5 tips for good Azure Information Protection implementation

aip implementation tips
What to look for when implementing information classification? Which labels should you choose? Here are 5 tips that will simplify the implementation of Azure Information Protection.
aip implementation tips

When you implement information security mechanisms, in AiP implementation, for example, you need to consider many technical and human aspects. Improper planning of the implementation can cause both technical problems and improper use of new mechanisms. In both situations, the implementation will not be successful and your information will remain unsecured.

Below are five tips that will definitely help you plan the implementation process. They are a template of conduct that you must, of course, adapt to your organization, business specifics, and users.

Have the right set of initial labels

It’s very important to pick standardized and approachable labels. Business users should understand the meaning of labels and be able to use them naturally.

for example:

  1. Personal

    Non-business data, for personal use only

  2. Public

    Business data, that is specifically prepared and approved for public consumption. For example brochure for a team.

  3. General (default label)

    Business data, that is not intended for public consumption. However, this can be shared with external partners, as required. Examples include a company’s internal telephone directory, organizational charts, internal standards, and most internal communication.

  4. Confidential

    Sensitive business data that could cause damage to the business if shared with unauthorized people. Examples include contracts, security reports, forecast summaries, and sales account data

  5. Highly confidential

    Very sensitive business data that would cause damage to the business if it was shared with unauthorized people. Examples include employee and customer information, passwords, source code, and pre-announced financial reports.

Have Sub labels for key departments

For example:

for Confidential classification, sub-labels can be:

  • Extended Staff

  • Full-Time Employees

    Data classified as Confidential meant for all full-time employees. business guests are excluded from this scope

  • Human Resources

  • Legal

    Data clasified as Confidential, meant for legal related managerial roles

  • Finance

    Data classified as Confidential meant for finance-related managerial roles

and

for Highly Confidential classification, sub-labels can be:

  • Extended Staff

  • Full-Time Employees

    Data classified as Confidential meant for all full-time employees. business guests are excluded from this scope

  • Project X

    Leadership approved special project. Do not share the existence of this project name with others. Contact Jane Doe for details

  • Human Resources

  • Legal

    Data clasified as Confidential, meant for legal related managerial roles

  • Finance

    Data classified as Highly Confidential meant for finance-related managerial roles

Create scoped policies for specialized teams

The list of global labels may and should be the same for all employees. You can change and customize only the lists of sub-labels. Permissions may be different in that sub-label and the policy may be different for that team.

Encourage the right user behavior

There are four approaches to getting data classified

  • Automatic

    When you classify information and apply labels via rules. Automatic classification is good but you shouldn’t expect it to solve all our problems. It’s based on simple rules and you shouldn’t expect too much from it.

  • Recommended

    When you recommend using some information classification

  • Reclassification

    When you allow users to change the classification

  • User set

    When you expect users to classify information manually. If you trust that users will do it right, they will remember and believe that they understand well what they are doing and for what purpose

The best results are obtained by using the recommended classification along with the possibility of changing it. It’s also a good idea to ask the user for the reason for the change. This forces users to think about and consciously make a decision about the change.

Based only on manual classification can lead to a situation where it will not be used.

Automatic classification is a good mechanism to initiate the data classification process. However, the entire information security mechanism should not be based on it.

Safeguard email communication

Use information classification in email communication. You can grant access to information sent by email. You will also have control over its further forwarding and copying.

Leave a Reply

Your email address will not be published. Required fields are marked *

four − one =

You May Also Like