Getting Started: Microsoft Sensitivity Labels
Sensitivity Labels are a part of Microsoft Unified Labeling, which is a cloud-based solution that enables our organization to discover, classify, and protect Microsoft documents and emails by applying labels to content. This document will be a guide towards understanding how you can use Sensitivity Labels to protect your documents and emails and get you up to speed on how to use it.
The simplest way to get started is to look for the Sensitivity button in any Office App ribbon (Word, Excel, Powerpoint, Online, Etc.). The Button is located on the Home tab, and typically in the upper right-hand corner of the ribbon. From the dropdown you can choose the appropriate classification; “Confidential”, “Sensitive”, “Internal,” or “Public”, as defined in our Data Classification Policy.
Sensitivity Labels
Sensitivity labels are aligned with DMU data classifications. Below are the labels, definitions, how data and information are handled when the label is applied, and a few examples for each label. See the Data Classification Policy and Information Security and Privacy Overview Policy for more examples.
Label
Definition
Handling
Examples
Confidential Email (Encrypted)
Confidential data pose a high risk of significant financial loss, legal liability, public distrust, or harm if this data is disclosed. Confidential data include any information developed, maintained or managed by or on behalf of the University, or within the scope of university activities that are subject to specific protections under federal or state law or regulations or industry standards, such as HIPAA, HITECH, FERPA, the Iowa Personal Information Security Breach Protection Act, similar state laws and PCI-DSS.
Email: Encrypts email and attachments. Label shows at top of email.
Document: Label not available for documents.
SSN
Student Grades
Patient Information
See Information Security and Privacy Overview Policy for more examples
Sensitive Email (Encrypted)
Sensitive data pose a moderate risk of significant financial loss, legal liability, public distrust, or harm if this data are disclosed. Sensitive data include any information that are not deemed Confidential but are contractually protected by contract or law and any other information that is considered by the University appropriate for sensitive treatment.
Email: Encrypts email and attachments. Label shows at top of email.
Document: Label not available for documents.
- Salary and employee benefit information
- Financial data about donors
- Unpublished research data
- University financial information
See Data Classification Policy for more examples
Confidential Document (Unencrypted)
Confidential data pose a high risk of significant financial loss, legal liability, public distrust, or harm if this data is disclosed. Confidential data include any information developed, maintained or managed by or on behalf of the University, or within the scope of university activities that are subject to specific protections under federal or state law or regulations or industry standards, such as HIPAA, HITECH, FERPA, the Iowa Personal Information Security Breach Protection Act, similar state laws and PCI-DSS.
Email: NOT recommended for emails. Use “Sensitive email (Encrypted): instead.
Document: Label shows at bottom ribbon of document. Document not encrypted, but protected if stored on DMU network, Office 365 or DMU-issued laptop
- SSN
- Student Grades
- Patient Information
See Information Security and Privacy Overview Policy for more examples
Sensitive Document (Unencrypted)
Sensitive data pose a moderate risk of significant financial loss, legal liability, public distrust, or harm if this data are disclosed. Sensitive data include any information that are not deemed Confidential but are contractually protected by contract or law and any other information that is considered by the University appropriate for sensitive treatment.
Email: NOT recommended for emails. Use “Sensitive email (Encrypted): instead. Label shows at top of email. Email NOT encrypted. Document: Label shows at bottom ribbon of document. Document not encrypted, but protected if stored on DMU network, Office 365 or DMU-issued laptop.
- HR Employee Benefit Information
- Unpublished Research Data
- Strategy Documents
- Non-Public Intellectual Property
See Information Security and Privacy Overview Policy for more examples
Internal
Internal data pose a low risk of significant financial loss, legal liability, public distrust, or harm if this data is disclosed. Internal data are intended for internal University business use only, do not rise to the level of Confidential or Sensitive, but should not be made available to the general public.
Email: Label shows at top of email.
Document: Label shows in bottom ribbon of document.
Memos
Correspondence
Meeting Minutes
See Data Classification Policy for more examples
Public
Public data does not fall into any of the other data classifications and poses no risk to the organization. This data and information may be made generally available without specific Data Steward's designee or delegate approval.
This is the default
Email: Label shows at top of email.
Document: Label shows in bottom ribbon of document.
- Advertisements
- Job Opening Announcements
- University Catalogs
Getting Started
Microsoft has created some simple documentation that will quickly get you up to speed on how to apply labels. This online documentation will walk you through applying labels for any platform including; Office 365, Online, IOS, Android, and Mac.
How do I apply sensitivity labels?
Known issues when you apply sensitivity labels to your Office files.
How to remove hidden data and personal information by inspecting documents, presentations or workbooks?
Frequently Asked Questions
How do I classify a file or an email?
Use the sensitivity button in any Office app (Word, Excel, Powerpoint, Online, Etc.) ribbon. The Button is located on the Home tab and typically in the upper right hand corner of the ribbon. From the dropdown you can choose the appropriate classification.
Email
Document
How do I send an encrypted email?
Using Sensitivity Labels, you can encrypt a message by using the “Confidential Email (Encrypted)” or "Sensitive Email (Encrypted)" label. All you need to do is select the label and hit send. Users receiving the encrypted message will either use a one-time passcode or log in with Microsoft credentials. Encrypted email can also be accomplished by using “dmusecureemail” in the subject line of an email.
Can confidential or sensitive emails be forwarded?
Messages that are labeled "Confidential" or "Sensitive" can be forwarded once opened.
Since documents, such as Word documents and Spreadsheets cannot be encrypted with Sensitivity labels, are they at risk?
The DMU network, Office 365 (including OneDrive and Sharepoint) and your DMU-issued laptop are all highly secure and protect our Confidential and Sensitive information. Do not move such documents to other media or cloud solutions, such as box, dropbox, or unencrypted external drives.
Can I change a label once applied?
Yes, when you change the classification of a label you will be required to select a justification. Simply choose a justification radio button that is appropriate for the required change.
Do sensitivity labels apply to calendar invites and items?
No, calendar items and invites are not applicable and cannot have a label applied.
What is the difference between using dmusecureemail in the subject line of an email and using the “Confidential” or “Sensitive” Labels?
-
“dmusecureemail” in subject line: Encrypts the email and sends an initial message with an attachment. In order to open the message, the recipient saves and opens the attachment. They can authenticate with a Microsoft work or school account or a one time passcode. Once opened, the message can be copied, printed, or forwarded as an encrypted email.
-
“Confidential Email (Encrypted)”/”Sensitive Email (Encrypted)” Label: Encrypts your message and sends a message with a link to allow the user to authenticate with a one-time passcode or their Microsoft work or school account.
Are documents with “Confidential” and “Sensitive” information secure on Sharepoint and OneDrive?
Yes. The DMU Information Security teams has completed a thorough security review of Microsoft 365 online and approved it for storing all DMU data, including “Confidential” and “Sensitive” data.
Can Sensitivity Labels be used in the Microsoft 365 online as well as the desktop client?
Yes. Sensitivity Labels are available in Microsoft 365 online apps as well as Microsoft Office desktop apps.