1.0 Purpose

The purpose of this plan is to establish guidelines for how documents should be labelled in accordance with WPI’s Data Classification Policy (linked in Actions), where those documents should be stored, and with whom they can be shared. The labels are to be chosen based on classification.

Why we use labels:

Labels are mechanisms to flag documents that contain sensitive information, and to ensure that information is protected from unsanctioned exfiltration.

2.0 Applicability

This plan applies to all faculty, staff, and third-party agents of the University as well as any other University affiliate who is authorized to access Institutional Data.

The document owner(s) are responsible for applying the correct label to their document(s). The document owner has the option to apply and manage the label within the Microsoft Office 365 software suite (including Office Online).

WPI Information Security (InfoSec) can, upon request, perform discovery and provide a list of documents containing sensitive information by using the Azure AIP scanner. However, it ultimately remains the responsibility of the document owner(s) to apply the labels.

The following file types support labelling: .pdf, .doc, .docm, .docx, .dot, .dotm, .dotx, .potm, .potx, .pps, .ppsm, .ppsx, .ppt, .pptm, .pptx, .vsdm, .vsdx, .vssm, .vssx, .vstm, .vstx, .xls, .xlsb, .xlt, .xlsm, .xlsx, .xltm, .xltx, .xps, .bmp, .gif, .jfif, .jpe, .jpeg, .jpg, .jt, .png, .tif, .tiff, .txt, .xla, .xlam, .xml

3.0 Introduction to Labels

Labels are assigned based on the level of sensitivity, and the impact to the University should that data be disclosed, shared, or disseminated without authorization or protection. The label determines a baseline set of technical & security controls which protect documents by applying encryption and creating an audit trail of how those documents were shared and with whom.

Per the Data Classification Policy, the following labels should be used to properly classify documents: Restricted Use, Confidential, Unrestricted.

All documents that contain sensitive information at WPI across all approved storage locations should be labelled. Documents that contain sensitive information should retain their label throughout their entire lifecycle unless the sensitive information is removed from the document.

4.0 Label Definitions

Restricted Use label:

Content is encrypted and can only be viewed by the document owner(s), unless shared, and then only with the intended recipient. For documents with this label applied:

  • When shared within WPI by e-mail, Message Encryption is automatically applied, a process which is transparent to the end user.
  • Sharing within WPI by SharePoint or Teams is permitted without restriction. Note: Teams sharing is only available internally per the current system configuration.
  • When shared outside of WPI by e-mail or SharePoint link, Message Encryption is automatically applied, a process which requires the recipient to authenticate using a one-time code to view the document.
    • Sharing externally is not permitted by default unless a business justification is provided.
    • Documentation on how to provide a business justification and enable sharing will be maintained by the IT Service Desk.
  • An audit trail is created that records the following: where the document is stored, when the label was applied, with whom it was shared, whether a business justification was provided, and the content of that justification. This audit trail can be made available upon request, such as during an incident response or by Human Resources.
  • An alert is created per the same criteria as the audit trail and sent to InfoSec, which is for informational purposes only. InfoSec does not take action on these alerts.

Confidential label:

Content is encrypted and can only be viewed by the document owner(s), unless shared, and only with the intended recipient. For documents with this label applied:

  • When shared within WPI by e-mail, Message Encryption is automatically applied, a process which is transparent to the end user.
  • Sharing within WPI by SharePoint, OneDrive, or Teams is permitted without restriction. Note: Teams sharing is only available internally.
  • When shared outside of WPI by e-mail, SharePoint link, or OneDrive link, Message Encryption is automatically applied, a process which requires the recipient to authenticate using a one-time code to view the document.
    • Sharing externally is not permitted by default unless a business justification is provided.
    • Documentation on how to provide a business justification and enable sharing will be maintained by the IT Service Desk.
  • An audit trail is created that records the following: where the document is stored, when the label was applied, with whom it was shared, whether a business justification was provided, and the content of that justification. This audit trail can be made available upon request, such as during an incident response or by Talent & Inclusion.
  • An alert is created per the same criteria as the audit trail and sent to InfoSec, which is for informational purposes only. InfoSec does not take action on these alerts.

Unrestricted label:

No protection is applied.

5.0 Storage, Backup & Deletion

The only approved storage locations for documents that have a sensitivity label applied are SharePoint and OneDrive.

Restricted Use label: the only approved storage location for documents with this label is SharePoint.

Confidential label: the approved storage locations for documents with this label are SharePoint and OneDrive.

Unrestricted label: the approved storage locations for documents with this label are SharePoint and OneDrive.

  • Backups & archiving: WPI Information Technology (IT) does not currently perform backups or retain an archive of historical data in SharePoint or OneDrive.
  • Deletion: no special consideration needs to be taken to delete or dispose of these files. They can be deleted via the Recycle Bin on Windows, macOS, and within SharePoint/OneDrive.

6.0 Enforcement

Any person who violates any of the requirements set out in this plan will be subject to the same disciplinary actions as outlined in WPI’s Confidentiality Agreement.

7.0 Approval and Revisions

Plan written by: Christian Sorgi, Information Security Engineer

Plan reviewed annually by: Lawrence Wilson, Chief Information Security Officer (CISO)

Related University Policies: Data Classification and Usage Policy

Last Modified: 2/28/2022