I am regularly asked whether I have a baseline for Sensitivity labels. Although this depends very much on your needs and requirements, I use a set for demo purposes which can help you kick-start your content classification.
An important thing to keep in mind with Sensitivity labels is that proper naming and descriptions are key. End users rely on the label name and description to determine which classification they need to choose. So, choose wisely when implementing this!
A couple of recommendations on naming the labels and writing the descriptions: ensure the label has a clear name which is part of the organizational terminology. The description can be separated into an explanation and examples of content which reflect the classification.
The following list highlights examples of a Sensitivity classification:
- Internal, General, Business Use Only
- Secret, Highly Confidential
Adding some more context to each classification explains what the classification means and where to apply it.
The public classification label applies to information that is available to the general public and intended for distribution outside an organization. This information may be freely distributed without risk of harm. Information that is produced for public consumption, such as news releases, job announcements, and sales brochures, is a good example.
The “business use only” classification label applies to information that is used in business processes, and the unauthorized disclosure, modification or destruction of which is not expected to seriously affect the organization, customers, employees or business partners. Information that is used in routine business matters, such as internal policy manuals and company phone lists, is a good example.
The confidential classification label applies to information that is used in sensitive business processes, and the unauthorized disclosure, modification or destruction of which will adversely affect an organization, its customers, employees or business partners. Examples of sensitive information include intellectual property, contract negotiations, most personnel matters, personally identifiable information, protected health data, bank account numbers and payment card information of customers and employees.
The “Leadership Team” label can be used as a subset of “Confidential”; see image above.
The leadership team classification label applies to information that is used by the leadership team only. Examples of sensitive information include management reports, strategic plans, litigation and more.
The confidential classification label applies to information that is used in extremely sensitive business processes, the unauthorized disclosure, modification or destruction of which would seriously harm the organization, its customers, employees or business partners. Examples for health organizations include medical records relating to mental health, sexually transmitted diseases, HIV testing and substance abuse. Examples for other organizations include documents used in mergers, strategic plans and litigation.