3.3.1 (L1) Ensure Information Protection sensitivity label policies are published

Information

Sensitivity labels enable organizations to classify and label content across Microsoft 365 based on its sensitivity and business impact. These labels can be applied manually by users or automatically based on the content. When applied, labels can automatically encrypt content, provide "Confidential" watermarks, restrict access, and offer various data protection features.

Labels can be scoped to data assets and containers:

- Files & other data assets in Microsoft 365, Fabric, Azure, AWS and other platforms
- Email messages sent from all versions of Outlook
- Meeting calendar events and schedules in Outlook and Teams
- Teams, Microsoft 365 Groups and SharePoint sites

Consistent usage of sensitivity labels can help reduce the risk of data loss or exposure and enable more effective incident response if a breach does occur. They can also help organizations comply with regulatory requirements and provide visibility and control over sensitive information.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

To remediate using the UI:

- Navigate to the Microsoft Purview compliance portal: https://purview.microsoft.com/

- Select Information protection > Sensitivity labels
- Click Create a label to define a new label.
- Click Publish labels and select the newly created labels to publish, according to the organization's information protection needs.

Impact:

Encryption configurations (control access, DKE, BYOK) in the individual labels may affect users' ability to access site documents and information. Review each sensitivity label's configuration carefully before applying an auto-labeling policy, publishing policy, sensitivity label configuration, or PowerShell-based label settings to SharePoint sites.

Additionally, when updating or deleting sensitivity labels, assess the potential impact first to avoid unintended consequences. If the tenant is configured for sharing with guests or external domains and sensitivity labels apply encryption, this can affect the ability to share documents stored in SharePoint via email. Some recipients may be unable to open the document depending on their email client, which could trigger Purview Advanced Encryption and OME flows based on the recipient type and the cloud license from which the email is sent (e.g., government clouds vs. commercial clouds).
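Because Nessus does not perform this check, the following is an added example (not part of the benchmark's audit text or the plugin) of verifying it from Security & Compliance PowerShell, and of listing which published labels apply encryption so the Impact considerations above can be reviewed. It assumes the ExchangeOnlineManagement module, and that Get-LabelPolicy output exposes Name, Enabled and Labels and Get-Label output exposes Name and EncryptionEnabled.

```powershell
# Added example: audit CIS 3.3.1 (sensitivity label policies are published).
# Assumes the ExchangeOnlineManagement module and the property names noted below.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession   # interactive sign-in to Security & Compliance PowerShell

function Test-SensitivityLabelPublishing {
    $policies = @(Get-LabelPolicy)   # assumed properties: Name, Enabled, Labels
    $labels   = @(Get-Label)         # assumed properties: Name, EncryptionEnabled

    # Treat a policy as "published" only if it is enabled and carries at least one label;
    # a disabled policy or one with an empty label list publishes nothing to users.
    $published = @($policies | Where-Object { $_.Enabled -and @($_.Labels).Count -gt 0 })

    # Labels that apply encryption deserve review before (re)publishing; see Impact.
    $encrypted = @($labels | Where-Object { $_.EncryptionEnabled } |
                  Select-Object -ExpandProperty Name)

    [pscustomobject]@{
        TotalPolicies     = $policies.Count
        PublishedPolicies = $published.Count
        Compliant         = ($published.Count -gt 0)
        PublishedNames    = @($published | Select-Object -ExpandProperty Name)
        EncryptedLabels   = $encrypted
    }
}

$check = Test-SensitivityLabelPublishing
$check | Format-List

if (-not $check.Compliant) {
    Write-Warning "3.3.1 FAIL: no enabled sensitivity label policy with labels was found."
} else {
    Write-Output "3.3.1 PASS: $($check.PublishedPolicies) published label policy/policies."
}

# Show, per published policy, the labels it publishes (label values are assumed to be
# names as returned by Get-LabelPolicy; they are printed as-is either way).
foreach ($p in (Get-LabelPolicy | Where-Object { $_.Enabled })) {
    Write-Output ("Policy '{0}' publishes: {1}" -f $p.Name, (@($p.Labels) -join ', '))
}

Disconnect-ExchangeOnline -Confirm:$false
```

Any label listed under EncryptedLabels that also appears in a published policy should have its access and guest-sharing settings confirmed before the policy is rolled out more widely.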

See Also

https://workbench.cisecurity.org/benchmarks/20006

Item Details

Category: RISK ASSESSMENT

References: 800-53|RA-2, CSCv7|13.1, CSCv7|14.6

Plugin: microsoft_azure

Control ID: d476977ea3306ddc03b035b89785b40ed4142d9238920daefd3d94dd30212620