This article is provided as part of the Australian Government Information Protection Guide and is intended to help organizations to navigate the range of scenarios and configuration options explored in the guide. The stages and capabilities listed in this model show best practice in terms of basic (level 1) compliance configuration, as well as showing the opportunities available to increase maturity towards levels 2 and 3.
Microsoft Purview configurations in this model align as closely as possible with requirements of the Protective Security Policy Framework (PSPF) and Information Security Manual (ISM). As organizations move through maturity levels, their ability to protect data increases along with their conformance with these Australian Government frameworks.
Maturity Level 1
Maturity level 1 establishes the foundational capabilities of sensitivity labeling and Data Loss Prevention (DLP). It ensures that items are marked appropriately so that classifications are consistent with those applied by other government organizations. It includes DLP controls to protect security classified and otherwise sensitive information, and auto-labeling configurations to ensure that classifications placed on items received from external government organizations are maintained, along with the relevant data security controls.
Level 1 - Sensitivity Labels
Capability | Sections |
---|---|
A sensitivity label taxonomy that includes all required classifications (for example, UNOFFICIAL, OFFICIAL, etc.) | Sensitivity label taxonomy |
Sensitivity Label content markings | Sensitivity label content marking |
Sensitivity label policy configuration that includes mandatory labeling and label change justification | Label policy settings |
Sensitivity label more info URL published with learning and self-help material | Custom help page |
Level 1 - Data Loss Prevention
Capability | Sections |
---|---|
DLP policies applying protective markings (subject and x-headers) to email | Email marking strategies |
DLP policies protecting security classified items (OFFICIAL: Sensitive and above) | Preventing inappropriate distribution of security classified information |
DLP policies protecting sensitive information (health, personal data, financial, etc.) | Preventing inappropriate distribution of sensitive information |
Enablement of DLP Analytics | Continuous DLP policy improvement via DLP Analytics |
Level 1 - Autolabeling
Capability | Sections |
---|---|
Autolabeling of email during transport based on PSPF markings (x-header and subject) | Labeling of email during transport |
Label recommendations when protective markings are detected | Recommendations based on external agency markings |
Level 1 - Insider Risk Management
Capability | Sections |
---|---|
Enablement of Insider Risk Management Analytics | [Insider Risk Management Analytics Insights](pspf-insider-risk.md#Insider Risk Management-analytics-insights) |
Maturity Level 2
Maturity level 2 builds on level 1 capabilities. It extends sensitivity label capabilities to sites, teams, and meetings. Level 2 requires some business analysis in terms of data classification, as it introduces organization-specific considerations to DLP and auto-labeling. It includes DLP policies to help prevent data spills and Insider Risk Management configuration to monitor for risky user activity.
Level 2 - Sensitivity Labels
Capability | Sections |
---|---|
Meeting and calendar item sensitivity label scope | Sensitivity labeling for calendar items and Teams meetings |
Groups and Sites label settings configured | Sensitivity Label Groups and sites configuration |
Level 2 - Data Classification
Capability | Sections |
---|---|
Identification of organization-specific sensitive information through custom Sensitive Information Types (SITs) | Custom Sensitive Information Types |
Investigation of existing classifier success in matching organization-specific information | Trainable Classifiers |
Level 2 - Data Loss Prevention
Capability | Sections |
---|---|
DLP policies preventing data spill (higher than permitted classifications) | Blocking transmission of nonpermitted classifications |
DLP policies protecting organization-specific sensitive information | Controlling sharing of sensitive information through DLP |
Inclusion of advanced classifiers in DLP policy conditions to reduce false positives | Utilizing DLP policy templates for controlling email of sensitive information; Named entity sensitive information types |
Level 2 - Autolabeling
Capability | Sections |
---|---|
Label recommendations provided to users when sensitive information is detected | Recommending labels based on sensitive content detection |
Automatic labeling of files at rest in SharePoint and OneDrive locations | Labeling existing items at rest |
Level 2 - Insider Risk Management
Capability | Sections |
---|---|
Enablement of policies aligning with priority DLP (for example, exfiltration of security classified items) | [Insider Risk Management Scenario 1: Attempted exfiltration](pspf-insider-risk.md#Insider Risk Management-scenario-1-attempted-exfiltration) |
Enablement of policies prioritizing classified items | [Insider Risk Management Scenario 2: Malicious label downgrade](pspf-insider-risk.md#Insider Risk Management-scenario-2-malicious-label-downgrade) |
Maturity Level 3
Level 3 expands sensitivity labeling coverage to legacy items and introduces label-based encryption to boost data protection. It also introduces several more advanced data classification techniques and works towards application of security classifications to the entire data estate. It includes automatic mitigation of malicious insider activities via Adaptive Protection.
Level 3 - Sensitivity Labels
Capability | Sections |
---|---|
Application of labels to legacy locations | View and manage sensitivity labels in the SharePoint admin center |
Enablement of item encryption to protect classified items against unauthorized access | Sensitivity label encryption for Australian Government |
Level 3 - Data Classification
Capability | Sections |
---|---|
Enablement of Exact Data Match and/or document fingerprinting | Exact data match sensitive information types; Document fingerprinting |
Enablement of OCR capabilities to enable DLP for images and scanned items | Optical Character Recognition |
Level 3 - Data Loss Prevention
Capability | Sections |
---|---|
DLP policies to identify and protect email with lowered classifications | Protecting items with lowered classifications |
Extension of DLP capabilities to Endpoint DLP and Defender for Cloud Apps | Preventing the upload of security classified items to unmanaged locations; Preventing copying or printing of security classified items |
Level 3 - Autolabeling
Capability | Sections |
---|---|
Automatic labeling of items with legacy classifications | Recommendations based on historical markings; Autolabeling items with historical classifications |
Automatic labeling of items marked via document properties | Identifying sensitive information via document property |
Automatic labeling of cold data | On-demand classification (preview) |
Automatic labeling of email generated from calendar items, based on paragraph markings | Recommending labels based on paragraph markings |
Level 3 - Insider Risk Management
Capability | Sections |
---|---|
Configuration of adaptive protection to automatically restrict high risk users | Adaptive Protection |