners are expected to make control decisions based on a risk assessment, considering what the aggregated information is, who needs access to it, and how.

The OFFICIAL classification covers up to 90% of public sector business, including most policy development, service delivery, legal advice, personal data, contracts, statistics, case files and administrative data. Particularly sensitive OFFICIAL information is managed through local handling schemes that reinforce the “need to know” principle. The SECRET classification concentrates security resources on particularly sensitive defence, diplomatic and other assets requiring protection against heightened threats. The TOP SECRET classification continues to provide extremely high levels of protection for exceptionally sensitive assets; very little change is expected to the standards and procedures applicable at TOP SECRET.

Almost all personal data will be handled within OFFICIAL without a caveat or descriptor; this includes personal data and sensitive personal data as defined by the DPA, except where other special sensitivity considerations apply. Personal data shall only be managed at SECRET where the context warrants protection against a heightened threat profile. All information must be subject to appropriate protection. There is no assumption of unfettered access at any level in the classification policy, although the principles of openness, transparency and reuse of information must be considered. All personal data is subject to the “need to know” principle, and it is the responsibility of Information Asset Owners (IAOs) to ensure that this is enforced for the personal data for which they are responsible.

The OFFICIAL-SENSITIVE caveat should be used where the “need to know” must be enforced most strictly, especially where information may be shared outside of a routine or well-understood business process, for example where loss or compromise of the information could have seriously harmful consequences for an individual or group of individuals. In such cases there is a clear and justifiable requirement to reinforce the “need to know” principle particularly strictly across the organization. Descriptors are used only under very specific circumstances, to identify certain categories of information already marked OFFICIAL-SENSITIVE, in the format ‘OFFICIAL-SENSITIVE [DESCRIPTOR]’.

Microsoft Information Protection Best Practices

Microsoft Information Protection (MIP) is Microsoft's framework for classifying, labelling and protecting information. Its protection capability works like a Digital Rights Management (DRM) solution: encryption and usage rights are embedded directly into the file, so the file stays protected regardless of where it is stored or with whom it is shared. This is different from, and complementary to, more traditional security measures such as access controls on a document library or file share, which only protect the file while it sits in that location.

MIP components:

MIP primary benefits:

Data Loss Prevention

Discover user and application behaviour to prevent accidental sharing of sensitive data.

Please note that in jurisdictions with privacy regulations, you may only start monitoring user behaviour once you have an approved reason for doing so. As part of establishing a DLP program, agree with Legal and your Data Privacy Officer the process for when such monitoring can be enabled.

Impact Reduction

Scenario 1 – without MIP

Scenario 2 – with MIP

Automation is key to success

We can leverage Microsoft Sensitive Information Types, Trainable Classifiers, Syntex, and Metadata to automate the identification of sensitive data.
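To make the automation concrete, here is an added illustration (not Infotechtion's code and not Microsoft's engine) of how the per-level key words and phrases from best practice 5 combine with a pattern-based Sensitive Information Type into a single labelling recommendation. Everything in it is assumed or constructed for the example: the level names, the keyword lists, the one payment-card SIT (primary pattern, Luhn checksum, supporting keywords within a proximity window, confidence values), the workspace default of INTERNAL and the sample documents. It also shows two failure modes a practitioner cares about: a number that looks like a card number but fails the checksum is not a match at all, and a genuine match with no supporting evidence stays below the confidence threshold and does not raise the label.

```python
"""
Small model of automated classification, combining per-level keyword lists
with a pattern-based Sensitive Information Type (SIT).
Added illustration only: not Microsoft's engine and not Infotechtion code.
Level names, keyword lists, the SIT definition, proximity window, confidence
values and sample documents are all assumed/constructed for the example.
"""
import re
from dataclasses import dataclass
from typing import Callable, Optional

# Classification levels in ascending order of sensitivity.
LEVELS = ["OPEN", "INTERNAL", "RESTRICTED", "CONFIDENTIAL"]
# Assumed workspace default: users only act on exceptions.
DEFAULT_LEVEL = "INTERNAL"


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; payment-card SITs use it to discard look-alike numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


@dataclass
class SensitiveInfoType:
    """Mirrors the shape of a custom SIT: a primary pattern, an optional
    checksum, supporting keywords that must sit within a proximity window,
    and a confidence that depends on how much evidence was found."""
    name: str
    primary: "re.Pattern[str]"
    supporting: tuple
    level: str                      # label to recommend on a confident match
    checksum: Optional[Callable[[str], bool]] = None
    proximity: int = 300            # characters either side of the match
    high_confidence: int = 85       # primary element plus supporting evidence
    low_confidence: int = 65        # primary element only

    def find(self, text: str) -> list:
        hits = []
        for m in self.primary.finditer(text):
            raw = re.sub(r"[ -]", "", m.group())
            if self.checksum and not self.checksum(raw):
                continue            # looks like a card number, fails checksum: no match
            lo, hi = max(0, m.start() - self.proximity), m.end() + self.proximity
            supported = any(k in text[lo:hi].lower() for k in self.supporting)
            hits.append({"sit": self.name, "match": m.group(),
                         "confidence": self.high_confidence if supported else self.low_confidence})
        return hits


# Constructed catalogue: one SIT plus keyword lists per level.
SITS = [
    SensitiveInfoType(
        name="Payment card number",
        primary=re.compile(r"\b(?:\d[ -]?){12,18}\d\b"),   # 13 to 19 digits, optional separators
        supporting=("card", "credit", "visa", "mastercard", "expiry", "cvv"),
        level="CONFIDENTIAL",
        checksum=luhn_ok,
    ),
]
LEVEL_KEYWORDS = {
    "CONFIDENTIAL": ("board paper", "merger", "acquisition target"),
    "RESTRICTED": ("salary", "performance review", "customer list"),
    "INTERNAL": ("internal only", "all-hands"),
}


def classify(text: str, current_label: Optional[str] = None, min_confidence: int = 75) -> dict:
    """Recommend a label for a document.

    The highest level with evidence wins; a SIT hit below min_confidence is
    recorded as evidence but does not raise the level; and an existing label
    of higher sensitivity is never downgraded, mirroring the rule that
    auto-labelling should not replace a more sensitive label.
    """
    def rank(lvl: str) -> int:
        return LEVELS.index(lvl)

    level, evidence, lowered = DEFAULT_LEVEL, [], text.lower()
    for lvl, words in LEVEL_KEYWORDS.items():
        for w in words:
            if w in lowered:
                evidence.append({"keyword": w, "level": lvl})
                level = max(level, lvl, key=rank)
    for sit in SITS:
        for hit in sit.find(text):
            evidence.append(hit)
            if hit["confidence"] >= min_confidence:
                level = max(level, sit.level, key=rank)
    if current_label:
        level = max(level, current_label, key=rank)
    return {"level": level, "evidence": evidence}


if __name__ == "__main__":
    # Constructed sample documents.
    samples = {
        "deposit": "Please charge the deposit to card 4111 1111 1111 1111, expiry 12/27.",
        "order": "Order ref 4111 1111 1111 1111 shipped to the warehouse yesterday.",
        "lookalike": "Reference number 4111 1111 1111 1112 for the all-hands.",
        "hr": "Attached: salary review for the engineering team.",
        "press": "Press release: new office opens in Oslo.",
    }
    for name, doc in samples.items():
        print(f"{name:10} -> {classify(doc)['level']}")
```

Note what the model cannot do: the press release comes out as INTERNAL, not OPEN, because nothing in the content proves it may leave the organization. Marking information down to OPEN is a decision for the users who hold that mandate (best practice 6), which is why the default is the safe middle level and the engine only ever raises it. The real Sensitive Information Types and trainable classifiers are configured in Microsoft Purview, not reimplemented like this; the point of the sketch is the decision logic, not the matching engine.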

For users, it means the following options:

At Infotechtion, we recommend the following journey to improve the protection of information in Microsoft 365 and beyond, leveraging all available Microsoft 365 E3 and E5 features.

Contact us to learn more about this.