This article provides guidance for Australian Government organizations on sensitivity auto-labeling for non-Microsoft 365 locations, such as on-premises file shares. It's intended to help government organizations increase their security and compliance maturity while adhering to requirements outlined in the Protective Security Policy Framework (PSPF) and Information Security Manual (ISM).
Government organizations sometimes encounter situations where items that are outside of Microsoft 365 locations need to be labeled. Examples are when Government organizations:
- Inherit data residing in non-Microsoft 365 storage platforms as part of Machinery of Government (MoG) changes.
- Seek to transition from an on-premises platform to a SharePoint-based solution and need to move data as part of the migration.
- Need to maintain items outside of Microsoft 365 locations but still want to ensure that they're protected by label-based protections.
The preferred and recommended approach for data moved into Microsoft 365 locations is to utilize service-based auto-labeling to label items at rest, as discussed in Labeling existing items at rest.
Australian Government organizations sometimes encounter situations where items need to remain outside of Microsoft 365, such as when they need to remain on-premises or within an online storage platform (for example, blob storage). This article covers capabilities available to address these requirements.
The capabilities mentioned in this article can be used to identify Sensitive Information Types (SITs) within files. The SITs demonstrated in example SIT syntax to detect protective markings could be used to identify classifications that were applied to items via protective markings. Once the markings are identified, these solutions could apply matching labels to the items, ensuring that they're protected by label-based controls, including Data Loss Prevention (DLP) policies that prevent inappropriate distribution of security classified information.
Note
When used to detect and honor existing markings, capabilities that automatically apply sensitivity labels shouldn't be considered at odds with PSPF 2024 Requirement 59, because a classification was already applied by a user.
Requirement | Detail |
---|---|
PSPF 2024 - Requirement 59 | The value, importance, or sensitivity of official information (intended for use as an official record) is assessed by the originator by considering the potential damage to the government, the national interest, organizations, or individuals that would arise if the information’s confidentiality were compromised. |
Prebuilt Sensitive Information Types designed to identify Australian data types and custom Sensitive Information Types constructed to identify organization-specific information can also be utilized.
Microsoft Purview Data Map
Microsoft Purview Data Map can be used to scan for sensitive content within files residing on supported data sources.
Microsoft Purview Information Protection Scanner
Microsoft Purview Information Protection Scanner is a capability that can be set up on an on-premises server. It allows organizations to scan and label items on network shares and within on-premises SharePoint document libraries.