Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
As you develop, revamp, or refine your data classification framework, consider the following leading practices:
- Don't expect to go from 0-100 on day 1: Microsoft recommends a crawl-walk-run approach, prioritizing features critical to the organization and mapping them against a timeline. Complete the first step, ensure it was successful, and then move on to the next phase applying lessons learned. Remember that your organization might still be exposed to risk while you design your data classification framework, so it's okay to start small with just a few classification levels and expand later as needed. 
- You're not just writing for cybersecurity professionals: Data classification frameworks are meant for a broad audience, including your average staff member, your legal and compliance teams, and your IT team. Write clear, easy-to-understand definitions for your data classification levels, providing real-world examples wherever possible. Try to avoid jargon and consider a glossary for acronyms and highly technical terms. For example, use 'Personally Identifiable Information' and provide a definition instead of simply saying 'PII'. 
- Data classification frameworks are meant to be implemented: For data classification frameworks to be successful, they must be implemented. This point is especially relevant when crafting the control requirements for each data classification level. Make sure requirements are clearly defined and that they anticipate and address any ambiguity that might arise during implementation. For example, if you have a control around Personally Identifiable Information, make sure to spell out exactly what that control means, such as Social Security or passport number. 
- Only go granular if you need to: Data classification frameworks typically contain anywhere from three to five data classification levels. But just because you can include five levels doesn't mean you should. Consider the following criteria when deciding on the number of classification levels you need: - Your industry and your associated regulatory obligations (highly regulated industries tend to need more classification levels)
- The operational overhead required to maintain a more complex framework
- Your users and their ability to comply with the increased complexity and nuance associated with more classification levels
- User experience and accessibility when seeking to apply manual classification across multiple device types
 
- Get the right people involved: Having a senior stakeholder is critical for success, as many projects struggle to start or take longer without senior management backing. Information technology teams typically own data classification frameworks, but these frameworks might have legal, compliance, privacy, and change management implications. To ensure you're creating a framework that helps protect your business, include privacy and legal stakeholders such as your Chief Privacy Officer and the Office of General Counsel in the development of your policy. If your organization has a Compliance division, information governance professionals, or a records management team, they might also have valuable input. As your framework rolls out to the business, your Communications department also has a key role to play for internal messaging and adoption. 
- Balance security against convenience: A common mistake is to draft a secure but overly restrictive data classification framework. This framework might be designed with security in mind but is often difficult to implement in practice. If users need to follow complex, rigid, and time-consuming procedures to apply the framework in their daily lives, there's always a risk that they might stop following procedures because they no longer believe in its value. This risk exists at all levels of the organization, including executive-level (C-suite) managers within the organization. A good balance of security against convenience alongside easy-to-use tools usually leads to wider user adoption and use. If there are gaps in your framework, don't wait until everything is perfect to start implementation. Instead, assess the risk or gap, create a plan to mitigate it, and continue moving forward. Remember that information protection is a journey, it's not something that is activated overnight and then done. Plan, implement some capabilities, confirm success, and iterate to the next milestone as tools evolve and users gain maturity and experience. 
Also keep in mind that a data classification framework only addresses what your organization should do to protect sensitive data. Data classification frameworks are often accompanied by data handling rules or guidelines that define how to put these policies in place from a technical and technology perspective. In the following sections, we turn to some practical guidance on how to take your data classification framework from a policy document to a fully implemented and actionable initiative.
Pain points in creating a data classification framework
Data classification efforts touch nearly every business function within an enterprise. Because of this broad scope and the complexity of managing content in modern digital environments, companies often face challenges in knowing where to start, how to manage a successful implementation, and how to measure their progress. Common pain points often include:
- Designing a robust and easy-to-understand data classification framework, including determining classification levels and associated security controls.
- Developing an implementation plan that includes confirming the appropriate technology solution, aligning the plan to existing business processes, and identifying impact to the workforce.
- Setting up a data classification framework within the chosen technology solution and addressing any gaps between the technology capabilities of the tool and the framework itself.
- Establishing a governance structure that oversees the ongoing maintenance and health of data classification efforts.
- Identifying specific key performance indicators (KPIs) to monitor and measure progress.
- Increasing awareness and understanding of data classification policies, why they're important, and how to comply with them.
- Complying with internal audit reviews that target data loss and cybersecurity controls.
- Training and engaging users so that they become mindful of the need for correct classification in their daily work and apply the right classification measures.
