Information security and data loss prevention are vital to protecting your valuable business data. The team at CompanyNet are experts in best practice around Microsoft Information Protection, compliance, retention and sensitivity labelling.
Here, we’ll explain what retention policies and retention labels are, and how they can help your business. We will also describe sensitivity labels and how you can use them to reduce risk around your most valuable business data.
What are retention policies?
Retention policies are a tool to help you comply with industry regulations and internal policies that require content to be retained for a minimum period of time. They reduce risk in the event of litigation or a security breach and ensure users only work with content relevant to them.
What are sensitivity labels?
Sensitivity labels are a tool to help protect emails or documents which contain restricted content. They can add watermarks, headers or footers to content, encrypt content and enable its monitoring. In Office 365, they often appear as tags on documents and emails.
Microsoft 365 Retention Policy
Retention policies in Microsoft 365 ensure that your organisation is proactively adhering to regulations and retaining content for a required minimum period of time. This time limit may be set by an industry body or regulator within your sector, or be self-imposed by your own internal requirements.
Retention policies in Microsoft 365 help you achieve a number of goals. They reduce your legal exposure if litigation is brought against your organisation, and reduce your risk if you are involved in a security breach. They also help your organization to share knowledge more effectively and be more agile, by ensuring that your users are working only with information that’s current and relevant to their jobs.
Ultimately, retention policies in Microsoft 365 and Office 365 perform two very simple tasks in order to manage your content:
By enforcing the retention of data that you are legally required to retain, and permanently deleting old content that you’re no longer required to keep, retention policies help take the human element out of information management, automating tasks that would otherwise be very difficult for your staff to keep on top of.
Benefits of retention policies with Microsoft 365
What’s the end-state vision of an organisation protected by retention policies? Key benefits of Microsoft 365 Retention Policies include:
Retention and deletion policies help you keep on top of your data costs, too. Keeping huge amounts of ‘Redundant, Obsolete and Trivial’ information – also known as ‘ROT’ – can cost your business, in terms of storage, management, compliance, and search and discovery capabilities. By ensuring the correct deletion of information you no longer need, you will not only be protecting your organisation, but saving it money.
How to apply retention in Office 365
There are two main routes to Retention and Deletion of information in Office 365. They are not designed to be used in isolation – typically, your information protection scheme would make use of both.
Both of these perofrm the same actions: retaining content so that it can’t be permanently deleted before the end of the retention period, and deleting content permanently. One of or both actions can be performed by a single policy or a label.
How does retention work in Microsoft 365?
When content is subject to a retention policy, people can continue to edit and work with the content as if nothing has changed because the content is retained in place, in its original location. But when someone edits or deletes content that’s subject to the policy, a separate copy is automatically saved to a secure location – known as the Preservation Hold Library – where it is retained while the policy is in effect.
Shortly after the retention period comes to an end – usually about a week later – any copies of the document are automatically and permanently deleted. If no deletion policy is in place, the file will remain in place, but users can now delete it permanently without a preservation copy being made.
The precedence of retention and deletion policies in Office 365 is as follows: retention always wins over deletion; the longest retention policy wins; explicit inclusion wins over implicit inclusion, and finally the shortest deletion period wins.
In practical terms, this means if a document is in a position where two policies are applied to it – “retain for 5 years” and “delete after 3 months”, it will be retained for 5 years. If it is subject only to “delete after 3 months” and “delete after 5 years”, it will be deleted after 3 months.
Creating retention policies in Office 365
Until recently, there was a combined ‘Office 365 Security and Compliance Center’. However, this has now been split into two separate destinations: the Microsoft 365 Security Center and the Microsoft 365 Compliance Center. Retention labels are available in both; retention policies can only be found in the Compliance Center.
Retention policies and retention labels are not available to everyone in Office 365; you have to be licensed correctly. For a feature like auto-labelling, for instance, all users who can edit a file would require an Office 365 E5 enterprise licence.
Microsoft 365 Sensitivity Labels
Discover Sensitivity Labels in Microsoft 365 – a powerful way to ensure that your critical organisational information remains secure and well-managed in a world where sharing is the norm – without impacting business efficiency.
Part of the Microsoft Information Protection suite, sensitivity labels are available with certain Office 365 licenses.
