Common questions I hear from customers are whether they should configure a default sensitivity label and if they should make sensitivity labels required for all emails and documents when rolling out Microsoft Information Protection (MIP). My own firm even debated this before deciding on a strategy when we were rolling out MIP.
The concepts of default classification and required classification go hand in hand so let’s look at both. I’d like to also share an opinion here based on my experience in the Data Classification space and in helping customers roll out MIP. The short answer is that I typically recommend…
- YES, configure a default sensitivity label for all users when first rolling out MIP
- YES, make sensitivity labels required on all emails and documents when first rolling out MIP
Remember, this is one opinion, but I’d like to think its an informed one. 😊
Let me break it down a little.
Default Sensitivity Label
I usually recommend customers select a default label for their organization, and that they do so when first rolling out MIP. There are 2 reasons:
- MIP is primarily a user-based data classification tool, which means it allow users to select the classification that is applied to emails and documents. As such, sometimes you have content that is misclassified – this can happen due to:
- People sometimes cannot be bothered to select the right classification for their content
- People can sometimes be over-protective and always select the highest classification, “just in case”
- People can sometimes select the lowest classification, just to ensure their content can be shared with anyone they wish
- People can remove the classification, to remove protections that they may feel are not needed or desired (note: if required sensitivity labels are enabled this will not be possible)
Despite this, I believe most employees come to work and want to do the right thing. You’ll always get some that try to get around the rules, but I feel those are a very small minority.
With this in mind, having a default classification on all emails and documents means that, for new content, if that content has no classification, then it was likely removed by someone. If you have no default configured, then you have no idea whether it was simply never classified, or if someone removed the classification. Being able to tell the difference can be important over time, as you assess the effectiveness of your data classification program.
- This next point will depend on your organization, but in most, I find the vast majority of content is not sensitive. The majority of content are typically be every day emails or documents, exchanged with coworkers, as a matter of “regular business” or “business as usual”. You don’t necessarily want it to leave the organization, but you also won’t lose any sleep if it does. You typically don’t want it protected either because that makes working with it or sharing it harder.
With this in mind, by configuring a default sensitivity label, MIP will automatically classify the majority of content in your organization for you. This will then lessen the overall impact of rolling out MIP to your users because the majority of their content will automatically have a classification.
- If you are using Sublabels, you can select a Sublabel as your default. However, you should not select a parent label, because it will not get applied.
- Do not select a Sensitivity label that applies encryption as your default. There is nothing stopping you from doing so, however, doing so will very likely encrypt far more content than you are expecting and inadvertently make it harder for users to legitimately share content.
Overall, to me, configuring a default sensitivity label is like pulling off a Band-Aid. When rolling out a solution like MIP, you ultimately want the majority, if not all, of your content to be classified. To effectively do this, you need that majority of content I mentioned to also be classified – all that not-really-sensitive/day-to-day stuff (I know… depends on the org). This tends to be most effectively applied through a default label. I find its least impactful to users if you select a default when first rolling it out, as opposed to selecting a default later, if you find users are not selecting sensitivity labels in many cases.
Configuring a Default Sensitivity Label
Administrators configure a default label when they configure a sensitivity label policy. Remember, rolling out sensitivity labels is a 2-step process:
- Configure ‘sensitivity labels’ with the appropriate settings
- Configure a ‘sensitivity label policy’ to publish a set of sensitivity labels to your users
A default label is selected in Step 2, when a label policy is configured to publish labels – one of those labels you are publishing gets selected as the default. That default then applies to all documents and emails a user creates.
You can select a different default for different users or group by configuring multiple sensitivity label policies. However, each user gets 1 default for both their emails and documents; they cannot have a default for emails and a different default for documents.
Required Sensitivity Label
I do recommend that sensitivity labels are required for all emails and documents, and that they include this as part of the initial MIP roll out. In combination, I also recommend that organizations makes a firm policy decision and announcement that going forward all emails and documents must be classified with a sensitivity label, as part of a robust Organizational Change Management (OCM) program.
My point here is that this policy decision needs to be firm, and the statement from management to users needs to be clear and decisive.
Tell them what the MIP policy is, tell them why, tell them the policy again, and…
then tell them again! Tell them often and make the message clear!
The primary reason is that if you want to enable all your staff to be a key part of your organization’s security strategy, you need them:
- All classifying all of their content all the time
- All understanding why this is important
- All being advocates for how the organization protects its information
To effectively move users to be strong advocates, they need to classify their content as part of their regular work day. Over time, it should feel uncomfortable if they send or share content that is not classified. By making sensitivity labels required, you are helping them to either see or select that classification in their emails and documents every day.
If there is confusion about whether classification is required or not, or if a clear message is not shared with users as part of an OCM program, then users will be confused, many will not classify their content, they will not become advocates and adoption of the solution will be negatively impacted.
Configuring Required Sensitivity Labels are Required
As with default labels, selecting whether a sensitivity label is required or not for end users is configured as part of a sensitivity label policy: it’s a single checkbox that’s selected as part of the policy, and published to users along with a set of sensitivity labels.
Key Messages in Organizational Change Management
There are a lot more settings to consider when rolling out MIP, which I’ll cover in a future post.
However, a key point to leave you with is that a successful MIP deployment requires a robust OCM program, with communications, training and champions to help users understand why the organization is rolling out MIP and how its people are an important part of its security strategy. Understanding the selected sensitivity default and why it is required needs to be a key part of that messaging.