Classification of files and documents
This page contains information on how to classify files and information according to confidentiality requirements, using labels in Word, Excel, PowerPoint and Outlook.
Information classification
All information processed at NTNU must be classified according to confidentiality requirements, so that you know where and how the information can be processed. You can find more information about information classification on the page Informasjonsklassifisering - informasjonssikkerhet (Norwegian only).
The following classes are defined:
Labels in Word, PowerPoint, Excel and Outlook
In Office 365, it is possible to determine the classification of files and documents, through the use of "labels" that mark the documents and which can trigger technical measures such as encryption. We use Azure Information Protection (AIP) to enable this feature. Once AIP is installed, you will find the classes as labels in the desktop version of Microsoft Office 365.
This label applies to information that may be accessible to anyone, without special access rights.
Examples of such information may be web pages, course listings or printed material that is freely distributed.
Information that requires some protection, and where accessibility should be restricted to selected internal and/or external users with controlled access rights, can be classified as Internal. This label can be used if it could cause some damage to the institution or partners if the information becomes known to unauthorized persons.
Examples of such information are some working documents, information that is kept from public access, personal information, grades, large student papers, exam answers, research data and research work.
- Internal information must be categorized into one of three subcategories. When using the Internal information category, no technical restrictions are imposed on the document. This means that anyone who has access to where the file is stored will have access to the document.
- Using the Social Security number or Protected information categories, the document is encrypted and access control is logged. The category Social Security number should be used on documents that contain a social security number. The category Protected information can be used on documents when you want encryption and access control, even if it does not contain a social security number or can be classified as confidential.
- The category Internal information - Archive is used exclusively to remove encryption before a document is archived in ePhorte.
Documents containing confidential information should be classified using the label Confidential. This includes information that requires strict access control. The label must be used if it may cause harm to public interests, the institution, individuals or partners if the information becomes known to unauthorized persons.
Examples of such information are some strategy documents, sensitive personal information, health information, exam papers before they are given, some types of research data and work.
When the Confidential label is used, several technical restrictions are applied on the document:
- The document is encrypted and access control with log is activated.
- It will not be possible to print or take a screenshot of the document.
- The label Confidential - Archive is used exclusively to remove encryption before a document is archived in ePhorte.
Note that it is not yet possible to open documents with access control in Office 365 Online (browser version).
Highly Confidential
The label Highly Confidential should not be used. Documents with information in this class must be processed in systems that are approved for this.
Any private documents can be labeled Private.
Grant permissions
In Word, Excel and PowerPoint
When using the label Confidential and when using the categories Social Security number or Protected information under the label Internal, you must grant permissions on the document.
In the Select permissions field, specify the permission you want to grant:
- Viewer - View only
- Reviewer - View, Edit
- Co-Author - View, Edit, Copy, Print
- Co-Owner - All permissions
- Only for me
Then specify who receives the permission by entering their email address(es). Do not use groups when granting permissions. In the bottom field, you can specify an expiration date if desired.
In Outlook
When using the label Confidential and when using the categories Social Security number or Protected information under the label Internal, the email is encrypted. Permissions are granted to recipients of the email.
Note: Avoid using email lists and groups as recipients in email when encryption is used. The reason is that access is linked to individuals through the recipient's email address. Content is only decrypted when the recipient is authenticated with their personal user account. The use of groups will therefore make the content unreadable to recipients.
Change or delete label
If a label is already used on a document and you want to change it, you can just select another label. If the labels do not appear on the label bar, first click the Edit Label icon next to the current label value, and the labels will appear. To delete a label from a document, first click Edit Label, and then click the Delete Label icon on the far right of the label bar.
Installation and use on various devices
AIP is automatically installed on managed NTNU machines with Windows operating system. If you have a standalone Windows machine (unmanaged) you can install the AIP client yourself from software.ntnu.no.
Classification by using labels is supported only on machines with Windows operating system. Users with Mac can still read and edit classified documents and protected documents from Office desktop applications. No installation is required.
Android and iOS
With the Word, Excel and PowerPoint apps, you can read and edit classified documents and protected documents, from mobile phones and tablets. You cannot classify documents with these apps.
If you try to open an encrypted email from a mobile phone or tablet, you may be told to open the message using the Microsoft Outlook app. The Outlook app does not work with NTNU's email system. This is because we have local email for employees, and the app requires email to be synchronized in the cloud.
To read the contents of protected emails (.rpmsg files) from a mobile phone or tablet you can use the Azure Information Protection app. This app also allows you to open other file types with access control, such as PDFs or image files.
Software Farm
Users with machines that do not directly support classification can use the service from Software Farm.
Encryption and external users
AIP is initially intended as a service for classification of information internally at NTNU, but it is possible to encrypt emails and documents to external recipients as well. However, this requires that the recipient's email address can be authenticated to Microsoft (Azure AD or MS account). The reason is that the sender's and recipient's email addresses are their key to decrypt documents and emails that are encrypted using NTNU's certificate.
Concerning filing in ePhorte
- ePhorte has its own access control system and documents there should not be classified using labels.
- Encrypted documents must be decrypted before filing in ePhorte. The person who encrypts the document (the document owner) must consider whether it should be archived in ePhorte.
- Use the label categories Internal information - Archive or Confidential information - Archive to remove encryption before archiving. If you want to keep the original file after archiving, the correct label must be re-inserted. Alternatively, the file can be deleted.
- To import encrypted email into ePhorte, the EphorteOutlook program must be used. It is not possible to import encrypted email using "Importsentral" in ePhorte.
- Any attachments in encrypted email must be decrypted before filing in ePhorte.
More information
You can find more information about AIP on Microsoft's website.
Orakel Support Services can help if you have questions or if you encounter difficulties.