Office 365: Classification and Retention Labels

As part of the Advanced Data Governance (ADG) suite of tools, Office 365 labels help you keep the data that is needed in your organization and disposes of information when it is no longer needed. Classifying content across Office 365 services entails the use of Office 365 labels. These labels are used for records management and follow governance rules as laid out by the organization and by legal authorities.

Three components comprise Advanced Data Governance:

Labels: fall under two types: sensitivity labels and retention labels (both originally were called classification labels but with the updated Office 365 UI, they have been renamed). These are used to classify the information for governance purposes. A retention policy can be associated with a label.

Retention: policies to ensure that data is not prematurely deleted but rather, once the content has reached the end of its retention period, one of three actions are triggered. Actions include: no action, delete content, or initiate a process for data review.

Supervision: assigns specific individuals to review and monitor email and third-party communications for the organization.

As collaboration is not rooted to a single location or with one source, organizations are relying upon security and compliance to ensure that data remains secure, especially when it roams with collaborators. With Office 365, this can be accomplished through the use of labels.

Sensitivity labels allows sensitive content to be labelled and protected without hindering productivity and collaboration between users from different organizations. Sensitivity labels can be used to:

1. Enforce protection settings, including encryption and watermarks, on labelled content;
2. Protect Office app content across platforms and devices;
3. Prevent sensitive data from leaving your organization on devices running Windows;
4. Extend sensitivity labels to apps and services of third-parties; and
5. Classify content without using protection settings.

Sensitivity labels classify data across your organization and enforce protection settings based on that classification.

How does a sensitivity label work? It operates similarly to tags in the sense that they are customizable, are presented in clear text, and are persistent.

Being customizable, different levels of sensitive content can be defined as categories. These include Public, Personal, General, Confidential, and Highly Confidential. Third-party apps and services can read the clear text, allowing them to apply protective actions as dictated. Once applied to content, the sensitivity labels persist in the metadata of the document or email which means that the label travels or roams with the content. The label becomes the basis for applying and enforcing policies as it includes the protection settings.

Protection settings for sensitive labels include:

1. Encryption on email and/or documents whereby specific users or groups can be granted permissions to perform actions and for how long;
2. Marking content through the use of watermarks, headers, or footers to documents or emails. Watermarks are confined to 255 characters and can only be applied to documents. Headers and footers are restricted to 1024 characters, with the exception of Excel with only 255 or fewer as it depends on what the workbook contains;
3. Prevent data loss with endpoint protection which works with all Windows devices; and
4. Automatically apply labels to sensitive data content as opposed to manually applying labels. With manual application, users are prompted to apply the recommended label whereas with auto-apply, the criteria will determine the label that is automatically applied.

When creating the sensitivity labels, it is important to list them in the right priority sequence. The most restrictive sensitivity label should appear at the bottom with the least restrictive at the top. For example, the top sensitivity can be Public with the last one being Highly Confidential. This list determines what is a lower classification should a user change the sensitivity label.

Creating Office 356 labels is a two-step process. The first step is to create the actual label which includes the name, description, retention policy, and classifying the content as a record. Once this is completed, the second step requires the deployment of a label using a labelling policy which specifies the specific location to publish and applying the label automatically.

To create an Office 365 label, following these steps:

1. Open Security and Compliance Centre;
2. Click on Classifications;
3. Click on Labels;
4. The label will require configuration including: name your label (Name), add a description for the admins (Description for Admins), add a description for the users (Description for Users);
5. Click Next once the configuration is completed;
6. Click Label Settings on the left-hand side menu;
7. The Label Settings will need to be configured. On this screen, you can toggle the Retention switch to either “on” or “off”. If you choose “on”, then you can answer the question “When this label is applied to content” with one of two options. The first option is to Retain the Content. From the pick boxes, you can choose the length of retention and upon the end of the retention, the action that will take place. The three actions are to delete the data, trigger an approval flow for review, or nothing can be actioned. The second option is to not retain the data after a specified amount of time or based on the age of the data; and
8. The label has now been created.

Upon completion of creating the label, the next step is to create a label policy. Sensitivity labels are published differently than retention labels. Sensitivity labels are published to users or groups and will appear in Office apps for users and groups. Retention labels are published to locations such as Exchange mailboxes.

With label policies, you can:

1. Choose the users and groups who will see the labels, including Office 365 groups, distribution groups, and email-enabled security groups;
2. Apply a default label, which becomes the base level of protection for all content, to all new documents and emails created by the groups and users that are included in the label policy;
3. Require justification for changing a label when a user wants to either remove the label or replace it with a lower classification. The admin will be able to review these justifications;
4. Mandatory labelling can be enforced to all users to sent emails or saved documents. The label can be manually assigned by the user, assigned by default (see above), or assigned automatically based on criteria; and
5. Help Link directing to a custom help page can be added for users.

To create a label policy, follow these steps:

1. Open Security and Compliance Centre;
2. Click on Data Governance, Retention;
3. Choose Label Policies box at the top of the screen; and
4. There are now two options. The first is to Publish Labels. If your organization wants its end users to apply the label manually, then this is the option you would choose. Note that this is location based. The second option is to Auto-apply Labels. With Auto-apply, you would have the ability to automatically apply a label when it meets the specified criteria.

Sublabels can also be defined and these sublabels will be seen by the user. Sublabels are a simple way of presenting labels to users in logical groups. Sublabels do not inherit any settings from the label they are under.

What if a sensitivity label is deleted from the Security and Compliance Center? Deleting the sensitivity label from the Security and Compliance Centre will not remove it from the content. The protection settings continue to be enforced on the content.

What if a sensitivity label is edited in the Security and Compliance Center? If a sensitivity label is edited in the Security and Compliance Center, the version of the label that was applied to the content will continue to be enforced. It will not change to the new settings.

Visually, this is the basic flow process for the admin, user, and Office app for using sensitivity labels:

Creating labels is a straight forward and easy process that provides detailed and complex information for the classification and retention of data, whether this data is static or dynamically roaming with collaborators. With increased mobility of collaboration, data integrity and security continue to be a focus. With Office 365 labels, classification and retention are steps that can be taken to ensure the security of data, including its deletion upon the end of its retention.