Skip to main content

014: Restrict and monitor sharing by employees

Overview

Based on the identified scenarios of sharing data among internal users of the organization (Document / Approve all Data Sharing means), add restrictions to the sensitivity labels you defined in previous steps in a way that aligns with those scenarios. E.g. limit access to "confidential / internal" content to internal users (employees) only. Further restrict Highly Confidential data so it can't be copied or printed, and add a watermark to it to discourage other forms of sharing. Also add restrictions to labels used for external sharing with partners or customers, e.g. by limiting access to only the domains for those companies and by limiting usage rights such as the ability to copy, forward or print the content.

Monitor the manual application of labels by users after implementing these restrictions. Ideally, application patterns should not change as a result of the restrictions, if you see significant changes in user behavior work with different stakeholders to understand whether these changes are the result of overly restrictive policies which prevent users from doing their jobs with the data if they label it correctly, or it is due to poor user awareness, training or other factors. Adjust the policies accordingly.

At the same time, you should consider the option to enforce mandatory labeling of all emails and documents (recommended for Zero Trust), and use of a default label for emails and documents. Given the usually large number of emails a user may generate each day, a common practice is to define a default label for emails, and use one that's mildly restrictive (e.g. "internal", associated with DLP rules that block sending such emails externally but without internal sharing or usage restrictions) so users are able to change this label as needed for external sharing or for using a more restrictive label.

Also consider the use of Information Barriers to prevent sharing of data between parts of the organization which should be isolated from each other (e.g. account teams working for competing companies, tented projects, highly confidential R&D labs, roles in highly regulated businesses that are in potential conflict with others in the organization if they exchanged content).

Reference