
Securing Business-Information from Microsoft -Presented by Atidan


Work Smart

Securing Business Information Overview

All forms of information, including ideas and concepts, have potential business value. Whether you are exchanging emails, sharing documents, or having a phone conversation, it is your responsibility to help protect confidential information from any unauthorized disclosure. This Work Smart Guide provides an overview on how to properly classify business information and understand the technology solutions used to help protect your information before you transmit, share, store, or destroy it.

Recommended reading

This Work Smart Guide provides the foundational knowledge for securing your data. Other guides are available to teach you how to help protect your information. For detailed step-by-step guidance, review the documents listed under the Work Smart link in the For More Information section of this guide.

Topics in this guide include:

• Classifying your information

• Protecting your information

• Classification and data dissemination guidelines

• Decision tree: Securing your information

• Recommended security practices

• For more information


Classifying your information

Determining information classification

At Microsoft, all forms of information, including ideas and concepts, have potential business value. Whether you are exchanging emails, sharing documents, or having a phone conversation, it is your responsibility to help protect confidential information from any unauthorized disclosure. This Work Smart Guide details how to properly classify business information and understand the technology solutions used to help protect your information before you transmit, share, store, or destroy it.

Information is classified into three areas: High Business Impact (HBI), Moderate Business Impact (MBI), and Low Business Impact (LBI).

Table 1: Information Classification

HBI (High Business Impact): HBI applies to any information including emails, documents, messages and phone conversations that, if disclosed without authorization, could result in immediate, direct or considerable impact to Microsoft, the information owner and customers. HBI information should only be shared with those on a “need-to-know” basis. HBI includes Highly Sensitive Personally Identifiable Information (HSPII).

MBI (Medium Business Impact): MBI applies to information that, if disclosed, could cause indirect, limited impact to Microsoft, the asset’s owner and valued customers. MBI information should only be accessible to those people who have a legitimate business need to view the information. MBI includes Personally Identifiable Information (PII).

LBI (Low Business Impact): LBI classification applies to information assets that, if disclosed without authorization, could cause limited, or no material loss to Microsoft, the asset owner, or relying parties.

Important: You are responsible for classifying your information accurately. Therefore, in the following sections, be aware that the examples of HBI, MBI, and LBI data could have more restrictive classification levels, depending on how sensitive a specific asset’s owner deems the content.


How to classify your information

Below is a table of guidelines that you may use to determine your data's classification level.

Data includes the following info: HBI MBI LBI

Email Address X

Social Security Number X

Documents regarding process or procedure

X

Private cryptographic keys X

Username and Passwords X

Publicly accessible information X

Company trade secrets X

Financial information related to revenue generation

X

List of Phone Numbers X

Employee Zip Codes X

Numeric ID sequences / PINs X

Note:

• Use the most restrictive classification if data falls into more than one classification level or if you are unsure of its classification.

• Treat information as HBI if it does not have a classification but is marked “confidential.”

Important:

• It is your responsibility to understand the business value of your information and to apply the correct classification and protection.

• Remove HBI or MBI information from your computer before retiring it or sending it offsite for repairs.

• Remember to check your company policies as their classification levels may vary from the examples provided in the table above.
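The two notes above amount to a small decision procedure: take the most restrictive level of anything the data contains, treat anything you cannot classify as the most restrictive level, and treat unclassified-but-confidential material as HBI. The following Python example, added here and not part of the guide, implements that procedure as a tagging routine you might run over records before they are sent or shared. The field-to-level mapping in `FIELD_LEVELS` is an assumption for illustration only (the extracted table above lost its column positions, and the guide itself says your organization's levels may differ); the sample records are constructed.

```python
"""Classify a record by the most restrictive level of any sensitive field it holds.

Illustrative implementation of the guide's classification notes:
  * if data falls into more than one level, the most restrictive level wins;
  * if you are unsure of a field's level, use the most restrictive level;
  * unclassified information that is marked confidential is treated as HBI.
The field-to-level mapping is an ASSUMPTION for illustration, not the guide's table.
"""
from enum import IntEnum
from typing import Iterable, Mapping, Optional


class Impact(IntEnum):
    # Ordered so that max() yields the most restrictive classification.
    LBI = 1
    MBI = 2
    HBI = 3


# Assumed mapping of the guide's example data kinds to levels (illustrative only).
FIELD_LEVELS = {
    "email_address": Impact.MBI,
    "phone_number": Impact.MBI,
    "zip_code": Impact.MBI,
    "social_security_number": Impact.HBI,
    "password": Impact.HBI,
    "private_key": Impact.HBI,
    "pin": Impact.HBI,
    "trade_secret": Impact.HBI,
    "revenue_financials": Impact.HBI,
    "process_document": Impact.LBI,
    "public_information": Impact.LBI,
}


def classify(fields: Iterable[str], marked_confidential: bool = False,
             unknown_field_level: Impact = Impact.HBI) -> Optional[Impact]:
    """Return the classification for a record described by its field names.

    Returns None when the record holds no recognised sensitive fields and is not
    marked confidential: the guide gives no default for that case, so the caller
    must decide (and the "when unsure, be restrictive" note suggests HBI).
    """
    levels = []
    for name in fields:
        level = FIELD_LEVELS.get(name)
        if level is None:
            # Unknown kind of data: the guide says to use the most restrictive level.
            level = unknown_field_level
        levels.append(level)
    if not levels:
        return Impact.HBI if marked_confidential else None
    # More than one level present: the most restrictive one wins.
    return max(levels)


def classify_record(record: Mapping[str, object],
                    marked_confidential: bool = False) -> Optional[Impact]:
    """Classify a dict-like record, ignoring fields whose value is empty."""
    present = [name for name, value in record.items() if value not in (None, "")]
    return classify(present, marked_confidential)


# Constructed sample records (not real data).
SAMPLE_RECORDS = [
    {"email_address": "a.user@example.com", "zip_code": "98052"},
    {"email_address": "a.user@example.com", "social_security_number": "000-00-0000"},
    {"process_document": "how-to-file-expenses.docx"},
    {"public_information": "press release", "favourite_colour": "blue"},
]

if __name__ == "__main__":
    for record in SAMPLE_RECORDS:
        level = classify_record(record)
        print(sorted(record), "->", level.name if level else "unclassified")
```

Because `Impact` is an `IntEnum`, the "most restrictive wins" rule is a single `max()`; adding a new level or renaming one only touches the enum. The unknown-field case in the fourth sample record (`favourite_colour`) is what pushes an otherwise public record to HBI, which is exactly the conservative behaviour the note asks for.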


Protecting your information

Now that you know how to classify your information, you will learn what tools are available to ensure that your data is protected when it is sent, shared, stored, backed up, or deleted.

There are four main technologies which Microsoft uses to help protect information. These services include: Information Rights Management (IRM) - an Office feature of Rights Management Services (RMS), Secure/Multipurpose Internet Mail Extensions (S/MIME), BitLocker Drive Encryption, and Encrypted File System (EFS). Thankfully, these tools are simple to use. A few clicks within Office, Outlook, or SharePoint and you can protect your data according to the appropriate classification.

Listed below are the definitions of each technology and the data it protects. For more information about each solution, click the named hyperlink.

IRM: Enables you to apply specific access permissions to documents, workbooks, and presentations to prevent unauthorized forwarding, printing, or copying; and to set expiration dates after which files are no longer available.

S/MIME: Enables you to encrypt and/or digitally sign your email messages. Encrypting a message converts its readable content into ciphertext so that only the people you specify can read it. Digitally signing an email message helps ensure that no tampering occurs while your message and its attachments are in transit.

BitLocker: BitLocker Drive Encryption protects data on your computer by preventing unauthorized access to the hard disk drive or removable media by applying full disk encryption.

EFS: If your computer is not BitLocker compatible, EFS can encrypt your files and folders by using a certificate that Microsoft issues after you join your computer to the corporate domain. EFS requires that other people hold the appropriate decryption key before they can access the encrypted content. EFS is not a recommended protection method for Microsoft hard drives.

The following table provides guidelines on which technology you should prefer to encrypt HBI or MBI information that you will transmit, share, or store on your computer:

Table 3: Protecting your information

| Scenario | IRM | S/MIME | EFS | BitLocker |
| --- | --- | --- | --- | --- |
| Transmit with internal email | Preferred solution | Acceptable solution | N/A | N/A |
| Transmit with external email | Works only with other federated RMS organizations | Preferred solution | N/A | N/A |
| Share by using SharePoint Online (for tenant administrators and not site owners or users) | Preferred solution | N/A | N/A | N/A |
| Storing on computer | Acceptable solution with BitLocker | N/A | Acceptable with BitLocker | Required solution |
| Storing on computer (Vista or older OS) | Preferred solution | N/A | Acceptable solution | |
| Storing on removable media (BitLocker to Go) | Acceptable solution | N/A | Acceptable solution | Preferred solution |

Classification and data dissemination guidelines

The following tables provide guidelines for how you should send, share, store, back up, and dispose of information, depending on its classification:

Table 4. Classification and data dissemination guidelines

Send data (via file transfer or email)

• HBI: Requires asset owner approval to forward, export, or copy. Requires encryption for internal and external delivery. Requires encryption with S/MIME or IRM for email.

• MBI: Requires encryption for transfer outside of the organization. Requires encryption with S/MIME for email sent outside the corporate network.

• LBI: No special requirements.

Share (via O365 SharePoint Online)

• HBI: Use IRM to restrict forwarding, copying, and printing. Restrict permissions to those identified by the asset owner. Requires a formal agreement, which legal approves, for third parties such as business partners.

• MBI: Restrict permissions to those with legitimate business needs only. Requires a formal agreement, which legal approves, for third parties such as business partners.

• LBI: No special requirements.

Store (server, PC, CD, USB)

• HBI: Requires encryption (BitLocker). Allows storage on handheld devices only if the device supports strong encryption and authentication security controls.

• MBI: May require encryption (as determined by the asset owner).

• LBI: No special requirements.

Back up

• HBI: Performed only by authorized personnel and stored only at a location approved by IT Security. Encrypt storage media.

• MBI: Store in a physically secure location in which backups are logged and access is controlled and monitored.

• LBI: No special requirements.

Dispose of

• HBI: Cross-shred or incinerate paper documents. Destroy tapes and other magnetic media. Request that hard disk drives be destroyed. Follow your organization's policies for the appropriate disposal of retired hardware and media.

• MBI: Cross-shred or incinerate paper documents. Destroy tapes and other magnetic media. Remove data on hard disks that you plan to reuse or retire. Destroy inoperable hard disk drives.

• LBI: No special requirements.


Decision tree: Securing your data

The decision tree below will help you understand the multiple considerations for sharing any company information. The graphic includes the best solution to help protect your information and the platform that should be used to share the information.

Figure 1: HBI decision tree

Figure 2: MBI decision tree


Figure 3: LBI decision tree


Recommended security practices

Use the Microsoft Office System Document Inspector

If you plan to share an electronic copy of a Microsoft Word document with clients or colleagues, it is a good idea to review the document for hidden data or personal information that might be stored in the document itself or in the document properties (metadata). Document Inspector is a built-in tool that can be used to scan your document before sharing it with others. For more information on how to use Document Inspector, see: Remove hidden data and personal information by inspecting documents.

Guard confidential information

Do not discuss confidential information in public places.

Beware of multiple network connections

Never concurrently connect your computer to your company's corporate network and the Internet, or any other network that your company does not manage. Doing so compromises your company's network security.

Review the list of group recipients

Think globally before posting any content. Before you send or reply to email, post to Yammer, OneDrive, or any other social website, or post data to SharePoint, make sure that the information is appropriate for disclosure to everyone who has access to the email or website.

Use Outlook Web Access

Use Outlook Web Access (OWA) to check your email from your home computer. Be careful if you access corporate resources from kiosks and other public locations, even through OWA, because keystrokes may be monitored if the public network is not configured correctly.

Do not leave documents or presentations unattended

Remove all documents after meetings, and erase whiteboards.

Beware of posting on walls or bulletin boards

If your document is HBI, do not post it on hallway walls or bulletin boards.


For more information

Work Smart Guides

On the Work Smart productivity guides page, search for the following titles: http://technet.microsoft.com/en-us/library/bb687781.aspx.

Securing your business information

Secure collaboration using SharePoint Online

Securing your computer

Protecting data with Windows 8 BitLocker

Information Rights Management (IRM): http://technet.microsoft.com/en-us/library/cc179103.aspx

Introduction to IRM for email messages: http://office.microsoft.com/en-us/outlook-help/introduction-to-irm-for-email-messages-HA102749366.aspx

Secure/Multipurpose Internet Mail Extensions (S/MIME): http://technet.microsoft.com/en-us/library/jj891023.aspx

BitLocker: http://technet.microsoft.com/en-us/library/hh831713.aspx

Encrypted File System (EFS): http://technet.microsoft.com/en-us/library/bb457116.aspx

Video: Getting Started with Encrypting File System in Windows 7: http://technet.microsoft.com/en-us/windows/how-do-i-get-started-with-the-encrypting-file-system-in-windows-7.aspx

International Data Protection Standards: http://download.microsoft.com/download/B/8/2/B8282D75-433C-4B7E-B0A0-FFA413E20060/international_privacy_standards.pdf

Modern IT Experience featuring IT Showcase: http://microsoft.com/microsoft-IT

This guide is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED, OR STATUTORY, AS TO THE INFORMATION IN THIS DOCUMENT. © 2013 Microsoft Corporation. All rights reserved.

More Work Smart content: http://technet.microsoft.com/en-us/library/bb687781.aspx
