This document provides guidance on classifying and protecting business information. It discusses classifying information as high, moderate, or low business impact based on the potential effect of unauthorized disclosure. It also recommends tools for protecting information, such as Information Rights Management, BitLocker encryption, and Secure/Multipurpose Internet Mail Extensions. Guidelines are provided for sending, sharing, storing, backing up, and disposing of information based on its classification.

1. Work Smart by Microsoft IT
Classifying and Protecting Your
Business Information
Customization note: This document is based on the experience of Microsoft IT and contains
guidance and/or step-by-step instructions that can be reused, customized, or deleted entirely if
they do not apply to your organization’s environment or installation scenarios.
All forms of information, including ideas and concepts, have potential business value.
Whether you are exchanging emails, sharing documents, or having a phone conversation, it
is your responsibility to help protect your company’s confidential information. The greater
the information’s value, the more security controls you should put in place to protect it.
This guide provides an overview on how to properly classify business information and data
according to the potential impact of unintentional disclosure: High, Moderate, and Low
Business Impact. It also introduces some solutions that are available to help protect your
information before you transmit, share, store, or dispose of it.
Topics in this guide include:
Classifying your
information
Protecting your
information
Classification and
data dissemination
guidelines
Recommended
security practices
For more information

2. 2 | Classifying and Protecting Your Business Information
Classifying your information
Information can be classified into three areas, according to the potential impact of its
unintentional disclosure: High Business Impact (HBI), Moderate Business Impact (MBI), and
Low Business Impact (LBI).
Table 1. Information classifications
HBI HBI applies to any information including emails, documents, messages and phone
conversations that, if disclosed without authorization, could result in immediate,
direct or considerable impact to the company, the information owner and
customers. HBI information should only be shared with those on a “need-to-know”
basis. HBI includes Highly Sensitive Personally Identifiable Information (HSPII).
MBI MBI applies to information that, if disclosed, could cause indirect, limited impact
the company, the asset’s owner and valued customers. MBI information should only
be accessible to those people who have a legitimate business need to view the
information. MBI includes Personally Identifiable Information (PII).
LBI LBI classification applies to information assets that, if disclosed without
authorization, could cause limited, or no material loss to the company, the asset
owner, or relying parties.
Important: The guidance provided in this document is for example purposes and every
organization is unique. In the following sections, please be aware that your company’s HBI, MBI,
and LBI information and data could require more or less restrictive classification levels.
Classification of some common information types
Below is table of guidelines that might be helpful in determining a type of data's
classification level.
Table 2. Guidelines to help determine data classification level
Data includes the following info: HBI MBI LBI
Email Address
X
Social Security Number
X
Documents regarding process or procedure
X
Private cryptographic keys
X
Username and Passwords
X
Publicly accessible information X
Company trade secrets
X
Financial information related to revenue
generation
X
List of Phone Numbers
X
Employee Zip Codes X
Numeric ID sequences / PINs
X

3. 3 | Classifying and Protecting Your Business Information
Tips:
 Use the more restrictive classification if data falls into more than one classification level
or if you are unsure of its classification.
 Treat information as HBI if it does not have a classification, but is marked “confidential.”
Important Notes:
 It is your responsibility to understand the business value of your information and to apply
the correct classification and protection.
 Remove HBI or MBI information from your computer before retiring it or sending it offsite
for repairs.
 Remember to check your company policies as their classification levels may vary from the
examples provided in the table above.
Protecting your information
Now that you know how to classify your information, you will learn what tools are available
to ensure that your data is protected when it is sent, shared, stored, backed up, or deleted.
This guide provides an overview of four technologies that can be used to help protect
information.
 Information Rights Management. An Office feature of Rights Management Services
(RMS), IRM enables you to apply specific access permissions to documents, workbooks,
and presentations to prevent unauthorized forwarding, printing, or copying; and to set
expiration dates after which files no longer are available. More information about IRM is
available at http://technet.microsoft.com/en-us/library/cc179103.aspx.
 Secure/Multipurpose Internet Mail Extensions (S/MIME). With S/MIME you can
encrypt and/or digitally sign your email messages. Encrypting your messages converts
data with a cipher text so that only people who you specify can read it. Digitally signing
an email message helps ensure that no tampering occurs while your message and its
attachments are in transit. More information about S/MIME is included in the Message
Encryption and Filtering topic at http://technet.microsoft.com/en-
us/library/jj891023.aspx.
 BitLocker Drive Encryption. BitLocker Drive Encryption is a data protection feature
available in Windows Vista, Windows 7, and Windows 8. BitLocker encrypts the hard
drives on your computer to provide enhanced protection against data theft or exposure
on computers and removable drives that are lost, stolen, or decommissioned. More
information about BitLocker is available at http://technet.microsoft.com/en-
us/library/hh831713.aspx. BitLocker To Go provides drive encryption to prevent
unauthorized access on your portable storage drives. This includes the encryption of
USB flash drives, SD cards, external hard disk drives, and other removable drives
formatted by using the NTFS, FAT, or exFAT file systems.

