OIT Office of Information Technology
| Menu
A laptop is displaying a collage of Microsoft 365 app icons.

Protect Your Files Using Microsoft Sensitivity Labels

Submitted by crei1741
on

Starting today, CU Boulder faculty, staff and students can easily protect their Microsoft files and emails from unauthorized access and data leakage using Microsoft sensitivity labels.

CU Boulder's sensitivity labels were developed in collaboration with key campus partners to ensure the labels would be flexible enough to accommodate existing business practices without compromising the protections stipulated by CU's data classification types.

What they look like

Labeled files and emails are typically marked by a brightly colored shield icon. In some applications, the name of the sensitivity label also appears (view screenshots).

If you're sharing a labeled file with a non-CU Boulder account, the recipient will typically see a shield icon when viewing the item in a Microsoft web application and will see a banner listing the applied protections when using a Microsoft desktop application.

If you're emailing an encrypted message to a non-CU Boulder account, see the Classifications & Protections section of the sensitivity labels FAQs to understand what the recipient will see.

How they work

To apply a sensitivity label, simply open the Microsoft file or email and click on the Sensitivity button (located on the Home tab for files and the Message tab for emails) or title/subject bar.

Select the label that best reflects the sensitivity of the content based on CU's data classification table (when in doubt, choose the higher sensitivity level):

  • Public (not protected) – This content is specifically prepared for public consumption. Use this label for items like press releases, posters and user-facing support documentation.
  • University Data (not protected) – This content isn't intended for public consumption, but wouldn't have an adverse impact if disclosed to the public. This label would be appropriate for internal organizational charts, planning documents for routine business processes, etc.
  • Confidential (protections determined by sublabels) – This content is sensitive, isn't typically disclosed to the public, and requires a legitimate business purpose to access. This would apply to files or emails that contain employee ID numbers, fundraising data, level 2 or 3 student data, etc.
  • Highly Confidential (protections determined by sublabels) – This content is extremely sensitive; is protected from disclosure by law, regulations, contracts or legal agreements; and/or requires reporting of unauthorized disclosure. This would apply to files containing Social Security numbers, disciplinary records, level 4 or 5 student data, etc.

The Confidential and Highly Confidential labels also have sublabels that refine the protections.

  • The External and Internal sublabels apply a standard set of protections that differ based on whether users with non-CU email addresses can get access.
  • The Custom sublabel allows you to set different permissions for different users, including setting an expiration date for access.
  • The No Protection sublabel should be used rarely and only when a trusted user can't access the file any other way.

What they don't do

Applying a Confidential or Highly Confidential label to a file or email does not shield it from disclosure under the Colorado Open Records Act (CORA) if it is otherwise a public record subject to disclosure.

To learn more, see the Classifications & Protections section of the sensitivity labels FAQs.

Get Support

It can take up to 24 hours for your account to receive this update. If you still don't see the Sensitivity button in your Microsoft 365 apps, try restarting your computer.

To learn more about sensitivity labels, see Microsoft 365 - Sensitivity Labels and Sensitivity Labels - FAQ. For technical support, contact the IT Service Center at 303-735-4357 or oithelp@colorado.edu.