Public: Information approved for public distribution. No access restrictions. No encryption required. May be shared externally without restriction. Examples: press releases, public website content, published annual reports, marketing collateral.
Internal: Default label for general internal business information. Not intended for external distribution. No encryption by default, but DLP monitors for external sharing. Examples: internal memos, operational procedures, team communications, internal meeting notes.
Confidential: Sensitive regulated data requiring restricted access. Encryption applied. External sharing blocked by DLP. Applies to PHI, PII, financial data, and other regulated content. Examples: patient records, HR files, financial projections, audit findings, vendor contracts under NDA.
Restricted: The most sensitive classification. Maximum protection controls applied. External sharing blocked under all normal circumstances. Endpoint restrictions active. Requires compliance review to share. Examples: regulatory examination materials, board-level strategic plans, critical system credentials, attorney-client privileged content, M&A target information.
| Label | Auto-Label (Service) | Client-Side | Encryption | DLP Action | Endpoint |
|---|---|---|---|---|---|
| Public | Keyword / SIT match | Manual / recommended | None | Audit only | No restrictions |
| Internal | Default / trainable classifier | Auto-suggested | None by default | Notify on external share | Audit |
| Confidential | SIT match + classifier (PHI, PII, financial) | Recommended + mandatory | Encrypt + Rights | Block external share | Warn print/USB |
| Restricted | SIT + Classifier + DSPM signal | Required | Encrypt + Do Not Copy | Block all sharing | Block all activities |
Phase 1: Deploy the Public and Internal labels. Enable auto-suggestion (no mandatory labeling yet). Monitor the adoption rate. Establish an Activity Explorer baseline. No DLP enforcement yet.
Phase 2: Add the Confidential label. Enable mandatory labeling for new documents. Configure SIT auto-apply for PHI and PII. Turn on DLP Notify mode for Confidential. Review false positives weekly.
Phase 3: Deploy the Restricted label (Legal, Compliance, and Executive use). Enable DLP Block mode for Confidential and Restricted. Activate endpoint restrictions. Begin auto-labeling simulation for existing content.
- Labels must reflect content sensitivity, not business unit or project type
- Email inherits the highest label from any attachment; configure this in the label policy
- Container labels (Teams, SharePoint sites) set a default but can be overridden per item
- Do not create sub-labels without governance approval; keep the taxonomy flat and clear
- Run auto-labeling policies in simulation mode first and review the "what would be labeled" report
- Use trainable classifiers for document types that don't have clear regex patterns
- Prioritize auto-labeling for SharePoint and OneDrive repositories first (easier to audit)
- Exchange auto-labeling runs on messages in transit; test with pilot mailboxes before broad deployment
- Any label rename, merge, or removal requires formal governance review and change control
- Restricted label access must be scoped to Legal, Compliance, and named executive groups; review quarterly
- Document all label definitions and access rules in the organization's data classification policy
- Review label usage reports monthly; watch for over-labeling (everything Restricted) and under-labeling
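The following Python model is an added example, not part of the original policy or any Purview tooling: it encodes the label matrix above as ordered ranks, runs an auto-labeling pass in simulation mode (report only, nothing applied, never downgrading an existing label), applies the "email inherits the highest attachment label" rule, and returns the external-share DLP action per label. The SIT patterns and sample documents are constructed, simplified stand-ins for the real Purview sensitive information types.

```python
import re

# Label taxonomy from the matrix, ordered lowest to highest sensitivity.
LABEL_ORDER = ["Public", "Internal", "Confidential", "Restricted"]

# DLP action on external sharing, per label, as given in the matrix.
DLP_EXTERNAL_SHARE = {
    "Public": "audit",
    "Internal": "notify",
    "Confidential": "block",
    "Restricted": "block",
}

# Constructed, simplified SIT patterns (stand-ins for Purview's built-in SITs).
SIT_PATTERNS = {
    "SSN": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "MRN": re.compile(r"\bMRN[- ]?\d{6,}\b"),
}
# Matrix: SIT matches for PHI/PII auto-apply the Confidential label.
SIT_TO_LABEL = {"SSN": "Confidential", "MRN": "Confidential"}

# Constructed sample documents: (name, current label, content).
SAMPLE_DOCS = [
    ("memo.docx", "Internal", "Team offsite agenda for next quarter."),
    ("intake.docx", "Internal", "Patient MRN 00482913 admitted Tuesday."),
    ("payroll.xlsx", "Public", "Employee 123-45-6789 salary band 4."),
]

def rank(label):
    return LABEL_ORDER.index(label)

def suggest_label(text, current="Internal"):
    """Label the auto-label rule would apply, plus the SITs that fired.
    Auto-labeling only raises a label; an existing higher label is kept."""
    matched = [name for name, pat in SIT_PATTERNS.items() if pat.search(text)]
    candidates = [current] + [SIT_TO_LABEL[name] for name in matched]
    return max(candidates, key=rank), matched

def simulate(docs):
    """Simulation mode: the 'what would be labeled' report, nothing applied."""
    report = []
    for name, current, text in docs:
        proposed, sits = suggest_label(text, current)
        if rank(proposed) > rank(current):
            report.append((name, current, proposed, sits))
    return report

def email_label(body_label, attachment_labels):
    """A message inherits the highest label across its body and attachments."""
    return max([body_label, *attachment_labels], key=rank)

def external_share_action(label):
    return DLP_EXTERNAL_SHARE[label]
```

Run `simulate(SAMPLE_DOCS)` to see which items would be raised to Confidential and by which SIT before switching the policy out of simulation.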