Blog post: 2 minute read
To implement a data classification scheme in your organization to be leveraged in either Azure Information Protection (AIP) or Sensitivity labels, there are several teams that need to come together to complete the required setup. For the technical team to configure AIP labels in the Azure Portal or Sensitivity labels in the Compliance Center, they need some key pieces of information from the Information Management team.
I’ve prepared a OneNote notebook as a template for the two teams to collaborate on while they gather these key pieces of information. I’ve made it editable so feel free to not only download it (export to a .onepkg file format), but to also contribute to its content for anything you think is missing. My advice for your copy of the OneNote is to make it a living notebook where you not only document the original configuration for your own organization, but ongoing changes as they occur in your environment.
The OneNote includes 2 sections. The first is for an organization’s Global Policy and the second is for an organization’s Scoped Policies (an organization can have several of these). I’ll describe each section in sequence below.
[Update February 2020] The content of the Notebook can be used whether you’re rolling out Sensitivity labels or AIP labels in your organization.
Global Policy AIP Labels
A Global Policy is the default policy for all users in your tenant. Your default label classification scheme will be published thru this policy.
Below are the questions I’ve included in the OneNote within the Global Policy section using Microsoft’s own Sensitivity Classification label names as examples: Public, General, Confidential, Highly Confidential. Each label is a separate page in the OneNote:
- What is your organization’s default label scheme? Provide the label names.
- For each label in the Global Policy:
- Label name and color (not applicable for Sensitivity labels)
- Label description (short) – shows in Office clients. Make it good! 🙂
- Label description (long) – used for more in-depth documentation
- Examples of content that would have this label
- Is there a footer, header, or watermark you want to apply for the label?
- Is this a default label?
- Are there any security controls for this label? Example: will the label restrict to specific users/groups? Will access expire after ‘x’ days?
- Should this label be automatically applied based on certain sensitive content?
- If yes, will you allow end-users to override the label classification?
- If yes, who will monitor the label overrides?
Scoped Policies AIP Labels
A Scoped Policy is targeted to specific users/groups in your organization ensuring only they can see the labels you’ve published in the policy. These are optional and would only be used if there is a requirement in your organization to restrict labels in this way. An example would be for a Secret Merger project where only specific people in your organization would be allowed to see and use them. If your organization has chosen to implement scoped policies, the Information Management team must answer some questions for each label within one. (A scoped policy can contain multiple scoped labels, but all labels within the policy must be scoped to the same set of users/group)
Below are the questions I’ve included in the OneNote within the Scoped Policies section (one page per scoped policy):
- What is the scoped policy name and description?
- What is the scoped label name and description?
- Is it a “sub-label” of another label? Example: will it show under the Confidential label?
- Who is it scoped to? It can be a user or AD group.
- When should it be removed (unpublished) so it is no longer visible for end-users to select?
- Who in the organization “owns” this label from a governance perspective? This might be the person who can review these settings from the business.
Documentation is a good thing!
This OneNote notebook will help bridge the gap between the Information Management team and the Azure Technical team when configuring AIP labels. Whether you’re using the new unified labels (Sensitivity labels) or the classic AIP labels, having your current AIP configuration documented will certainly help with the transition.
If you have any additional questions you ask your Information Management teams, please update the OneNote.
Thanks for reading.
-JCK
Credit: Photo by Dose Media on Unsplash
Thank you for sharing this! I am struggling a little bit to actually save or copy your pages / sections / notebook and then make it my own. Are the permissions set in some way to prevent that on purpose? The post implies you want to allow that to happen, right?
Yes, I want you to be able to edit my OneNote directly(can you do that?) but you should also be able to download it from there (I think). It could be that I need to create a .onepkg file for you to download, but I’d rather you download the “live” copy so you get all the changes. Let me work with it a bit.
When you have it open in the OneNote client, you can go to File…Export… select Notebook and the OneNote Package format. That should do the trick for you. Let me know if that works.
Hi JCK
Getting error accessing the onenote:
This link has been removed.
Sorry, access to this document has been removed. Please contact the person who shared it with you.
Hi taenkeren,
Sorry about that. Can you try it again please? Kindly reply back either way. Thanks!!
Hi, can you re-enable the link to the onenote?
HI Jonas – I’ve updated the link. Can you please confirm you have access? Thanks.
Hi – It looks like the link timing has expired, and you cannot download the OneNote resource now. Can you re-enable it so I might gain access? Thanks for all that you do – much appreciated!
Hi Mike,
I’ve updated the link – sorry about the delay in doing so. Please give me a shout if the link still isn’t working for you!
-JCK
Do you know if Microsoft will offer an option in the near furture for users to classify and label their OneNote data or if I can setup auto labels or classifiers for One note data?
Hi! I don’t know. Great question for the public AIP Public yammer group. The product group can respond to questions on there. Link: https://www.yammer.com/askipteam
-JCK