Implementing a data classification scheme in your organization, to be leveraged in either Azure Information Protection (AIP) or Sensitivity labels, requires several teams to come together to complete the setup. For the technical team to configure AIP labels in the Azure Portal or Sensitivity labels in the Compliance Center, they need some key pieces of information from the Information Management team.
I’ve prepared a OneNote notebook as a template for the two teams to collaborate on while they gather these key pieces of information. I’ve made it editable so feel free to not only download it (export to a .onepkg file format), but to also contribute to its content for anything you think is missing. My advice for your copy of the OneNote is to make it a living notebook where you not only document the original configuration for your own organization, but ongoing changes as they occur in your environment.
The OneNote includes 2 sections. The first is for an organization’s Global Policy and the second is for an organization’s Scoped Policies (an organization can have several of these). I’ll describe each section in sequence below.
[Update February 2020] The content of the Notebook can be used whether you’re rolling out Sensitivity labels or AIP labels in your organization.
Global Policy AIP Labels
A Global Policy is the default policy for all users in your tenant. Your default label classification scheme will be published through this policy.
Below are the questions I’ve included in the OneNote within the Global Policy section using Microsoft’s own Sensitivity Classification label names as examples: Public, General, Confidential, Highly Confidential. Each label is a separate page in the OneNote:
- What is your organization’s default label scheme? Provide the label names.
- For each label in the Global Policy:
  - Label name and color (not applicable for Sensitivity labels)
  - Label description (short) – shows in Office clients. Make it good! 🙂
  - Label description (long) – used for more in-depth documentation
  - Examples of content that would have this label
  - Is there a footer, header, or watermark you want to apply for the label?
  - Is this a default label?
  - Are there any security controls for this label? Example: will the label restrict to specific users/groups? Will access expire after ‘x’ days?
  - Should this label be automatically applied based on certain sensitive content?
    - If yes, will you allow end-users to override the label classification?
      - If yes, who will monitor the label overrides?
Scoped Policies AIP Labels
A Scoped Policy is targeted to specific users/groups in your organization, ensuring only they can see the labels you’ve published in the policy. Scoped policies are optional and would only be used if there is a requirement in your organization to restrict labels in this way. An example would be a Secret Merger project where only specific people in your organization would be allowed to see and use the labels. If your organization has chosen to implement scoped policies, the Information Management team must answer some questions for each label within a scoped policy. (A scoped policy can contain multiple scoped labels, but all labels within the policy must be scoped to the same set of users/groups.)
Below are the questions I’ve included in the OneNote within the Scoped Policies section (one page per scoped policy):
- What is the scoped policy name and description?
- What is the scoped label name and description?
- Is it a “sub-label” of another label? Example: will it show under the Confidential label?
- Who is it scoped to? It can be a user or AD group.
- When should it be removed (unpublished) so it is no longer visible for end-users to select?
- Who in the organization “owns” this label from a governance perspective? This might be the person who can review these settings from the business.
Documentation is a good thing!
This OneNote notebook will help bridge the gap between the Information Management team and the Azure Technical team when configuring AIP labels. Whether you’re using the new unified labels (Sensitivity labels) or the classic AIP labels, having your current AIP configuration documented will certainly help with the transition.
If there are any additional questions you ask your Information Management teams, please update the OneNote.
Thanks for reading.