Categories
Enterprise Mobility Information Protection

Getting Started with Sensitivity Labels for Files and Emails

Read Time: 3 minutes

All information is not equal.

Some documents or emails have private financial or health information and others have plans for lunch.

Sensitivity Labels within Microsoft 365 provides end-users the ability to classify their documents and emails to ensure a certain level of information protection to both their and the organization’s content.

Sensitivity Labels for files and emails allow staff to identify specific documents as more or less sensitive than others.

For example, a briefing note to senior leadership could be tagged as ‘confidential’, which would then add a “confidential” watermark added to the document and restrict it from being shared externally. Compliance officers would also be able to filter reports on documents marked as confidential.

Applying labels is easy.

Once Sensitivity Labels are created and published, individuals can choose to tag content directly within the application, providing them a seamless and low friction experience.

Emails can be tagged with their “sensitivity” when being drafted, and documents anytime they are opened. These features are available in both the installed applications and online browser based versions.

Sensitivity Labels allow individuals to mark files and emails with both different controls (e.g. allow internal access only) or using an existing information classification adopted or published by the organization (e.g. Protected A).

Options for controls are:

  • restrict/provide access to appropriate roles (and individuals)
  • create a watermarks, header, and/or footer on the document to communicate the document’s sensitivity.

Planning Sensitivity Labels

When planning Sensitivity Labels, it is important to consider certain key factors to ensure successful implementation and adoption.

  • Align to existing information security classification schemas where available
  • Leverage a cross-functional team to build the label business and technical requirements
  • A clear and concise set of details will ensure labels are used correctly, rather than providing too many options with language requiring a reference guide or training course
  • Ensure alignment, approval from all key stakeholders (not just IT or Cybersecurity), Sensitivity Labels can mark documents (potentially impacting existing templates) and more importantly can effect the ability to collaborate (restricting documents to internal only or subsets of internal users).

Implementation

  • Pilot the labels with a small group and collect feedback prior to implementation
  • If introduced into an active environment, consider a phased approach – avoid restricting access in bulk to focus on training and adoption, to build a cultural practice within the organization without impacting day-to-day activities

Resources

Learn about Sensitivity labels (Microsoft Docs)

Thank you for Reading

Questions? Comments? Feel free to reach out.

    Categories
    Governance

    Stay on top of Change in Microsoft 365

    Read Time: 4 minutes

    Change is Constant

    M365 apps and services are constantly being updated with new functionality and changes to our end-user experience. We may not need to worry about system downtime, but we do need to consider how we are going to lead our organization through frequent and impactful change.

    Whether we are change practitioners, M365 service owners, or simply advocates for cultural development within an enterprise, we need to:

    • Understand how changes will impact our organization, people, and their processes
    • Proactively planning to lead through the change rather than follow it
    • Communicate changes effectively to support our clients (e.g. users) and have them understand what is changing, why it is changing, and how they will be affected
    • Have a framework for measuring success based on the impact (e.g was there an increase in support calls due to a significant user experience update).

    Stay Ahead of Changes

    Microsoft provides multiple resources for us stay informed and understand upcoming changes to M365 services. We can access different information sources to collect, organize, and inform our required activities to manage change.

    Imminent Change: The M365 Weekly Digest (more info) provides summarized but critical information related to changes which should be planned for or communicated. This is typically only available to accounts with access to the Office 365 admin centre, but it can always be configured to email other users (or ideally a Microsoft Team for governing M365 without your organization).

    Future Change: The M365 Roadmap (link) provides a regularly updated list of features on the M365 Roadmap by application. Not only can we see what new features or tools which are in development (or rolling out) we can see the frequency of changes which are going to be implemented. For example, at the time of writing this, MS Teams has 22 features rolling out and 143 in development. The M365 Roadmap can also be used as a planning tool to identify and help prioritize (or de-prioritize) requests for custom development (when an out of the box tool may be available soon).

    Long Term Potential Change: Microsoft Office 365 User Voice (link) provides not only an opportunity to give feedback for consideration, but to see what activities have been added to the product backlog or are under consideration. It is not uncommon to have a capability requested by staff be an existing feature request in User Voice.

    Plan for Change

    Most organizations will establish a Microsoft 365 governance committee or steering committee to manage enhancements and updates to existing software or addition of new software and features. There is significant benefit to creating this group prior to M365 being implemented to ensure members are informed and aligned with decisions once operationalized.

    It is important upcoming changes and user impacts be reviewed and discussed with non-IT subject matter experts to ensure a well rounded understanding of the change and how it will affect the organization. Non-IT groups which can assist in planning can include cross-functional representation from teams such as Human Resources, Privacy, Information Management and Legal.

    Governance of M365 applications reaches far beyond technology needs and should have not only alignment, but cross-functional support. Cross-functional support is important not only to provide a unified front and incorporate business needs from different role groups within the organization, but also to incorporate organizational requirements not necessarily within the purview of IT staff. For example, some organizations disable recording of MS Teams meetings either due to internal privacy policies or information management retention requirements.

    Summary

    M365 services are regularly updated and added to. Microsoft provides us the tools to under the changes, but we need to engage our organization’s experts to appreciate their impact and plan accordingly to ensure good adoption of tools with practices aligned to our organizational needs.

    Resources

    Microsoft 365 change guide (Microsoft Docs)

    Becoming a Service Adoption Specialist (Microsoft Course)

    M365 Weekly Digest (Microsoft Docs)

    M365 Roadmap

    Office 365 User Voice

    Thank you for Reading

    Questions? Comments? Feel free to reach out.