Sensitivity labels are a key feature in the Microsoft 365 Information Security suite. In short, they mark up content – such as documents and emails – in a way that makes users aware of the need to protect the information. They can also be used to encrypt that content, and to monitor it once labelled.
A document or email that has had a Microsoft 365 Sensitivity Label applied may have a ‘watermark’ across it, or a header or footer stating the security level. Labels are persistent – in that they remain attached to your content – meaning you can be sure they are still working even if a document leaves your organisation.
Sensitivity labels form part of the Microsoft Information Protection toolset for Microsoft 365 and Office 365. They are distinct from retention labels – any given document can have one sensitivity label and one retention label.
Why use sensitivty labels in Office 365?
It’s a simple fact that users in your organisation need to collaborate with others, both internally and externally. Furthermore, collaboration technology has made it easier than ever to share information. But not all information should be shared.
Protecting your critical business information should be a priority, but relying on people not to share information is not the best approach. Whether by accident, through ignorance, or through malicious intent, sensitive information has a habit of getting shared. Microsoft 365 Sensitivity Labels are a software solution to this challenge which let you manage your corporate information with ease.
Best of all, sensitivity labels are designed not to get in the way of your work, ensuring you can protect your information without any impact on productivity.
Applying sensitivity labels in Office 365
When you apply a sensitivity label in Microsoft 365, your content – such as a document or email – will have that label’s security properties applied to it. This could simply be a watermark, a header or a footer, or it could be advanced file encryption.
Sensitivity labels can be applied directly from within Office 365 apps such as Word, PowerPoint, Excel and Outlook. They can also be applied automatically by Microsoft 365 – such as if you save a document in a document library in SharePoint, Microsoft Teams or OneDrive which is set up to apply a particular label. This is also the case for sites and groups across Office 365, which can have a default label applied to any files stored there.
Furthermore, Office 365 can detect sensitive content using artificial intelligence and pattern matching. For example, you could have it set up to automatically apply a label to any document containing passport numbers, UK National Insurance numbers, or credit card numbers. This proactively prevents users from accidentally sharing personal data with the outside world, or even with different units within your own organisation.
It’s important to note that a label can be created that prevents users from downgrading it to a lower sensitivity level. So if a ‘high sensitivity’ label is applied, it may require the user to provide justification for reducing the sensitivity level, or prevent them from doing so altogether.
Creating and managing sensitivity labels in Office 365
Sensitivity labels in Office 365 are created and managed from the Microsoft 365 Compliance Center or the Microsoft 365 Security Center.
Setting up sensitivity labels is simply a matter of entering a name for your label, choosing who it will apply to, what kind of content marking you wish to apply, and what restrictions the label will impose. You can then publish the label, and it will become available for use to colleagues across your organisation, or to the subset of users you specified.
If you delete a sensitivity label altogether, it will not be removed from documents where it has already been applied. Office 365 will enforce any existing sensitivity labels that have been applied to documents, even if the label is no longer available for marking new documents.
Some more advanced actions around sensitivity labels, such as implementing Microsoft Azure Information Protection (AIP) Scanner can only be done from Microsoft Azure. There are also instances where creating sensitivity labels using Microsoft Azure can result in improved performance. CompanyNet’s subject matter experts are happy to advise customers on which approach will be most effective for their organisation’s requirements.
Licensing and Microsoft 365 sensitivity labels
Whether you can use this feature is governed by your Microsoft 365 or Office 365 licensing. In order to use sensitivity labels, you must be paying for the correct licence. Note that you may be able to access the feature even if you are not licensed for it – it is up to you to ensure you are legally compliant. If you use it without licensing, and are subsequently audited, you could find yourself being billed for unexpected costs (or worse).
If you have concerns about your Office 365 or Microsoft 365 licensing, the team at CompanyNet is happy to help. We know it is one of the trickiest areas to navigate; our licensing experts have not only helped our customers understand and optimise their licensing, but have saved businesses significant amounts of money on licenses they did not need.
Get in touch
We know Information Security in Microsoft 365 is a challenging topic. That’s where CompanyNet can help your organisation. We have plenty of experience implementing information protection for organisations of all sizes – from household names and public sector organisations to small businesses.
Our subject matter experts have in-depth, up-to-date specialist knowledge of sensitivty labels and retention policies, as well as the wider Office 365 / Microsoft 365 field. We can help you master information security in Office 365.
If you’d like to discuss your requirements, drop us a line – we’d be happy to see how we can help.