
Sensitivity labels and security classification metadata requirements for the Australian Government

This article provides guidance for Australian Government organizations on Microsoft Purview sensitivity labeling and label metadata alignment with requirements outlined in the Protective Security Policy Framework (PSPF) and Australian Government Recordkeeping Metadata standard (AGRkMS).

AGRkMS lists optional metadata properties that are configured in systems to align with security markings. These properties are typically a lower priority for government organizations starting their compliance journey. However, metadata management is an important part of mature records management, including for organizations seeking to meet their records requirements via in-place records management in Microsoft 365.

Properties included in AGRkMS that government organizations should index are:

  • Security Classification, and
  • Security Caveat.

As mentioned in SharePoint Location and Item Sensitivity, sensitivity labels applied to files are indexed by SharePoint in a Sensitivity column. The value in this column includes the protective marking or security classification along with any applied Information Management Markers (IMM) or caveats.

The Australian Government Recordkeeping Metadata Standard should be consulted when planning configurations. The stated intent of these requirements can be met natively in the Microsoft Purview solution using this guide.

Organizations that want to reindex classification and caveat metadata into fields that fully align with the AGRkMS standard can do so via a process that populates managed properties based on existing label properties.

Figure: Indexing classification metadata.

Configuration to index extra metadata hasn't been included in this guide due to the intent of these requirements already being met by the platform.

Rights property

PSPF Release 2024 includes a new requirement regarding the AGRkMS rights property:

Requirement: PSPF 2024 - 09. Classifications & Caveats - Requirement 69
Detail: Apply the Australian Government Recordkeeping Metadata Standard's 'Rights' property where the entity wishes to categorize information content by the type of restrictions on access.

Rights is a property defined in AGRkMS that applies to records and is used to govern or restrict non-security-related use. It has the subproperties Rights Statement, Rights Type, and Rights Status.

An example implementation utilizing the rights property could include a rights type of 'Freedom of Information (FOI)' with available statuses of:

  • May be released under FOI
  • Not for release
  • Published
  • Limited release

The rights property is likely to be irrelevant for organizations meeting their records management requirements via non-Microsoft 365 solutions. For those looking to achieve full compliance with an in-place Microsoft 365 records management solution, the rights property could be implemented via the use of managed metadata.

For more information on the use of managed metadata, see Introduction to managed metadata.

Compliance boundaries

AGRkMS describes one use of the Security Classification and Security Caveat metadata as preventing discovery of the nature of the information or activity covered by particular security compartments. To put this into context, consider the risk of highly sensitive or security classified information being surfaced and inappropriately disclosed through a reporting process.

Compliance boundaries create logical boundaries within a Microsoft 365 environment. These boundaries are based on user properties, such as department attributes, or on SharePoint site properties. Compliance boundaries limit the search activities of eDiscovery administrators to their allocated scopes.

A typical use of compliance boundaries is to establish organization-based boundaries within multitenant environments. This use case is relevant to Australian Government organizations subject to Machinery of Government (MoG) changes.

To help protect security classified or caveated information from unintended disclosure, compliance boundaries can be established to restrict eDiscovery managers' ability to search security classified locations. To achieve this, compliance security filters are created based on the SharePoint managed properties for the sensitivity label.

Note

For security classification-based compliance boundaries to be effective, sensitivity labels need to be applied to all relevant locations.
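The following is an added example of the compliance security filter described above; it is not part of the original article and is not Microsoft's published configuration for this scenario. It uses the Security & Compliance PowerShell cmdlets (New-ComplianceSecurityFilter, Get-ComplianceSecurityFilter, Get-Label) to scope an eDiscovery role group so that it cannot search SharePoint content carrying a particular sensitivity label. The role group name, the label display name, and the managed property name that exposes the label ID to search are all assumptions shown as placeholders; confirm the actual managed property name in your tenant's SharePoint search schema before applying it.

```powershell
# Added example, not from the original article. Assumptions (replace with your own values):
#   - 'eDiscovery Managers - Unclassified' is an existing role group or list of users.
#   - 'PROTECTED' is the display name of the sensitivity label to keep out of scope.
#   - SiteContent_<label managed property> is a placeholder for the managed property in
#     your tenant that exposes the applied sensitivity label ID to SharePoint search.

# Connect to Security & Compliance PowerShell (ExchangeOnlineManagement module).
Connect-IPPSSession

# Resolve the label ID from its display name rather than hard-coding a GUID.
$protectedLabel = Get-Label | Where-Object { $_.DisplayName -eq 'PROTECTED' }
if (-not $protectedLabel) {
    throw "Sensitivity label 'PROTECTED' not found; check the label name in Microsoft Purview."
}

# Create the filter. Members of the listed group can only search site content whose
# label is not the PROTECTED label. -Action All covers search, preview and export.
New-ComplianceSecurityFilter `
    -FilterName 'Exclude PROTECTED content' `
    -Users 'eDiscovery Managers - Unclassified' `
    -Filters "SiteContent_<label managed property> -ne '$($protectedLabel.ImmutableId)'" `
    -Action All `
    -Description 'Restricts eDiscovery search to content not labelled PROTECTED'

# Verify the filter and review its scope before relying on it.
Get-ComplianceSecurityFilter -FilterName 'Exclude PROTECTED content' |
    Format-List FilterName, Users, Filters, Action
```

Because the filter keys on the indexed label, it only excludes items that actually carry the label, which is why the note above about labeling all relevant locations matters: unlabelled classified content would still be in scope for the filtered group. Review the output of Get-ComplianceSecurityFilter after any label or search-schema change.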