How to Troubleshoot Apps for the Modern Connected Worker
Securing Business-Information from Microsoft -Presented by Atidan
1. Work Smart
Securing Business Information
Overview
All forms of information, including ideas and concepts, have potential business value.
Whether you are exchanging emails, sharing documents, or having a phone conversation, it
is your responsibility to help protect confidential information from any unauthorized
disclosure. This Work Smart Guide provides an overview on how to properly classify
business information and understand the technology solutions used to help protect your
information before you transmit, share, store, or destroy it.
Recommended reading
This Work Smart Guide provides the foundational knowledge for securing your data. Other
guides are available to teach you how to help protect your information. For detailed step-
by-step guidance, review the documents listed under the Work Smart link in the For More
Information section of this guide.
Topics in this guide include:
Classifying your
information
Protecting your
information
Classification and
data dissemination
guidelines
Decision tree:
Securing your
information
Recommended
security practices
For more information
2. Powered by Instant.ly
2 | Securing Business Information Overview
Classifying your information
Determining information classification
At Microsoft, all forms of information, including ideas and concepts, have potential business
value. Whether you are exchanging emails, sharing documents, or having a phone
conversation, it is your responsibility to help protect confidential information from any
unauthorized disclosure. This Work Smart Guide details how to properly classify business
information and understand the technology solutions used to help protect your
information before you transmit, share, store, or destroy it.
Information is classified into three areas:HighBusinessImpact(HBI),
ModerateBusinessImpact(MBI),andLowBusinessImpact (LBI).
Table 1: Information Classification
HBI
High Business Impact
HBI applies to any information including emails, documents, messages and
phone conversations that, if disclosed without authorization, could result in
immediate, direct or considerable impact to Microsoft, the information
owner and customers. HBI information should only be shared with those on
a “need-to-know” basis. HBI includes Highly Sensitive Personally Identifiable
Information (HSPII).
MBI
Medium Business Impact
MBI applies to information that, if disclosed, could cause indirect, limited
impact to Microsoft, the asset’s owner and valued customers. MBI
information should only be accessible to those people who have a
legitimate business need to view the information. MBI includes Personally
Identifiable Information (PII).
LBI
Low Business Impact
LBI classification applies to information assets that, if disclosed without
authorization, could cause limited, or no material loss to Microsoft, the asset
owner, or relying parties.
Important:Youare responsible for classifying your information accurately. Therefore, in the
following sections, be aware that the examples of HBI, MBI, and LBI data could have more
restrictive classification levels, depending on how sensitive a specific asset’s owner deems the
content.
3. Powered by Instant.ly
3 | Securing Business Information Overview
How to classify your information
Below is table of guidelines that you may use to determine your data's classification level.
Data includes the following info: HBI MBI LBI
Email Address
X
Social Security Number
X
Documents regarding process or procedure
X
Private cryptographic keys
X
Username and Passwords
X
Publicly accessible information X
Company trade secrets
X
Financial information related to revenue
generation
X
List of Phone Numbers
X
Employee Zip Codes X
Numeric ID sequences / PINs
X
Note:
• Use the most restrictive classification if data falls into more than one classification level or if you are unsure
of its classification.
• Treat information as HBI if it does not have a classification, but is marked or “confidential.”
Important:
• It is your responsibility to understand the business value of your information and to apply the correct
classification and protection.
• Remove HBI or MBI information from your computer before retiring it or sending it offsite for repairs.
• Remember to check your company policies as their classification levels may vary from the examples
provided in the table above.
4. Powered by Instant.ly
4 | Securing Business Information Overview
Protecting your information
Now that you know how to classify your information, you will learn what tools are available
to ensure that your data is protected when it is sent, shared, stored, backed up, or deleted.
There are four main technologies which Microsoft uses to help protect information. These
services include: Information Rights Management (IRM) - an Office feature of Rights
Management Services (RMS), Secure/Multipurpose Internet Mail Extensions (S/MIME),
BitLocker Drive Encryption, and Encrypted File System (EFS). Thankfully, these tools are
simple to use. A few clicks within Office, Outlook, or SharePoint and you can protect your
data according to the appropriate classification.
Listed below are the definitions of each technology and the data it protects. For more
information about each solution, click the named hyperlink.
IRM Enables you to apply specific access permissions to documents, workbooks, and
presentations to prevent unauthorized forwarding, printing, or copying; and to set expiration
dates after which files no longer are available.
S/MIMEEnables you to encrypt and/or digitally sign your email messages. Encrypting your
messages converts data with a cipher text so that only people who you specify can read it.
Digitally signing an email message helps ensure that no tampering occurs while your message
and its attachments are in transit.
