Sensitivity Labels

Summary

To ensure Loyola is in compliance with the Family Educational Rights and Privacy Act (FERPA), Payment Card Industry Data Security Standard (PCI-DSS), and Health Insurance Portability and Accountability Act (HIPAA) requirements, Technology Services is testing a tool that will secure university data by automatically classifying documents containing sensitive information and setting sharing permissions. The classifications will also remind our campus community of what counts as sensitive content. Internal testing is occurring now, and sensitivity labels will be deployed to the rest of campus early next year. More information will be forthcoming.

OneDrive for Business and Microsoft Teams are Loyola’s solutions for cloud storage of data. To ensure we meet our compliance obligations, we do not recommend or support using other cloud storage options, including Dropbox, iCloud, Google Drive, Box, etc.

Security Classifications (Sensitivity Labels)

Security classifications protect individual documents by categorizing them. They are referred to as “sensitivity labels” for Microsoft Office 365 documents. Currently, sensitivity labels apply only to Office 365 documents (Excel, Word, PowerPoint, etc.).

[Image: example of sensitivity labels in Microsoft Word]

Guidelines for Security Classifications

The guidelines for security classifications come directly from the university’s data classification policy.

Public:

  • Data that could be published or posted to a public website or otherwise made available to the entire world with no limits, even if it is not actually published.
  • Examples of public data include: departmental contact information and phone numbers, course catalogs, etc.

Internal:

  • Data that the University would prefer not to publish, perhaps for competitive or public relations reasons, but where no significant damage would be done if it were to be disseminated.
  • Examples of internal data include: many departmental memos, most meeting minutes, plans for future course offerings, etc.

Sensitive:

  • Most data covered by FERPA, but not otherwise considered highly-sensitive, is likely to be deemed sensitive.
  • Examples of sensitive data include: student identification numbers, student grades, student directory information, employee home phone numbers, passwords or password hashes for accounts with access only to internal or public data.

Highly-Sensitive:

  • Data covered by HIPAA, PCI-DSS, and the Maryland Personal Information Privacy Act (PIPA), among others, is likely to be deemed Highly-Sensitive.
  • Examples of highly-sensitive data include: Social Security numbers, Driver’s License numbers, Personal Health Information, passwords or password hashes for accounts with access to sensitive or highly-sensitive data, and customer payment card numbers or payment card authentication data.

Things to be aware of:

  • Users will be unable to screenshare documents classified as sensitive or highly sensitive in Microsoft Teams meetings.
  • Co-editing documents marked highly sensitive, which are encrypted, is not supported at this time.

Learn more about Microsoft 365 sensitivity labels.

 

Details

Article ID: 118118
Created: Mon 10/12/20 11:32 AM
Modified: Tue 11/17/20 3:30 PM