Wikier

Classification of files and documents

Detaljer Skriv ut

This page contains information on how to classify files and information according to confidentiality requirements, using sensitivity labels in Word, Excel, PowerPoint and Outlook.

Norsk versjon - Klassifisering av filer og informasjon

Topic page about Information security | Pages labeled with classification

Innholdsfortegnelse [-]

  1. Information classification
  2. Sensitivity labels in Word, PowerPoint, Excel and Outlook
    1. Public
    2. Internal
    3. Confidential
    4. Exclude from Copilot
    5. In Outlook
  3. Changing og deleting a label
  4. Use on different devices
  5. Encryption and external recipients
  6. Can data be decrypted by others?
  7. On archiving
    1. Email
  8. More information
  9. Contact

Information classification

All information processed at NTNU must be classified according to confidentiality requirements, so that it is clear where and how the information can be handled. You can find more information about information classification in the Policy for Classification of Information Assets - Kunnskapsbasen - NTNU

The following classes are defined: Public (green), Internal (yellow), Confidential (red), Highly Confidential (black).
Classes of information and their colour codes

Note: Strictly confidential information must not be stored or processed in Microsoft 365. Such information must only be processed in systems specifically approved for this purpose. Contact the Section for Digital Security for guidance.

Sensitivity labels in Word, PowerPoint, Excel and Outlook

In Microsoft 365, it is possible to indicate the classification of files and documents through the use of sensitivity labels that mark the documents and can trigger technical measures such as encryption.

When logged in with your NTNU account, you will find the sensitivity labels in the desktop version of Microsoft 365 under the Home menu and the Sensitivity button.

Screen shoot of the Sensitivtiy button in Word

Public

This label is used for information that can be available to everyone, without special access rights.

Examples: websites, course overviews, or printed materials distributed freely.

Internal

Information that should only be shared within the organisation, and optionally with selected external partners. Choose one of the sub-labels below:

Internal (Allow externals): Can be shared with both internal and external users. No encryption or sharing restrictions. Examples: exam papers, grades, research data.

Internal (Block externals)(recommended default for internal information): Cannot be shared with external users – they will not be able to open the document even if it is forwarded. Examples: internal reports, tender documents, career plans, technical documentation.

Internal (Encrypted): Internal information with encryption and extra access control. Only specified users can access the document, even if it is shared further. Use this when you want encryption and access control on non-confidential information.

Internal (Archive): Used exclusively to remove encryption before a document is to be archived.

Screenshot of the Sensitivity button and the different options for "Internal"

Confidential

Documents containing confidential information must be classified using the Confidential label. This covers information that requires strict access control. Used when disclosure to unauthorised persons could cause harm to public interests, the institution, individuals, or partners.

Examples: certain strategy documents, special categories of personal data, health information, exam questions before they are issued, certain types of research data.

Confidential (Encrypted): The document is automatically encrypted, and printing and copying are disabled. Only specified users can access the document.

This label can only be used for information classified as "Confidential". Microsoft 365 is not approved for "Strictly confidential" information.

Confidential (Archive): Used exclusively to remove encryption before a document is to be archived.

Screenshot of the Sensitivity button and the different options for "Confidential"

Exclude from Copilot

Items with this label will not be processed by Microsoft 365 Copilot. Use this when the content should not be included in Copilot's data foundation.

Screenshot of the Sensitivity button and the option "Exclude from Copilot"

In Outlook

When using the label Confidential (Encrypted) or Internal (Encrypted), the email message will be encrypted. Access rights are granted to the recipients of the email.

Note: Avoid adding email lists and groups as recipients of emails that involve encryption. Content is only decrypted when the recipient is authenticated with their personal account, and the use of groups may therefore make the content unreadable for recipients.

Changing og deleting a label

If a sensitivity label has already been set on a document and you want to change it, you can select a different label. To delete a sensitivity label, click on the already selected label.

Use on different devices

Windows and Mac: Sensitivity labels are supported in Microsoft 365 desktop applications on both Windows and Mac. No separate installation is required. The labels can be found under the Home menu and the Sensitivity button.

Android and iOS: With the Word, Excel and PowerPoint apps, you can read and edit classified documents from your phone or tablet. However, you cannot classify documents with sensitivity labels that involve encryption in these apps. Outlook on mobile allows you to read the content of encrypted email messages, but you cannot send encrypted messages from your mobile device.

Program Farm: The service can also be used from Program Farm with Windows – Knowledge Base – NTNU for users with machines that do not support the service directly.

Encryption and external recipients

It is possible to encrypt emails and documents for external recipients as well. Recipients with a Microsoft account (work, school or personal) can open encrypted content directly. Recipients without a Microsoft account will receive a one-time passcode by email to verify their identity and open the content.

Can data be decrypted by others?

The solution uses an encryption key issued by Microsoft. This means there is a theoretical possibility that Microsoft could decrypt content. A limited group of NTNU's own administrators can also grant themselves temporary access to decrypt content – for example if a file has been encrypted and archived by a former employee. Such activity is logged at all times. If you are interested in more technical information, you can read about it at Manage the root key for your tenant's Azure Rights Management service | Microsoft Learn

On archiving

Documents: Elements has its own access control, and documents stored there should not be classified using sensitivity labels. Encrypted documents must be decrypted before archiving in Elements. Use Internal (Archive) or Confidential (Archive) to remove encryption before archiving. If you wish to retain the original file after archiving, the correct label must be reapplied.

Email

To import email, click on the Outlook plugin for Elements.

Screenshot of button for Outlook plugin for Elements

More information

Contact

Orakel Support Services - Kunnskapsbasen - NTNU (Orakeltjenesten) can help you if you have questions or experience any issues.

28230 Visninger
IT-info: brukerstøtte digital sikkerhet Målgruppe: Medarbeidere Tema: Dokumentasjon IT-hjelp Informasjonssikkerhet Personvern
Tagger
encryption classification encrypt aip information classification
Vedlegg
PNG
Elements-plugin.png
PNG
klassen_fortrolig_630_eng.png
PNG
klassen_intern_630_eng.png
PNG
klasser_i_word_630_eng.png
JPE
Label-confidential.jpeg
JPE
Label-exclude-Copilot.jpeg
JPE
Label-internal.jpeg
JPE
Label-sensitivity.jpeg
PNG
Plugin-Elements (1).png
PNG
Plugin-Elements.png
PNG
sette_rettigheter_eng.png
PNG
sikkerhetklasser_eng_enkel_600.png
PNG
sikkerhetklasser_580_eng.png