BitLocker BitLocker Drive Encryption protects data on your computer by preventing
unauthorized access to the hard disk drive or removable media by applying full disk
encryption.
EFS If your computer is not BitLocker compatible, EFS can encrypt your files and folders by
using a certificate that Microsoft issues after you join your computer to the corporate domain.
EFS requires that other people enter the appropriate decryption key before they can access the
encrypted content. EFS is not a recommended protection method for Microsoft hard drives.
The following table provides guidelines on which preferred technology that you should use
to encrypt HBI or MBI information that you will transmit, share, or store on your computer:
Table 3: Protecting your information
Data includes the following info:
IRM S/MIME EFS BitLocker
Transmit with internal email
Preferred solution Acceptable
solution
N/A N/A
Transmit with external email
Works only with other
federated RMS
organizations
Preferred
solution
N/A N/A
Share by using SharePoint Online (for tenant
administrators and not site owners or users.)
Preferred solution N/A N/A N/A
Storing on computer
Acceptable solution
with BitLocker
N/A Acceptable with
BitLocker
Required
solution
Storing on computer (Vista or older OS)
Preferred solution N/A Acceptable
solution
Storing on removable mediaBitLocker to Go
Acceptable solution N/A Acceptable
solution
Preferred
solution
5. Powered by Instant.ly
5 | Securing Business Information Overview
Classification and data dissemination
guidelines
The following tables provide guidelines for how you should send, share, store, back up, and
dispose of information, depending on its classification:
Table 4. Classification and data dissemination guidelines
Subject HBI MBI LBI
Send data (via
file transfer or
email)
Requires asset owner approval to
forward, export, or copy.
Requires encryption for internal and
external delivery.
Requires encryption with S/MIME or IRM
for email.
Requires encryption for transfer
outside of organization.
Requires encryption with S/MIME for
email sent outside the corporate
network.
No special
requirements.
Share
(via O365
SharePoint
Online)
Use IRM to restrict forwarding, copying,
and printing.
Restrict permissions to those identified
by asset owner.
Requires formal agreement, which legal
approves, for third parties, such as
business partners.
Restricts permissions to those with
legitimate business needs only.
Requires formal agreement, which
legal approves, for third parties, such
as business partners.
No special
requirements.
Store
(server, PC, CD,
USB)
Requires encryption (BitLocker).
Allows storage on handheld devices only
if device supports strong encryption and
authentication security controls.
May require encryption (as determined
by the asset owner).
No special
requirements.
Back up
Performed only by authorized personnel
and stored only at a location approved
by IT Security.
Encrypt storage media.
Store in a physically secure location in
which backups are logged and access
is controlled and monitored.
No special
requirements.
Dispose of
Cross-shred or incinerate paper
documents.
Destroy tapes and other magnetic media.
Request that hard disk drives be
destroyed .
Follow your organization policies for the
appropriate disposal of retired hardware
and media.
Cross-shred or incinerate paper
documents.
Destroy tapes and other magnetic
media.
Remove data on hard disks that you
plan to reuse or retire.
Destroy inoperable hard disk drives.
No special
requirements.
6. Powered by Instant.ly
6 | Securing Business Information Overview
Decision tree: Securing your data
The decision tree below will help you understand the multiple considerations for sharing
any company information. The graphic includes the best solution to help protect your
information and the platform that should be used to share the information.
Figure 1: HBI decision tree
Figure 2: MBI decision tree
8. Powered by Instant.ly
8 | Securing Business Information Overview
Recommended security practices
Use the Microsoft Office System Document Inspector
If you plan to share an electronic copy of a Microsoft Word document with clients or
colleagues, it is a good idea to review the document for hidden data or personal
information that might be stored in the document itself or in the document properties
(metadata). Document Inspector is a built-in tool that can be used to scan your data before
sharing it with others. For more information on how to use Document Inspector, see:
Remove hidden data and personal information by inspecting documents.
Guard confidential information
Do not discuss confidential information in public places.
Beware of multiple network connections
Never concurrently connect your computer to your companies corporate network and the
Internet, or any other network that your company does not manage. This compromises
your company's network security.
Review list of group recipients
Think globally before posting any content. Before you send or reply to email, post to
Yammer, One Drive, or any another social website, or post data to SharePoint, make sure
that the information is appropriate for disclosure to everyone who has access to the email
or website.
Use Outlook Web Access
Use Outlook Web Access (OWA) to check your email from your home computer. Be careful
if you access corporate resources by using kiosks and other public locations, even though
OWA, as key strokes may be monitored if the public network does not have the correct
configuration.
Do not leave documents or presentations unattended
Remove all documents after meetings, and erase whiteboards.
Beware of posting on walls or bulletin boards
If your document is HBI, do not post it on hallway walls or bulletin boards.