Automatic application of sensitivity labels for the Australian Government

This article provides guidance for Australian Government organizations on sensitivity auto-labeling. Its purpose is to help government organizations increase their security and compliance maturity while adhering to the requirements outlined in the Protective Security Policy Framework (PSPF) and Information Security Manual (ISM).

Auto-labeling uses capabilities such as Sensitive Information Types (SITs) and trainable classifiers to identify markings or sensitive information within items. Following identification, the service recommends or automatically applies a label to the item where the information was detected. The label helps to ensure that the contained information is adequately protected. Microsoft Purview has two types of sensitivity auto-labeling: client-based auto-labeling and service-based auto-labeling. Auto-labeling concepts can be extended to on-premises locations via the Microsoft Purview Information Protection scanner. They can also be applied to databases and storage services via automated labeling for non-Microsoft 365 locations.

Australian Government requirements relevant to auto-labeling are:

Requirement | Detail
PSPF 2024 - 09. Classification & Caveats - Requirement 59 | The value, importance, or sensitivity of official information (intended for use as an official record) is assessed by the originator by considering the potential damage to the government, the national interest, organizations, or individuals that would arise if the information’s confidentiality were compromised.
ISM Security Control: 0271 (March 2025) | Protective marking tools don't automatically insert protective markings into emails.

Both PSPF and ISM imply that a person, rather than an automated service, should be responsible for decisions to apply security classifications to items. These requirements are more likely to prohibit default labeling than Microsoft Purview auto-labeling, which acts on markings or sensitive information actually present in the item. When auto-labeling is used in the right way, it helps to reduce the risk of information being compromised. For example, consider the following scenarios:

  • User assistance: Client-based auto-labeling detects sensitive information or security markings and recommends the most appropriate label to the user, who retains the agency to make the decision. For more information on implementing user assistance, see client-based auto-labeling.
  • Honoring external markings: Service-based auto-labeling can honor security classifications applied to items by external organizations. Honoring the external marking brings received documents and emails within the scope of your organization's data security controls. It also allows your organization to honor classifications applied by the originating organization. For more information, see recommendations based on external organization markings.
  • System-based labels: Service-based auto-labeling honors labels generated by systems, for example payroll emails to staff detailing their payslip from an HR system. For more information on implementation, see recommendations based on system markings and how to configure a default sensitivity label for a SharePoint document library.
  • Legacy item alignment: Service-based auto-labeling detects security classifications via markings or document properties applied to legacy items and brings those items within scope of current security controls. When used in this manner, auto-labeling strengthens Data Loss Prevention (DLP) and other security configurations by ensuring that legacy items are protected by modern controls. For more information on how to implement this in a government organization, see recommendations based on historical classifications.

Note

When auto-labeling detects multiple matches, the match aligning with the highest sensitivity is applied or recommended for the item. For more information, see label priority.
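As an added illustration (not part of this article and not Microsoft Purview code), the following Python model shows the decision flow the scenarios above and the note describe: a content condition with a minimum match count (SIT-style), an external email header marking, and a legacy document property each map to a label; when several conditions match, the label of highest sensitivity wins; client-based mode only recommends, while service-based mode applies. The label names, the X-Protective-Marking header name, the Classification property, and all rules and sample items are constructed assumptions for the example, not values taken from the page or from any Purview configuration.

```python
"""Toy model of sensitivity auto-labeling decisions (added example, not Microsoft code)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Hypothetical label set ordered by sensitivity. The page does not list labels;
# these names and their order are assumptions used only for illustration.
LABEL_PRIORITY: Dict[str, int] = {
    "UNOFFICIAL": 0,
    "OFFICIAL": 1,
    "OFFICIAL: Sensitive": 2,
    "PROTECTED": 3,
}


@dataclass
class Item:
    """An email or document as the labeling engine sees it."""
    body: str
    headers: Dict[str, str] = field(default_factory=dict)     # email headers
    properties: Dict[str, str] = field(default_factory=dict)  # document properties


@dataclass
class Rule:
    """One auto-labeling condition mapped to the label it should produce."""
    name: str
    label: str
    kind: str                   # "sit" (content pattern), "header" or "property"
    pattern: str                # regular expression
    key: Optional[str] = None   # header or property name for non-content kinds
    min_count: int = 1          # minimum number of content matches (SIT-style)

    def matches(self, item: Item) -> bool:
        if self.kind == "sit":
            return len(re.findall(self.pattern, item.body)) >= self.min_count
        if self.kind == "header":
            return re.search(self.pattern, item.headers.get(self.key, "")) is not None
        if self.kind == "property":
            return re.search(self.pattern, item.properties.get(self.key, "")) is not None
        raise ValueError(f"unknown rule kind: {self.kind}")


def evaluate(item: Item, rules: List[Rule]) -> Tuple[Optional[str], List[str]]:
    """Return (label, names of matched rules). With several matches the label of
    highest sensitivity wins, mirroring label priority."""
    matched = [r for r in rules if r.matches(item)]
    if not matched:
        return None, []
    best = max(matched, key=lambda r: LABEL_PRIORITY[r.label])
    return best.label, [r.name for r in matched]


def decide(item: Item, rules: List[Rule], mode: str) -> Dict[str, object]:
    """mode='recommend' models client-based auto-labeling (the user keeps agency);
    mode='apply' models service-based auto-labeling (label applied to the item)."""
    label, matched = evaluate(item, rules)
    action = "none" if label is None else mode
    return {"label": label, "action": action, "matched": matched}


# Constructed rules: assumed names, patterns and header/property keys.
RULES = [
    Rule("nine-digit identifiers", "OFFICIAL: Sensitive", "sit",
         r"\b\d{3} \d{3} \d{3}\b", min_count=2),
    Rule("external PROTECTED header", "PROTECTED", "header",
         r"SEC=PROTECTED", key="X-Protective-Marking"),
    Rule("external OFFICIAL:Sensitive header", "OFFICIAL: Sensitive", "header",
         r"SEC=OFFICIAL:Sensitive", key="X-Protective-Marking"),
    Rule("legacy classification property", "OFFICIAL: Sensitive", "property",
         r"^Sensitive$", key="Classification"),
]

# Constructed sample items (not real data).
EXTERNAL_EMAIL = Item(
    body="Please find the attached briefing. Ref 123 456 789 and 987 654 321.",
    headers={"X-Protective-Marking": "SEC=PROTECTED, ORIGIN=sender@example.gov.au"},
)
LEGACY_DOC = Item(body="Minutes from 2015.", properties={"Classification": "Sensitive"})
PLAIN_NOTE = Item(body="Lunch is at noon.")

if __name__ == "__main__":
    # The external email matches both a content rule and a header rule; the
    # higher-sensitivity PROTECTED label wins, as the note above describes.
    print(decide(EXTERNAL_EMAIL, RULES, "apply"))
    print(decide(LEGACY_DOC, RULES, "apply"))
    print(decide(PLAIN_NOTE, RULES, "recommend"))
```

Two things the model makes visible: every label it produces traces back to a marking or content that an originator or originating system placed on the item, which is the sense in which the article reconciles auto-labeling with Requirement 59 and ISM 0271; and the priority step means a stray lower-sensitivity match never downgrades an item that also carries a higher marking.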

Organizations with sensitivity auto-labeling in place are likely to have higher label accuracy than organizations not using these features. Label accuracy helps to ensure that information is within the scope of relevant controls and strengthens an organization's ability to meet PSPF 2024 Requirement 71:

Requirement | Detail
PSPF 2024 - 10. Information Holdings - Requirement 71 | Implement operational controls for these information holdings proportional to their value, importance, and sensitivity.

Such capabilities can be considered ways of proactively integrating protective security requirements into business practices and align with the Embedded level of the PSPF maturity model. For more information about PSPF maturity, see Protective Security Policy Framework (PSPF) Assessment Report.