Automatic application of sensitivity labels for Australian Government compliance with PSPF
This article provides guidance for Australian Government organizations on sensitivity auto-labeling. Its purpose is to help government organizations to increase their security and compliance maturity while adhering with requirements outlined in the Protective Security Policy Framework (PSPF) and Information Security Manual (ISM).
Auto-labeling uses capabilities such as Sensitive Information Types (SITs) and trainable classifiers to identify markings or sensitive information within items. Following identification, the service recommends or automatically applies a label to the item where the information was detected. The label helps to ensure that the contained information is adequately protected. Microsoft Purview has two types of sensitivity auto-labeling: client-based auto-labeling and service-based auto-labeling. Auto-labeling concepts can be extended to on-premises locations via the Microsoft Purview Information Protection scanner. They can also be applied to databases and storage services via Azure Data Map.
Australian Government requirements relevant to auto-labeling are:
| Requirement | Detail |
|---|---|
| PSPF Policy 8 Requirement 2 a.i. – Assessing sensitive and security classified information (v2018.6) | To decide which security classification to apply, the originator must assess the value, importance, or sensitivity of official information by considering the potential damage to government, the national interest, organizations, or individuals, that would arise if the information's confidentiality was compromised. |
| ISM Security Control: 0271 (June 2024) | Protective marking tools don't automatically insert protective markings into emails. |
Both PSPF and ISM state that a person, rather than an automated service, should be responsible for decisions to apply labels to items. However, in a modern work environment, combining service-based and client-based auto-labeling benefits Government organizations and reduces risk in the following circumstances:
- User assistance: Client-based auto-labeling detects sensitive information or security markings and recommends the most appropriate label to the user who has agency to make the decision. For more information on implementing user assistance, see client-based auto-labeling.
- Honoring external markings: Service-based auto-labeling can honor security classifications applied to items by external organizations. Honoring the external marking brings received documents and emails within the scope of your organization's data security controls, and preserves the classification applied by the originating organization. For more information, see recommendations based on external organization markings.
- System based labels: Service-based auto-labeling honors labels generated by systems, for example payroll emails to staff detailing their payslip from an HR system. For more information on implementation, see recommendations based on system markings and how to configure a default sensitivity label for a SharePoint document library.
- Legacy item alignment: Service-based auto-labeling detects security classifications via markings or document properties applied to legacy items and brings the items within scope of current security controls. When used in this manner, auto-labeling strengthens Data Loss Prevention (DLP) and other security configurations by ensuring that legacy items are protected by modern controls. For more information on how to implement this in a Government organization, see recommendations based on historical classifications.
> **Note**
>
> When auto-labeling detects multiple matches, the match that aligns with the highest sensitivity content is the one that is applied or recommended for the item, ensuring items aren't under-classified. For more information, see label priority.
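To illustrate the marking detection and label-priority behaviour described above, here is an added Python example (not Purview code and not from this article) that scans constructed items for PSPF markings in subject tags, a mail header, body text and legacy document properties, then recommends the highest-priority match. The `SEC=` marking syntax and the `X-Protective-Marking` header name are assumed from the Australian Email Protective Marking Standard; the item dictionaries are constructed sample input, not Purview objects.

```python
import re

# PSPF classifications from least to most sensitive. The index acts as the
# "label priority": when several markings match, the highest index wins.
LABEL_PRIORITY = ["UNOFFICIAL", "OFFICIAL", "OFFICIAL: Sensitive", "PROTECTED"]

# Stand-in for a marking SIT. The "SEC=" form is assumed from the Australian
# Email Protective Marking Standard (subject tags and X-Protective-Marking).
MARKING_RE = re.compile(
    r"\bSEC=(OFFICIAL:\s*SENSITIVE|OFFICIAL|PROTECTED|UNOFFICIAL)\b", re.IGNORECASE)

def normalize(marking):
    """Map case and spacing variants onto the canonical label names above."""
    m = marking.upper().replace(" ", "")
    return "OFFICIAL: Sensitive" if m == "OFFICIAL:SENSITIVE" else m

def detect_markings(item):
    """Collect every classification marking on an item: subject tags, mail
    headers and body text (external markings) plus document properties
    (legacy items). `item` is a constructed dict, not a Purview object."""
    found = set()
    texts = [item.get("subject", ""), item.get("body", "")]
    texts += item.get("headers", {}).values()
    for text in texts:
        found.update(normalize(m) for m in MARKING_RE.findall(text))
    for value in item.get("properties", {}).values():
        if normalize(value) in LABEL_PRIORITY:
            found.add(normalize(value))
    return found

def recommend_label(item):
    """Apply the label-priority rule: the most sensitive match is the label
    recommended or applied, so the item is never under-classified."""
    found = detect_markings(item)
    return max(found, key=LABEL_PRIORITY.index) if found else None

# Constructed sample items: an externally marked email whose header carries a
# higher marking than its subject, and a legacy document with a property only.
EXTERNAL_EMAIL = {
    "subject": "[SEC=OFFICIAL:Sensitive] Joint program update",
    "headers": {"X-Protective-Marking": "SEC=PROTECTED"},
    "body": "Please see attached.",
}
LEGACY_DOC = {
    "body": "Procedure manual, 2014 edition.",
    "properties": {"Classification": "official", "Author": "Records team"},
}

if __name__ == "__main__":
    for name, item in [("external email", EXTERNAL_EMAIL), ("legacy doc", LEGACY_DOC)]:
        print(f"{name}: {sorted(detect_markings(item))} -> {recommend_label(item)}")
```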
Organizations with sensitivity auto-labeling in place have increased label accuracy. Label accuracy helps to ensure that information is within the scope of relevant controls and strengthens an organization's ability to meet PSPF Policy 8 Core Requirement C:

| Requirement | Detail |
|---|---|
| PSPF Policy 8 Core Requirement C | Implement operational controls for these information holdings proportional to their value, importance, and sensitivity |
Such capabilities are considered to be proactively integrating protective security requirements into business practices, which aligns with the Embedded level of the PSPF maturity model (discussed in Protective Security Policy Framework (PSPF) Assessment Report).