Change management and training
Organizations today use tools such as Microsoft 365 to implement their data classification framework. The purpose is to try to automate the classification of data and not increase the burden on your workforce. This structure doesn't mean that your organization has no responsibility to increase awareness of the need to manage content and protect the organization from the risks discussed in this paper. The leading practice continues to be to conduct awareness training across the organization as part of the annual training schedule. Our experience shows that putting robust and comprehensive effort into training your users, who are the key audience performing this work, increases their 'buy-in' to the effort and can increase adoption and quality. Adding label recommendations and in-app tips can amplify these efforts. This training doesn't need to be an extensive standalone course. Your organization can incorporate it into other regular training such as your information security annual training and then include an overview of data classification levels and definitions. The main point is that your workforce understands that even though the tool is automating the classifying of data, that doesn't eliminate each user's overall responsibility for protecting the data in accordance with your company policy.
In addition, you should consider more in-depth training for IT and information security teams to reinforce operational readiness. The teams that manage the tool and the data classification framework must be on the same page. This coordination might require you to invest in a more robust training schedule that might be more often than annually. Investment in more frequent training represents another avenue to reduce risk to your organization. This team is responsible for the implementation and therefore could be a point of failure if not trained on the tool and the policy.
If you need to manually tag content in the tool, developing a group of super-users that receive more advanced training is appropriate. These super users engage in situations where users are required to manually tag documents with data sensitivity labels and have a deep understanding of your organization's data classification framework and regulatory requirements.
Finally, your leadership should prioritize the championing of information security behaviors to reinforce to the workforce the importance of risk management initiatives. These behaviors include developing and implementing a robust data classification framework and assigning key leaders to promote the initiative, sometimes referred to as ambassadors or champions of the change.
Governance and maintenance
After you develop and implement your data classification framework, ongoing governance and maintenance are critical to your success. In addition to tracking how sensitivity labels are used in practice, you need to update your control requirements based on changes in regulations, cybersecurity leading practices, and the nature of the content you manage. Governance and maintenance efforts might include:
- Establishing a governance body dedicated to data classification or adding a data classification responsibility to the charter of an existing information security body.
- Defining roles and responsibilities for users overseeing data classification.
- Establishing KPIs to monitor and measure progress.
- Tracking cybersecurity leading practices and regulatory changes.
- Developing standard operating procedures that support and enforce a data classification framework.
Industry considerations
While the basic principles for developing a strong data classification framework are universal, the details of your framework depend on the nature of your industry and the unique compliance and security factors your data demands.
For example, financial services firms might need to consider compliance with several regulatory frameworks depending on the scope of their business and the regions in which they operate. Securities firms in the United States must conform to account regulations like SEC Rule 17a-4(f) or FINRA Rule 4511 which address requirements around the security and retention of books and records. Similarly, firms operating in the United Kingdom need to consider FCA compliance.
Government agencies face various regulations governing their data, which vary based on territory and the nature of their work. In the United States, for instance, government agencies and their agents that access federal tax information (FTI) are subject to IRS 1075, which aims to minimize the risk of loss, breach, or misuse of federal tax information.
While financial services firms and government agencies are among the most heavily regulated organizations in the world, most businesses have industry-specific considerations that you need to consider. Some examples include:
- Health industry organizations ensuring compliance with HIPAA.
- Education institutions, from K-12 schools to universities, managing FERPA compliance.
- Drug manufacturers working to comply with GxP guidelines in their country or region around information security.
- Media, retail, and many other companies dealing with GDPR compliance.
- Delivery and storage of entertainment, software, and information content dealing with CDSA.
- Energy industry information security complying with NERC CIP standard.
Implement your data classification framework in Microsoft 365
After you develop your data classification framework, implement it. The Microsoft Purview portal enables administrators to discover, classify, review, and monitor their data according to their data classification framework. Use sensitivity labels to protect your data by enforcing protections like encryption and content marking. You can apply sensitivity labels to data manually, by default based on policy settings, or automatically when a condition such as identified PII is met.
For smaller organizations or organizations with a streamlined data classification framework, creating a single sensitivity label for each data classification level might be enough. The following example shows a one-to-one data classification level to sensitivity label mapping:
| Classification label | Sensitivity label | Label settings | Published to | 
|---|---|---|---|
| Unrestricted | Unrestricted | Apply 'Unrestricted' footer | All users | 
| General | General | Apply 'General' footer | All users | 
Tip
During a Microsoft internal information protection pilot, users had difficulty understanding and using the 'Personal' label. They were confused about whether this label referred to PII or to a personal matter. To make the label clearer, change it to 'non-business'. This example shows that taxonomy doesn't need to be perfect from the start. Start with what you think is right, pilot it, and adjust the label based on feedback if needed.
For larger organizations with a global reach or more complex information security needs, you might find this one-to-one relationship between the number of classification levels in your policy and the number of sensitivity labels in your Microsoft 365 environment to be a challenge. This challenge is especially true in global organizations where a given data classification level such as 'Restricted' might have a different definition or different set of controls depending on region.
For more information on implementation, see Understand data classification and Learn about sensitivity labels.