Microsoft 365: DLP, Content Tagging, Information Protection
Content Tagging / Sensitivity Label
What are Sensitivity Labels?
Sensitivity labels are labels that may be used to identify or reveal information about a company's or an individual's sensitive characteristics. These labels can be used to protect the privacy of the company's data, customers and employees if handled appropriately.
Types of Sensitive Information
PII (Personally Identifiable Information)
Personally Identifiable Information (PII) is any information that can be used to identify a specific individual. Examples of PII include a person's name, address, Social Security number, driver's license number, date of birth, and biometric data (such as fingerprints or facial recognition data). PII is considered sensitive information and must be protected by organizations in accordance with data privacy laws and regulations.
PHI (Personal Health Information)
Personal health information (PHI) refers to any information related to an individual's physical or mental health condition, the provision of healthcare, or payment for healthcare that can be used to identify the individual. This can include information such as a person's medical history, lab results, treatment plans, and insurance information. PHI is protected by federal and state laws, such as the Health Insurance Portability and Accountability Act (HIPAA) in the US and the Personal Health Information Act (PHIA) in Manitoba, Canada, which set standards for the protection and confidentiality of PHI. It is important to ensure that PHI is kept secure and only shared with authorized individuals or entities.
PCI DSS (Payment Card Industry Data Security Standard)
PCI DSS stands for Payment Card Industry Data Security Standard. It is a set of security standards created by major credit card companies (Visa, MasterCard, American Express, Discover, and JCB) to ensure that all businesses that accept, process, store, or transmit credit card information maintain a secure environment. It includes a set of requirements for security management, policies, procedures, network architecture, software design, and other critical protective measures. Organizations that handle credit card information are required to comply with PCI DSS. Failure to comply can result in fines, penalties, and the loss of the ability to accept credit card payments.
List of Labels/Tags used at HPG
- Public
- General
- Highly Confidential
- Sensitive (Sub Label: HPG Sensitive Data)
Table showing the labels, sensitivity order and scope (For IT documentation)
| Label | Order of priority | Scope |
| --- | --- | --- |
| Public | | File, Email, Site, Unified Groups |
| General | 1 | File, Email, Site, Unified Groups |
| Highly Confidential | 2 | File, Email, Site, Unified Groups |
| Sensitive | 3 | File, Email, Site, Unified Groups |
| Sub label (HPG Sensitive Data) | 4 | File, Email, Site, Unified Groups |
Definition of HPG Tags:
Public: Business data that is specifically prepared and approved for public consumption.
General: Business data not intended for public consumption should be assigned the General label. However, this can be shared with external partners as needed. Examples include a company internal telephone directory, organizational charts, internal standards, and most internal communication.
Highly Confidential: Sensitive business data that could cause damage to the business if shared with unauthorized people. Examples include contracts, security reports, financial forecasts, and sales data.
Sensitive: Sensitive business data that could cause damage to the business if shared with unauthorized people. Examples include employee information, customer information, address, social security or credit card numbers, passwords, source code, and pre-announced financial data or reports.
What do we tag at HPG?
At HPG, our goal is to tag every single document and keep track of our company's data. The sensitivity label has been designed and configured to help users tag company data and information with just a click in Excel, Word and Outlook. In addition, we have configured an auto-labeling/tagging policy that detects sensitive information in Word, Excel, OneDrive and SharePoint.
Note: Auto Sensing only works for users with a Microsoft E5 License.
Examples of the information/data we will be tagging include:
- U.S. Social Security Number (SSN)
- Employee's Address
- U.S. Individual Taxpayer Identification Number (ITIN)
- U.S. Driver's License Number
- U.S. Bank Account Number
- U.S. / U.K. Passport Number
- EU Passport Number
- EU Driver's License Number
- EU Debit Number
- Credit Card Number
- Client Secret / API Key
- Canada Passport Number
- Canada Health Service Number
- Canada Personal Health Identification Number (PHIN)
- Canada Driver License Number
- Canada Bank Account Number
- Generic Medication names
- General Symmetric Key
- ABA Routing Number
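How checksum validation keeps an auto-labeling rule from firing on every long digit string, shown for three of the types listed above. This is an added example, not HPG's policy or Microsoft's detection logic; the regular expressions, function names and sample text are constructed for illustration.

```python
import re
from collections import Counter

# Simplified candidate patterns (assumptions for this example, not Microsoft's
# sensitive information type definitions).
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")  # 13-19 digits, optional separators
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
ABA_RE = re.compile(r"\b\d{9}\b")

def luhn_ok(digits):
    """Luhn checksum carried by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def aba_ok(digits):
    """ABA routing number checksum: weights 3, 7, 1 repeated, sum divisible by 10."""
    return sum(int(c) * w for c, w in zip(digits, (3, 7, 1) * 3)) % 10 == 0

def ssn_ok(area, group, serial):
    """Reject values never issued as SSNs: area 000/666/9xx, group 00, serial 0000."""
    return (area not in ("000", "666") and area[0] != "9"
            and group != "00" and serial != "0000")

def scan(text):
    """Return {information type: count}, counting only matches that pass validation."""
    hits = Counter()
    for m in CARD_RE.finditer(text):
        if luhn_ok(re.sub(r"\D", "", m.group())):
            hits["Credit Card Number"] += 1
    for m in SSN_RE.finditer(text):
        if ssn_ok(*m.groups()):
            hits["U.S. Social Security Number (SSN)"] += 1
    for m in ABA_RE.finditer(text):
        if aba_ok(m.group()):
            hits["ABA Routing Number"] += 1
    return dict(hits)

def suggested_label(text):
    """Suggest the page's 'Sensitive' label when any validated type is present."""
    return "Sensitive" if scan(text) else None

# Constructed sample: each valid value is followed by a look-alike that fails validation.
SAMPLE = ("Card 4111 1111 1111 1111, order ref 4111 1111 1111 1112, "
          "SSN 123-45-6789, placeholder 000-12-3456, "
          "routing 123456780, invoice 123456789")
```

Each look-alike in the sample matches its pattern but fails the checksum or range check, so a pattern-only rule would have counted twice as many hits.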
How to use Sensitivity Labels in Microsoft Excel, Word & Outlook
Microsoft Word:
Applying sensitivity labels to a document is easy and straightforward. Open your Word document, whether it's an existing document or a new one. The Sensitivity tab is located near the top right corner in the Home section. (See image below)
Click the drop-down; it shows the list of Sensitivity Labels mentioned earlier. (See image below)
Hover your mouse over a sensitivity label without clicking or selecting it. The definition of the sensitivity label under the mouse pointer will be shown.
Applying Labels:
Public:
When a Public Label is applied, there will be a footer at the bottom left corner that indicates that the document is labeled as a public document.
General:
When a General Label is applied, there will be a footer at the bottom left corner that indicates that the document is labeled as a general document.
Highly Confidential:
When a Highly Confidential Label has been applied to a Word document, it will prompt the owner of the document to assign permission/access to other users that might need access to that document. If access is not given to a user, the user will be unable to view the document. Files that are labeled as Highly Confidential cannot be printed or screenshared over a Teams/Zoom meeting because they are highly encrypted.
Note: This also applies to Microsoft Excel
When the Highly Confidential Label is clicked, the permission or access tab will pop up on the screen: (See image below)
This pop-up screen will enable the owner to assign Read/Write Permission:
- Click on Restrict permission to this document and enter the email of the user you want to give access to in the Read/Change box. Access can also be given only to people within the organization.
Clicking on More Options allows you to set more restrictions on the document.
When the Highly Sensitive label is applied to a document, it adds a watermark similar to the image below.
Sensitive Labels: HPG Sensitive Data (It’s the same thing)
When a Sensitive Label is applied, there will be a watermark across the page and a header at the top left corner that indicates that the document is labeled as Sensitive. The Sensitivity Label will auto-detect information such as credit cards, driver licenses and health information, and will suggest that the user apply this Sensitive label. (Auto detection only works for users with a Microsoft E5 License.)
Note: This also applies to Microsoft Excel
When a Sensitive Label is applied, it will look like the image below:
When auto-detect picks up sensitive information:
Microsoft Excel:
Applying sensitivity labels in Microsoft Excel is like applying labels in Microsoft Word. The Sensitivity tab appears close to the top right corner of the Home tab. Click the drop-down and apply labels. The labels are the same as in Word documents, with the same definitions.
In Excel, applying the General, Highly Confidential or Sensitive label will prevent the user from auto-saving the document. The user will get this warning message when one of these labels is applied.
Note: Auto save will work on documents with the Public Label applied.
Excel documents with the Highly Confidential Label applied will have two warnings at the top.
Sensitivity labels in Microsoft Excel don't support the watermark, header or footer. If a user wants to know the label applied to a document, it is shown in the bottom right corner of the page.
Microsoft Outlook
Labels can also be applied to emails before they are sent. In Outlook, the Sensitivity Label tab is located close to the right side of the Message tab.
Click on New Emails > Select the Label before sending out the email.
When a label is selected, the definition of the label applied to the email will be shown at the top of the Outlook page.
Emails with the General, Highly Confidential or Sensitive Label applied can only be sent within the organization. Emails labeled as Highly Confidential cannot be forwarded, printed or screen shared over a call/meeting.
Sensitivity Labels will also label files in OneDrive for those with sufficient licensing.