Automated labeling for non-Microsoft 365 locations for Australian Government compliance with PSPF

This article provides guidance for Australian Government organizations on sensitivity auto-labeling for non-Microsoft 365 locations, such as on-premises file shares. It's intended to help government organizations increase their security and compliance maturity while adhering to requirements outlined in the Protective Security Policy Framework (PSPF) and Information Security Manual (ISM).

Government organizations sometimes encounter situations where items that are outside of Microsoft 365 locations need to be labeled. Examples are when Government organizations:

  • Inherit data residing in non-Microsoft 365 storage platforms as part of Machinery of Government (MoG) changes.
  • Seek to transition from an on-premises platform to a SharePoint-based solution and need to move data as part of the migration.
  • Need to maintain items outside of Microsoft 365 locations but still want to ensure that they're protected by label-based protections.

The preferred and recommended approach for data moved into Microsoft 365 locations is to utilize service-based auto-labeling to label items at rest, as discussed in Labeling existing items at rest.

Australian Government organizations sometimes encounter situations where items need to remain outside of Microsoft 365, such as when they need to remain offline or within an online storage platform (for example, blob storage). This article covers capabilities available to address these requirements.

The capabilities mentioned in this article can be used to identify Sensitive Information Types (SITs) within files. SITs demonstrated in example SIT syntax to detect protective markings could be used to identify classifications applied to items via protective markings. Once identified, these solutions could apply matching labels to the items, ensuring that they're protected by label-based controls including Data Loss Prevention (DLP) policies preventing inappropriate distribution of security classified information.

Note

When used to detect and honour existing markings, capabilities that automatically apply sensitivity labels should not be considered at odds with PSPF Policy 8 Requirement 2 as a classification has already been applied by a user.

Requirement: PSPF Policy 8 Requirement 2 a.i. – Assessing sensitive and security classified information (v2018.6)

Detail: To decide which security classification to apply, the originator must assess the value, importance, or sensitivity of official information by considering the potential damage to government, the national interest, organizations, or individuals, that would arise if the information’s confidentiality was compromised.

Prebuilt Sensitive Information Types designed to identify Australian data types and Custom Sensitive Information Types constructed to identify organization specific information can also be utilized.

Microsoft Purview Data Map

Microsoft Purview Data Map can be used to scan for sensitive content within files residing on supported data sources.

Microsoft Purview Information Protection Scanner

Microsoft Purview Information Protection Scanner is a capability that can be set up on an on-premises server. It allows organizations to scan and label items on network shares and within on-premises SharePoint document libraries.