Sensitivity Labels

Summary

To ensure Loyola is in compliance with the Family Educational Rights and Privacy Act (FERPA), Payment Card Industry Data Security Standard (PCI-DSS), and Health Insurance Portability and Accountability Act (HIPAA) requirements, Technology Services is testing a tool that automatically classifies documents containing sensitive information, as part of a multi-faceted approach to securing university data. The classifications will serve as reminders to our campus community of what counts as sensitive content. Internal testing is occurring now, and sensitivity labels will be deployed to the rest of campus in 2021. More information will be forthcoming.

Another way to ensure Loyola meets its compliance obligations is for everyone to use OneDrive for Business and Microsoft Teams for cloud storage of data. We do not recommend or support using other cloud storage options such as Dropbox, iCloud, Google Drive, or Box.

Security Classifications (Sensitivity Labels)

Security classifications protect individual documents by categorizing them. For Microsoft Office 365 documents, they are referred to as “sensitivity labels.” Currently, sensitivity labels apply only to Office 365 documents (Excel, Word, PowerPoint, etc.). The default label for all documents and emails is 'Internal.'

(Image: example of sensitivity labels as they appear in Microsoft Word.)

Guidelines for Security Classifications

The guidelines for security classifications come directly from the university’s data classification policy.

Public:

  • Data that could be published or posted to a public website or otherwise made available to the entire world with no limits, even if the data is not actually published.
  • Examples of public data include: departmental contact information and phone numbers, course catalogs, etc.

Internal:

  • Data that the University would prefer not to publish, perhaps for competitive or public relations reasons, but where no significant damage would be done if the data were to be disseminated.
  • Examples of internal data include: many departmental memos, most meeting minutes, plans for future course offerings, etc.

Sensitive:

  • Most data covered by FERPA but not otherwise considered highly-sensitive is likely to be deemed sensitive.
  • Examples of sensitive data include: student identification numbers, student grades, student directory information, employee home phone numbers, passwords or password hashes for accounts with access only to internal or public data.

Highly-Sensitive:

  • Data covered by HIPAA, PCI-DSS, and the Maryland Personal Information Privacy Act (PIPA), among others, is likely to be deemed Highly-Sensitive.
  • Examples of highly-sensitive data include: Social Security numbers, Driver’s License numbers, Personal Health Information, passwords or password hashes for accounts with access to sensitive or highly-sensitive data, and customer payment card numbers or payment card authentication data.

Things to be aware of:

  • If you feel that the nature of a document is different from the default ‘Loyola University Maryland Internal Use Only,’ then you should apply the appropriate label at that time. 

Learn more about Microsoft 365 sensitivity labels.

Details

Article ID: 118118
Created: Mon 10/12/20 11:32 AM
Modified: Wed 2/24/21 10:13 AM