Microsoft Purview Information Protection program approach for Australian Government compliance with PSPF
This article is provided as part of the Australian Government Information Protection Guide and is intended to help organizations to navigate the range of scenarios and configuration options explored in the guide. The approach detailed in this article includes multiple incremental project stages intended to help organizations to rapidly improve their Protective Security Policy Framework (PSPF) maturity as they move through program stages.
The approach listed here also includes data security controls that are key to adherence with the Information Security Manual (ISM).
Stage 1: Microsoft Purview foundations
Desired outcomes - Microsoft Purview foundations
The purpose of stage one is to establish a set of initial Microsoft Purview configurations that allow your organization to meet PSPF Policy 8 Core requirements by allowing users to assess and mark sensitive or security classified information. Stage one also implements a base set of operational controls that protect information based on its sensitivity.
| Recommended inclusions | Sections |
|---|---|
| Establishment of a label taxonomy that aligns to PSPF Policy 8, including all sensitivity labels that users need to apply to items. | Sensitivity label taxonomy |
| Sensitivity label configuration and deployment of labeling capabilities to users. | Sensitivity label configuration; Sensitivity label policies |
| Establishment of marking methods, including DLP policies that apply X-Protective-Marking x-headers and subject markings to email. | Email marking strategies |
| Implementation of an initial set of DLP policies to monitor or control the flow of security classified information (including nonpermitted classifications). | Preventing inappropriate distribution of security classified information; Preventing data spill via receipt of inappropriate classifications |
| Implementation of templated DLP policies aligning with Australian data types to help identify and protect sensitive information regardless of the applied sensitivity label. | Utilizing DLP policy templates for controlling email of sensitive information |
| Implementation of Sensitive Information Types (SITs) to assist with the identification of information based on applied protective markings. | Example SIT syntax to detect protective markings |
| Implementation of auto-labeling configuration to identify protective markings applied to legacy items and recommend an appropriate label to the user. | Recommendations based on external agency markings; Recommendations based on historical markings |
| Implementation of auto-labeling policies to automatically apply sensitivity labels to items received from external entities where the applied protective markings align with a sensitivity label. This ensures that DLP and other label-based protections apply to received items and not just to those generated internally. | Labeling of email during transport |
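The SIT-based detection, transport auto-labeling and data-spill rows above describe one decision path for inbound mail: read the protective marking from the subject or the X-Protective-Marking header, map it to a label in the taxonomy, and treat anything outside the taxonomy as a potential data spill. The following is an added illustration of that logic, not code from the guide or from Microsoft Purview; the label taxonomy, the sample messages and the regular expressions are constructed assumptions (the regexes follow the Australian Email Protective Marking Standard's `[SEC=...]` subject and `SEC=` header fields).

```python
import re

# Constructed taxonomy: the PSPF markings this hypothetical tenant's sensitivity
# labels cover. Any marking outside it is a nonpermitted classification.
PERMITTED_MARKINGS = {
    "UNOFFICIAL": "Unofficial",
    "OFFICIAL": "Official",
    "OFFICIAL:Sensitive": "Official Sensitive",
    "PROTECTED": "Protected",
}

# Subject marking, e.g. "Budget [SEC=OFFICIAL:Sensitive]" (caveats may follow inside the brackets).
SUBJECT_RE = re.compile(r"\[SEC=(?P<sec>[A-Z]+(?::[A-Za-z]+)?)[^\]]*\]")
# X-Protective-Marking is a comma-separated key=value list; the SEC field carries the classification.
HEADER_SEC_RE = re.compile(r"(?:^|,)\s*SEC=(?P<sec>[A-Z]+(?::[A-Za-z]+)?)")


def extract_marking(subject, x_protective_marking):
    """Return the classification from the header (preferred) or the subject marking, or None."""
    if x_protective_marking:
        m = HEADER_SEC_RE.search(x_protective_marking)
        if m:
            return m.group("sec")
    m = SUBJECT_RE.search(subject or "")
    return m.group("sec") if m else None


def classify_inbound(subject, x_protective_marking):
    """Mimic the stage 1 transport decision for one inbound item."""
    marking = extract_marking(subject, x_protective_marking)
    if marking is None:
        return {"marking": None, "label": None, "action": "no-marking"}
    label = PERMITTED_MARKINGS.get(marking)
    if label is None:
        # Classification outside the taxonomy (e.g. SECRET arriving in an OFFICIAL/PROTECTED
        # tenant): treat as a potential data spill and block rather than label it.
        return {"marking": marking, "label": None, "action": "block-data-spill"}
    return {"marking": marking, "label": label, "action": "apply-label"}


if __name__ == "__main__":
    # Constructed sample messages (subject, X-Protective-Marking header).
    samples = [
        ("Budget [SEC=OFFICIAL:Sensitive]", None),
        ("Minutes", "VER=2018.4, NS=gov.au, SEC=PROTECTED, ORIGIN=user@example.gov.au"),
        ("Brief [SEC=SECRET]", None),
        ("Lunch", ""),
    ]
    for subject, header in samples:
        print(subject, "->", classify_inbound(subject, header))
```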
Stage 2: Know and protect information
Desired outcomes - Know and protect information
Implementation of capabilities to better identify sensitive information and ensure that relevant protections are applied.
| Recommended inclusions | Sections |
|---|---|
| Implementation of label groups and sites configuration to allow for controls to be applied to SharePoint sites and Teams. | Sensitivity label groups & sites configuration |
| Implementation of label meeting and calendar item configuration to extend PSPF concepts and data security controls through calendars. | Sensitivity labeling for calendar items and Teams meetings |
| Identification of the organization's key information assets and establishment of methods for their identification. These methods are likely to require the use of advanced classifiers, including custom sensitive information types, trainable classifiers, exact data match and/or document fingerprinting. | Custom Sensitive Information Types; Exact data match sensitive information types; Document fingerprinting; Trainable Classifiers |
| Implementation or enhancement of DLP policies to prevent the loss of sensitive information identified via advanced classification techniques. | Controlling email of custom SITs via DLP; Limiting external chat containing sensitive content; Controlling sharing of sensitive information through DLP |
| Implementation of auto-labeling policies to recommend labels based on the detection of sensitive information. | Recommending labels based on sensitive content detection; Recommendations based on external agency markings |
| Potential implementation of extra sensitivity labels, along with the required auto-labeling configurations, to allow classifications applied by other jurisdictions to be maintained without reclassification. | Labels for organizations with differing label taxonomies |
Stage 3: Advanced controls and legacy locations
Desired outcomes - Advanced controls and legacy locations
Advanced controls to help ensure compliance and to further prevent the loss of sensitive or security classified information. This stage could also include the extension of controls to legacy items and locations.
| Recommended inclusions | Sections |
|---|---|
| The labeling of sites, Teams, and groups that were in place before sensitivity label deployment. | SharePoint location and item sensitivity; Teams location and item sensitivity |
| The labeling of pre-existing items to bring them within the scope of label-based controls. | Labeling existing items at rest; Automated labeling for non-Microsoft 365 locations |
| Processes and strategies to act on potentially malicious activities surrounding labeled or otherwise sensitive items (for example, insider risk management, communication compliance, data out-of-place alerting). | Data out of place alerting; Monitoring sensitive information with insider risk management; Controlling sensitive information with Adaptive Protection; Monitoring external chat via Communication Compliance |
| Implementation of label-based Azure Rights Management encryption and strategies to ensure highly sensitive information is protected without impact to other services. | Sensitivity label encryption |
| Extension of DLP policies and approaches to endpoints and cloud services (via Endpoint DLP and Defender for Cloud Apps). | Preventing the upload of security classified items to unmanaged locations; Prevent download or printing of security classified items |