Changes to security classification and records retention in Office 365

In May 2016, I wrote about the creation of security classification labels in the Azure Information Protection (AIP) portal (old post here). Quite a bit has changed since that post, in particular the naming of policies, away from the ‘High’ to ‘Low’ Business Impact scale (HBI to LBI) towards real-world words such as ‘General’ and ‘Highly Confidential’.

In October 2017, I wrote about the new retention policies that could be applied to all Exchange, SharePoint and OneDrive content in Office 365.

Changes to the Security and Compliance admin portal – Classifications section

On 23 February 2018, Microsoft’s Adam Jung posted a new article to the Microsoft Tech Community titled ‘Consistent labeling and protection policies coming to Office 365 and Azure Information Protection’.

The main outcome of this change is that information security protection and records retention policies, linked with Data Loss Prevention (DLP) policies, are created from a single interface in the Security and Compliance admin centre > Classifications section (Labels). Policies set in Office 365 are then synced to Azure Information Protection (and vice versa).

To quote the Microsoft blog: ‘The upcoming experience means that the same default labels can be used in both Office 365 and Azure Information Protection, and the labels you create in either of these services will automatically be synchronized across the other service – no need to create labels in two different places!’

This post looks at the changes and some potential issues that may arise.

Security and Compliance Admin Portal – Classifications

Records retention policies for Office 365 content are set as labels in the Security & Compliance Admin portal of Office 365 under Classifications – Labels.

The Classifications area also includes a section for ‘Sensitive Information Types’, which simply lists a range of information types that are also used for DLP policies.

Note: Access to that Admin portal is restricted by default to Global Admins and anyone assigned to a specific security role. Records managers in organisations that have or are deploying Office 365 should have access to this feature.

Setting (Records Retention) Classification Labels

The options for setting a records retention label were described in detail in my post above, but for reference again, they are:

  • Name
  • Label settings
    • Disabled or enabled (off/on)
    • When enabled, the ability to set (a) a retention period, and (b) an action when the period expires.
    • Alternatively, it is possible to just delete content when it’s older than a given time.
    • An option also allows the content to be classified as a ‘record’ when the label is applied, providing further protection against deletion, for example.
  • Review your settings
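The same retention label options can also be set from Security & Compliance PowerShell rather than the portal. The following is an added example, not code from the original post or from Microsoft; it assumes you are already connected to Security & Compliance PowerShell (for example with Connect-IPPSSession from the ExchangeOnlineManagement module), and the label names and periods are constructed for illustration.

```powershell
# Added example (not from the original post): create retention labels with the
# options described above using the New-ComplianceTag cmdlet.
# Assumes an existing Security & Compliance PowerShell session (e.g. Connect-IPPSSession).
# Label names and retention periods below are constructed for illustration only.

# Enabled label with (a) a retention period and (b) an action when the period
# expires: keep for 7 years from creation, then delete. -IsRecordLabel marks
# the content as a 'record' when the label is applied, so it cannot be deleted
# or edited before the period expires.
New-ComplianceTag -Name "Financial Records - 7 years" `
    -Comment "Constructed example: keep 7 years from creation, then delete" `
    -RetentionAction KeepAndDelete `
    -RetentionDuration 2555 `
    -RetentionType CreationAgeInDays `
    -IsRecordLabel $true

# Alternative described above: just delete content once it is older than a
# given time (here one year since last modification), with no retention hold.
New-ComplianceTag -Name "Working Paper - 1 year" `
    -Comment "Constructed example: delete when older than one year" `
    -RetentionAction Delete `
    -RetentionDuration 365 `
    -RetentionType ModificationAgeInDays

# 'Review your settings': list every label with its key retention properties
# so a records manager can verify periods and record status in one view.
Get-ComplianceTag |
    Select-Object Name, RetentionAction, RetentionDuration, RetentionType, IsRecordLabel |
    Format-Table -AutoSize
```

A label created this way is not yet applied anywhere; as in the portal, it still has to be published to Exchange, SharePoint and OneDrive locations through a label policy before users see it.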

Merging of label options – Retention and Security together in a single label

The primary change to classifications is the inclusion of new options when you choose to ‘Create a Label’.

These options are now:

  • Label name
  • Protection settings (e.g., information security)
  • Retention settings
  • Advanced options settings
  • Review your settings

These options are described below.

[Screenshot: O365ClassificationLabelsMar2018.JPG – the ‘Create a label’ options in the Security & Compliance admin centre]

The ‘Protection settings’ section includes the following options:

  • Enabled or disabled. (If disabled the next check box options do not appear)
  • Block users from sending email messages or sharing documents with this label
  • Show policy tip to users if they send or share labeled content (The text of the policy tip is editable)
  • Send incident reports in email
  • Advanced protection for content with this label (Customise settings option)

The ‘Retention settings’ are identical to the options already described above:

  • Disabled or enabled
  • Various settings when enabled.

The ‘Advanced options settings’ section includes the following options:

  • Enabled or disabled. (If disabled the next check box options do not appear)
  • Add a watermark (text can be customised)
  • Add a header (text can be customised)
  • Add a footer (text can be customised)

The Microsoft article notes: ‘We are building labeling capabilities natively into the core Office apps – including Word, PowerPoint, Excel, and Outlook, and soon there will be no need to download or install any additional plug-ins.’ This comment references the problem of having to download a plug-in for the classification options to appear in installed versions of Office.

Does it make sense to merge security classifications and records retention?

In my opinion, putting information security and records retention policies in the same label doesn’t make sense.

Retention is almost never linked with the confidentiality (or otherwise) of the records but based on government or legislative requirements or business needs.

But that was probably not Microsoft’s intention; it was probably to make it as simple as possible to create and apply these policies.

It would have made more sense to have separate label options for ‘Retention policies’ and ‘Security policies’. This would potentially mean, however, having two labels (if a label is in fact required for retention purposes).

Organisations with complex retention policies might find that the mixing of both policies in the one view makes it harder to find the individual security related policies, and has the potential to cause some confusion.

For example, it could be hard to spot the Highly Confidential label in this listing if there were more than (say) 50 retention classes:

  • Client records – 7 years
  • Confidential
  • Financial Records – 7 years
  • Highly Confidential
  • Internal Use Only
  • Meeting Records – 3 years
  • Working Paper – 1 year

It also raises the question (which I have asked and will update this post if I receive a response) as to whether two policies can (or should) be applied on a document.

If two labels cannot be applied, this could mean that organisations have to have even more labels to take account of the various combinations. For example:

  • General Financial Records – 7 years
  • Confidential Financial Records – 7 years
  • Highly Confidential Financial Records – 7 years

Not to mention the link to DLP policies, although that doesn’t appear as a label.

In my opinion, combining these two options, while perhaps making it easier at the ‘front end’, has the potential to create confusion for users, let alone complicate the administration of retention management.

Read the full Microsoft blog article at the link below:

https://techcommunity.microsoft.com/t5/Security-Privacy-and-Compliance/Consistent-labeling-and-protection-policies-coming-to-Office-365/ba-p/161553
