Data Loss Prevention
Data Loss Prevention covers backups, policy, and procedures.
-
Microsoft 365: DLP, Content Tagging, Information Protection
Content Tagging / Sensitivity Label

What are Sensitivity Labels?

Sensitivity labels are labels that may be used to identify or reveal information about a company's or an individual's sensitive characteristics. These labels can be used to protect the privacy of the company's data, customers and employees if handled appropriately.

Types of Sensitive Information

PII (Personally Identifiable Information)

Personally Identifiable Information (PII) is any information that can be used to identify a specific individual. Examples of PII include a person's name, address, Social Security number, driver's license number, date of birth, and biometric data (such as fingerprints or facial recognition data). PII is considered sensitive information and must be protected by organizations in accordance with data privacy laws and regulations.

PHI (Personal Health Information)

Personal health information (PHI) refers to any information related to an individual's physical or mental health condition, the provision of healthcare, or payment for healthcare that can be used to identify the individual. This can include information such as a person's medical history, lab results, treatment plans, and insurance information. PHI is protected by federal and state laws, such as the Health Insurance Portability and Accountability Act (HIPAA) in the US and the Personal Health Information Act (PHIA) of Manitoba, Canada, which set standards for the protection and confidentiality of PHI. It is important to ensure that PHI is kept secure and only shared with authorized individuals or entities.

PCI DSS (Payment Card Industry Data Security Standard)

PCI DSS stands for Payment Card Industry Data Security Standard. It is a set of security standards created by major credit card companies (Visa, MasterCard, American Express, Discover, and JCB) to ensure that all businesses that accept, process, store, or transmit credit card information maintain a secure environment.
It includes a set of requirements for security management, policies, procedures, network architecture, software design, and other critical protective measures. Organizations that handle credit card information are required to comply with PCI DSS. Failure to comply can result in fines, penalties, and the loss of the ability to accept credit card payments.

List of Labels/Tags used at HPG

- Public
- General
- Highly Confidential
- Sensitive (Sub Label: HPG Sensitive Data)

Table showing the labels, sensitivity order and scope (For IT documentation)

| Label | Order of priority | Scope |
|---|---|---|
| Public | Lowest | File, Email, Site, Unified Groups |
| General | 1 | File, Email, Site, Unified Groups |
| Highly Confidential | 2 | File, Email, Site, Unified Groups |
| Sensitive | 3 | File, Email, Site, Unified Groups |
| Sub label (HPG Sensitive Data) | 4 | File, Email, Site, Unified Groups |

Definition of HPG Tags:

- Public: Business data that is specifically prepared and approved for public consumption.
- General: Business data not intended for public consumption should be assigned the General label. However, this can be shared with external partners as needed. Examples include a company internal telephone directory, organizational charts, internal standards, and most internal communication.
- Highly Confidential: Sensitive business data that could cause damage to the business if shared with unauthorized people. Examples include contracts, security reports, financial forecasts, and sales data.
- Sensitive: Sensitive business data that could cause damage to the business if shared with unauthorized people. Examples include employee information, customer information, address, social security or credit card numbers, passwords, source code, and pre-announced financial data or reports.

What do we tag at HPG?

At HPG, our goal is to tag every single document and keep track of our company's data. The sensitivity label tag has been designed and configured to help users tag the company's data and information with just a click in Excel, Word and Outlook.
In addition to that, we have also configured an auto-labeling/tagging policy that detects sensitive information in Word, Excel, OneDrive and SharePoint.

Note: Auto Sensing only works for users with a Microsoft E5 License.

Examples of the information/data we will be tagging include:

- U.S. Social Security Number (SSN)
- Employees Address
- U.S. Individual Taxpayer Identification Number (ITIN)
- U.S. Driver's License Number
- U.S. Bank Account Number
- U.S. / U.K. Passport Number
- EU Passport Number
- EU Driver's License Number
- EU Debit Number
- Credit Card Number
- Client Secret / API Key
- Canada Passport Number
- Canada Health Service Number
- Canada Personal Health Identification Number (PHIN)
- Canada Driver License Number
- Canada Bank Account Number
- Generic Medication names
- General Symmetric Key
- ABA Routing Number

How to use Sensitivity Labels in Microsoft Excel, Word & Outlook

Microsoft Word:

Applying sensitivity labels to a document is easy and straightforward. After you open a Word document, whether it's an existing document or a new one, the Sensitivity tab can be located near the top right corner in the Home section. (See image below)

Click the drop-down; it shows you the list of Sensitivity Labels mentioned earlier. (See image below)

Hover your mouse over a sensitivity label without clicking or selecting it. The definition of the sensitivity label you are hovering over will be shown.

Applying Labels:

Public: When a Public Label is applied, there will be a footer at the bottom left corner that indicates that the document is labeled as a public document.

General: When a General Label is applied, there will be a footer at the bottom left corner that indicates that the document is labeled as a general document.

Highly Confidential: When a Highly Confidential Label has been applied to a Word document, it will prompt the owner of the document to assign permission/access to other users that might need access to that document.
If access is not given to a user, the user will be unable to view the document. Files that are labeled as Highly Confidential cannot be printed or screen shared over a Teams/Zoom meeting because they are highly encrypted.

Note: This also applies to Microsoft Excel.

When the Highly Confidential Label is clicked, the permission or access tab will pop up on the screen: (See image below)

This pop-up screen will enable the owner to assign Read/Write Permission:

- Click on Restrict permission to this document and enter the email of the user you want to give access to in the Read/Change box.
- Access could also be given to only people within the organization.
- Clicking on More Options allows you to set more restrictions on the document.

When the Highly Sensitive label is applied to a document, it will add a watermark similar to the image below.

Sensitive Labels: HPG Sensitive Data (It’s the same thing)

When a Sensitive Label is applied, there will be a watermark across the page and a header at the top left corner that indicates that the document is labeled as Sensitive. The Sensitivity Label will auto-detect information such as credit cards, driver license and health information, and will auto-suggest that the user apply this Sensitive label. (Auto detection only works for users with a Microsoft E5 License.)

Note: This also applies to Microsoft Excel.

When a Sensitive Label is applied it will look like the image below:

When auto-detect picks up sensitive information:

Microsoft Excel:

Applying sensitivity labels in Microsoft Excel is like applying labels in Microsoft Word. The Sensitivity tab appears close to the top right corner of the Home tab. Click the drop-down and apply labels. The labels are the same as in a Word document, with the same definitions.

In Excel, applying General, Highly Confidential and Sensitive labels will prevent the user from auto-saving the document. The user will get this warning message when one of these labels is applied.
Note: Auto save will work on documents with the Public Label applied.

Excel documents with the Highly Confidential Label applied will have two warnings at the top.

Sensitivity labels in Microsoft Excel don’t support the watermark, header or footer. If a user wants to know the label being applied to a document, it will be shown at the bottom right corner of the page.

Microsoft Outlook

Labels can also be applied to emails before they are sent. In Outlook, the Sensitivity Label tab is located close to the right side of the Message tab.

Click on New Emails > Select the Label before sending out the email.

When a label is selected, the definition of the label applied to the email will be shown at the top of the Outlook page.

Emails with the General, Highly Confidential and Sensitive Labels applied can only be sent within the organization. Emails labeled as Highly Confidential cannot be forwarded, printed or screen shared over a call/meeting.

Sensitivity Labels will also label files in OneDrive for those with sufficient licensing.
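
For IT staff, one way to check that the labels published in the tenant still match the table of labels, priority and scope above (an added example, not HPG's own script). It assumes "Lowest" means priority 0, that "Unified Groups" corresponds to the ContentType value UnifiedGroup, and that label objects from Get-Label carry DisplayName, Priority, ContentType, Guid and ParentId; the sample objects are constructed so the check runs offline.

```powershell
# Baseline from the label table. Assumptions: "Lowest" means priority 0 and
# "Unified Groups" corresponds to the ContentType value UnifiedGroup.
$ExpectedScope = 'File', 'Email', 'Site', 'UnifiedGroup'
$Baseline = @(
    @{ DisplayName = 'Public';              Priority = 0; Parent = $null }
    @{ DisplayName = 'General';             Priority = 1; Parent = $null }
    @{ DisplayName = 'Highly Confidential'; Priority = 2; Parent = $null }
    @{ DisplayName = 'Sensitive';           Priority = 3; Parent = $null }
    @{ DisplayName = 'HPG Sensitive Data';  Priority = 4; Parent = 'Sensitive' }
)

function Compare-LabelBaseline {
    param([object[]]$Labels, [hashtable[]]$Expected, [string[]]$Scope)
    $want  = ($Scope | Sort-Object) -join ','
    $names = $Expected | ForEach-Object { $_.DisplayName }
    foreach ($e in $Expected) {
        $l = $Labels | Where-Object { $_.DisplayName -eq $e.DisplayName } | Select-Object -First 1
        if (-not $l) { "MISSING: $($e.DisplayName)"; continue }
        if ($l.Priority -ne $e.Priority) {
            "PRIORITY: $($e.DisplayName) is $($l.Priority), documented $($e.Priority)"
        }
        # ContentType may arrive as a comma-separated string or as a list.
        $have = ("$($l.ContentType)" -split '[,\s]+' | Where-Object { $_ } | Sort-Object) -join ','
        if ($have -ne $want) { "SCOPE: $($e.DisplayName) is '$have', documented '$want'" }
        # A sub label points at its parent through ParentId.
        $parent = ($Labels | Where-Object { $l.ParentId -and $_.Guid -eq $l.ParentId } |
            Select-Object -First 1).DisplayName
        if ($parent -ne $e.Parent) { "PARENT: $($e.DisplayName) is under '$parent'" }
    }
    # Labels that exist in the tenant but are missing from the documentation.
    $Labels | Where-Object { $_.DisplayName -notin $names } |
        ForEach-Object { "UNDOCUMENTED: $($_.DisplayName)" }
}

# Constructed sample standing in for Get-Label output: General has lost two
# scopes and an extra label exists that the table does not mention.
$all = 'File, Email, Site, UnifiedGroup'
$sid = [guid]::NewGuid()
$sample = @(
    [pscustomobject]@{ DisplayName = 'Public'; Priority = 0; ContentType = $all; Guid = [guid]::NewGuid(); ParentId = $null }
    [pscustomobject]@{ DisplayName = 'General'; Priority = 1; ContentType = 'File, Email'; Guid = [guid]::NewGuid(); ParentId = $null }
    [pscustomobject]@{ DisplayName = 'Highly Confidential'; Priority = 2; ContentType = $all; Guid = [guid]::NewGuid(); ParentId = $null }
    [pscustomobject]@{ DisplayName = 'Sensitive'; Priority = 3; ContentType = $all; Guid = $sid; ParentId = $null }
    [pscustomobject]@{ DisplayName = 'HPG Sensitive Data'; Priority = 4; ContentType = $all; Guid = [guid]::NewGuid(); ParentId = $sid }
    [pscustomobject]@{ DisplayName = 'Draft'; Priority = 5; ContentType = $all; Guid = [guid]::NewGuid(); ParentId = $null }
)
Compare-LabelBaseline -Labels $sample -Expected $Baseline -Scope $ExpectedScope
# Live tenant, after Connect-IPPSSession: pass (Get-Label) as -Labels instead.
```

An empty result means the tenant matches the documented table; each output line names one label that has drifted and how.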
-
Microsoft 365: Encrypting Email Within Outlook Desktop
When you need to send or request information of a sensitive nature via email, it is important that you enable encryption on your message. Enabling encryption on the message enforces additional security policies that require all participants of the message chain to verify that they are who they say they are and that they are permitted to access the message chain along with any of its content.

This guide will show you how to encrypt an email message within the Microsoft Outlook Desktop application. This process can also be done using the Microsoft Outlook Web application.

Before you begin:

Before sending encrypted messages, it is a good idea to inform your intended recipients that they should expect an encrypted message that will require more authentication to access than a normal email.

How To:

1. Start by creating a new message or replying to an existing message.
2. Click the Options tab on the Ribbon of Outlook.
   Note: If you are replying, you may need to click "Pop Out" to edit your reply in a dedicated window.
3. Under Options > Encrypt, select Encrypt Only or Do Not Forward.
   - Encrypt-Only: This is the default option, but it allows messages to be forwarded to others and is not as secure as Do Not Forward. This option is acceptable for most situations.
   - Do Not Forward: This option is more secure and disables the ability for participants to forward the message chain to another person. Use this to ensure confidentiality when the situation requires it.
4. Compose your message as you normally would for any other email.
5. Send the message to the intended recipients.

Warning: Encrypted email cannot be recalled. Verify recipients before clicking send.

Your recipients will receive the encrypted message and, depending on their own email system, will need to perform a verification process to confirm they are the intended recipient.

There are certain circumstances where a recipient is not able to open the encrypted email.
In all cases this is caused by the recipient's environment. One example may be that they are forwarding email from one mailbox to another. Another is that they are receiving an email message in a non-Microsoft 365 mailbox, but their web browser is logged into a Microsoft 365 account that is not associated with the mailbox where the message is received.

If the customer is not able to open the encrypted message, ask if there is an alternative email address the encrypted email can be sent to. Phone or eFax is an alternative that should be used when encrypted emailing is not working.