Hello, first of all, thank you for this "quickstart guide". However, as someone who also has lots of experience with Purview and its integration, I have found some issues that I would recommend fixing. These refer to the Secure by Default Workbook.
- Sensitivity labels priority - on the Sensitivity Labels card, this is the recommended label priority for the Confidential and Highly Confidential sublabels:
  - All Employees
  - Specific People
  - Internal exception

  Based on my best practice, the revised label prio should be:
  - Internal exception
  - All Employees
  - Specific People

  This is because the Internal exception label does not apply any encryption. In the setup you recommend we would run into the risk of a user taking an encrypted file, for example Confidential - All Employees, and upgrading the label to Confidential - Internal exception. In this case, no alert would be fired, even though the employee would remove encryption from the file. The Internal exception label needs to have the lowest priority among the sublabels, so that if people wanted to change the label to this label, an alert would be fired, since most probably the encryption from the file would be removed.
- Bad DLP setup - on the Data Loss Prevention (DLP) card, I recommend changing the first DLP policy.
  In the current setup, the All Employees sublabel applies encryption in such a way that even if our employees sent out a document labeled as All Employees outside the organization, the external recipients wouldn't be able to decrypt and open the files. I cannot find any way in which this DLP policy would be useful (if there is a reason to have the policy, please let me know).

  I suggest rescoping this policy from the All Employees label to the Specific People label. The reason is that for the Specific People label, users can choose exactly who can decrypt the document, including external people. This DLP policy will directly block that, and employees will be able to give access only to specific internal people.
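
Added example, not part of the original post or the workbook: a small model of the label-priority point above, listing which sublabel changes strip encryption without counting as a downgrade under each ordering. It assumes, as the post describes, that only a move to a lower-priority label raises an alert; the function and variable names are hypothetical.

```python
from itertools import permutations

# Encryption behaviour of each sublabel, as described in the post.
ENCRYPTS = {
    "All Employees": True,
    "Specific People": True,
    "Internal exception": False,
}

# Sublabel orderings, lowest priority first.
WORKBOOK_ORDER = ["All Employees", "Specific People", "Internal exception"]
REVISED_ORDER = ["Internal exception", "All Employees", "Specific People"]


def is_downgrade(order, old, new):
    """Assumption: a change is a downgrade (and can alert) only when the
    new label sits lower in the priority order than the old one."""
    return order.index(new) < order.index(old)


def silent_encryption_removals(order):
    """Label changes that remove encryption but are not seen as downgrades."""
    return [
        (old, new)
        for old, new in permutations(order, 2)
        if ENCRYPTS[old] and not ENCRYPTS[new]
        and not is_downgrade(order, old, new)
    ]


if __name__ == "__main__":
    for name, order in (("workbook", WORKBOOK_ORDER), ("revised", REVISED_ORDER)):
        gaps = silent_encryption_removals(order)
        print(f"{name} order: {len(gaps)} silent encryption removal(s)")
        for old, new in gaps:
            print(f"  {old} -> {new}")
```
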