This Microsoft Purview Information Protection Guide has been prepared by Microsoft for use by Australian Government and other interested organizations. Its intent is to assist Australian Government customers to improve their data security posture while meeting information classification and protection requirements. Advice in this guide closely aligns with requirements set out in the Protective Security Policy Framework (PSPF) and the Information Security Manual (ISM).
This guide is aimed at Australian Government Chief Data Officers (CDO), Chief Technology Officers (CTO), Chief Security Officers (CSO), Chief Information Security Officers (CISO), risk or compliance officers, and information privacy or other information management roles.
The suggested program approach helps organizations establish a program and work rapidly to improve information protection maturity.
The guide is written for a generic Government organization, and its examples are written to suit that organization. However, every Government organization needs to tailor the guidance to its unique requirements, for example legislative nuance that applies to a specific organization. The examples are intended to help with such tailoring.
The section of the guide titled Australian Government requirement to capability mapping includes a full listing of PSPF Policy 8 and Policy 9 requirements, along with an explanation of how Microsoft Purview capabilities can be configured to meet each requirement, and a link to the corresponding guide sections. Relevant Information Security Manual (ISM) and Australian Government Recordkeeping Metadata Standard (AGRkMS) requirements are also discussed.
This guide makes use of three key capabilities to meet government information protection and classification requirements, namely:
The following diagram provides a conceptual overview of the interaction between these three Microsoft 365 capabilities along with examples of use.
Microsoft Purview Information Protection includes a capability called sensitivity labeling. Sensitivity labeling allows users to apply labels to items such as files and email. These labels can be aligned with data security controls to protect the enclosed information. Sensitivity labeling can also be extended to other services such as SharePoint sites, Teams, and meetings.
Sensitivity labels, when aligned with an organization's classification requirements, such as those defined in Protective Security Policy Framework (PSPF) Policy 8, allow labels to be treated as classifications. They provide visual markings via the user interface and other marking options. For example:
Data security controls that can be applied via sensitivity labels, include:
These capabilities align with Australian Government requirements for the marking and protection of sensitive or security classified information.
As discussed in Microsoft Office client support, users typically interact with labeled items via a Microsoft 365 Apps Office client, web based client, or a mobile device equivalent. These clients allow users to apply labels to items.
If a user forgets to apply a label to an item, the client prompts the user to apply a label before saving the item or, if an email, before sending it.
While a user is working on an item, if a label is yet to be applied and information is detected that aligns with a classification, then a label recommendation can be provided to the user. If sensitive content is then detected that aligns with a higher classification than the applied sensitivity label, a recommendation can be provided to the user that they increase the item's sensitivity.
Such recommendations help to ensure label accuracy. Label accuracy is important as many controls governing the flow of information are based on item sensitivity.
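The recommendation rule described above (prompt when no label is applied; recommend an upgrade when detected content implies a higher classification than the applied label; never recommend a downgrade on the strength of a non-match) can be modelled in a few lines. The following is an added example written for this page, not Microsoft's or Purview's own implementation. The classification ladder, the regular-expression detectors, and the sample inputs are all constructed assumptions for illustration; Purview uses its own sensitive information types and trainable classifiers rather than these patterns.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Hypothetical classification ladder, lowest to highest. The names follow the
# PSPF scheme the guide references; the logic relies only on their ordering.
CLASSIFICATION_ORDER = ["UNOFFICIAL", "OFFICIAL", "OFFICIAL: Sensitive", "PROTECTED"]

# Constructed detectors: each maps a pattern found in item content to the
# minimum classification that content implies. Illustrative only.
DETECTORS = [
    (re.compile(r"\bPROTECTED\b"), "PROTECTED"),
    (re.compile(r"\bOFFICIAL:\s*Sensitive\b", re.IGNORECASE), "OFFICIAL: Sensitive"),
    # Nine-digit, TFN-shaped number (constructed pattern, no checksum validation).
    (re.compile(r"\b\d{3}\s?\d{3}\s?\d{3}\b"), "OFFICIAL: Sensitive"),
]


@dataclass
class Recommendation:
    action: str              # "apply", "upgrade", or "none"
    label: Optional[str]     # label to apply/upgrade to, or the label left in place
    reason: str


def rank(label: str) -> int:
    """Position of a label on the ladder; higher means more sensitive."""
    return CLASSIFICATION_ORDER.index(label)


def detect_classification(text: str) -> Optional[str]:
    """Return the highest classification implied by any detector match, or None."""
    best = None
    for pattern, label in DETECTORS:
        if pattern.search(text) and (best is None or rank(label) > rank(best)):
            best = label
    return best


def recommend_label(text: str, applied_label: Optional[str]) -> Recommendation:
    """Decide what the client should show the user for an item with the given label."""
    detected = detect_classification(text)
    if applied_label is None:
        if detected is None:
            # Mandatory labeling: block save/send until the user chooses a label.
            return Recommendation("apply", None,
                                  "no label applied; prompt the user before save or send")
        return Recommendation("apply", detected, f"content matches {detected}")
    if detected is not None and rank(detected) > rank(applied_label):
        return Recommendation("upgrade", detected,
                              f"content matches {detected}, above applied {applied_label}")
    # A non-match is not evidence of lower sensitivity, so never suggest a downgrade here.
    return Recommendation("none", applied_label,
                          "applied label is at or above detected sensitivity")


if __name__ == "__main__":
    # Constructed sample items, one per branch of the rule.
    samples = [
        ("Agenda for the Tuesday stand-up", None),
        ("Client TFN 123 456 789 attached", None),
        ("This briefing is PROTECTED", "OFFICIAL"),
        ("Nothing sensitive in this note", "PROTECTED"),
    ]
    for body, label in samples:
        r = recommend_label(body, label)
        print(f"{label!s:20} -> {r.action:8} {r.label!s:20} ({r.reason})")
```

The ordering in `CLASSIFICATION_ORDER` is what makes "higher classification" meaningful; if an organization's label set is not a strict ladder (for example, parallel caveats at the same level), the comparison has to be defined per pair rather than by index.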
Microsoft 365 Copilot inherits Microsoft 365's multiple forms of protection against compromise and unauthorized access. The permission model within Microsoft 365 helps to ensure that information isn't unintentionally leaked between users and groups: Copilot only returns content the requesting user already has permission to access.
Important
Microsoft Purview configuration is not a prerequisite for Copilot for Microsoft 365. However, deployment of Microsoft Purview configurations strengthens your overall information security posture in your organization's entire environment, including Copilot.
The information risk mitigations that Microsoft Purview provides are complementary to Copilot for Microsoft 365. The most straightforward example of this is label inheritance. If Copilot is used to generate an item based on a source item, for example, to generate a summary of a source Word document, then any sensitivity label applied to the source item is inherited by the generated item. This helps to ensure that protections applied to information are maintained as the information changes form.
When evaluating potential security concerns that could arise from enabling Copilot for Microsoft 365, risks can be grouped into three categories:
The following capabilities, which are discussed in this guide, can help mitigate the risks of data leaking out of Copilot and of data oversharing:
For more Copilot for Microsoft 365 specific information on these controls, see Information protection considerations for Copilot.
For risks concerning data leaking into AI tools, sensitivity label encryption is the relevant Purview control. Other controls for this category aren't Microsoft Purview specific and aren't addressed as part of this guide. However, the following links provide relevant information:
If you'd like to reach out to the creators of this guide to discuss the advice provided then feel free to do so via AUGovMPIPGuide@microsoft.com.