4. 4 | Classifying and Protecting Your Business Information
 Encrypted File System (EFS). If your computer is not BitLocker compatible, you can
use Encrypted File System (EFS) to encrypt specific files and folders by using a
certificate. EFS requires that users with whom you share information enter the
appropriate decryption key before they can access the encrypted content. More
information about EFS is available at http://windows.microsoft.com/en-
us/windows/what-is-encrypting-file-system#1TC=windows-7.
The following table provide some guidelines about which technology you should use to
protect the HBI or MBI information that you transmit, share, or store on your computer:
Table 3. Preferred technology used to transmit, share, and store business information
IRM S/MIME EFS BitLocker
Transmit with internal
email
Preferred Acceptable N/A N/A
Transmit with external
email
Works only with
other federated
RMS
organizations
Preferred N/A N/A
Share using SharePoint
Online
Preferred N/A N/A N/A
Storing on computer
Acceptable with
BitLocker
N/A Acceptable with
BitLocker
Required
Storing on removable
media
Acceptable N/A Acceptable Preferred
Notes:
 Information about applying Information Rights Management to a list or library is available at
http://office.microsoft.com/en-us/sharepoint-server-help/apply-information-rights-
management-to-a-list-or-library-HA010154148.aspx
 More information about Information Rights Management is available in “What’s New with
Information Rights Management in SharePoint and SharePoint Online?” at
http://blogs.office.com/2012/11/09/whats-new-with-information-rights-management-in-
sharepoint-and-sharepoint-online/

5. 5 | Classifying and Protecting Your Business Information
Classification and data dissemination
guidelines
The following table provides some classification-level guidelines for sending, sharing,
storing, backing up, and disposing of business information.
Table 4. Guidelines for sending, sharing, storing, backing up, and disposing of business information
Action HBI MBI LBI
Send data (via file
transfer or email)
 Requires asset owner
approval to forward,
export, or copy.
 Requires encryption for
internal and external
delivery.
 Requires encryption with
S/MIME or IRM for email.
 Requires encryption for
transfer outside of
organization.
 Requires encryption with
S/MIME for email sent
outside the corporate
network.
No special
requirements.
Share
(via O365 SharePoint
Online)
 Use IRM to restrict
forwarding, copying, and
printing.
 Restrict permissions to
those identified by asset
owner.
 Requires formal
agreement, which legal
approves, for third
parties, such as business
partners.
 Restricts permissions to
those with legitimate
business needs only.
 Requires formal
agreement, which legal
approves, for third
parties, such as business
partners.
No special
requirements.
Store
(server, PC, CD, USB)
 Requires encryption
(BitLocker).
 Allows storage on
handheld devices only if
device supports strong
encryption and
authentication security
controls.
 May require encryption
(as determined by the
asset owner).
No special
requirements.
Back up
 Performed only by
authorized personnel and
stored only at a location
approved by IT Security.
 Encrypt storage media.
 Store in a physically
secure location in which
backups are logged and
access is controlled and
monitored.
No special
requirements.
Dispose of
 Cross-shred or incinerate
paper documents.
 Destroy tapes and other
magnetic media. Request
that hard disk drives be
destroyed.
 Follow your organization
policies for the
appropriate disposal of
retired hardware and
media.
 Cross-shred or
incinerate paper
documents.
 Destroy tapes and other
magnetic media.
 Remove data on hard
disks that you plan to
reuse or retire.
 Destroy inoperable hard
disk drives.
No special
requirements.

6. 6 | Classifying and Protecting Your Business Information
Recommended security practices
Use the Microsoft Office System Document Inspector
If you plan to share an electronic copy of a Microsoft Office Word document with clients or
colleagues, it is a good idea to review the document for hidden data or personal
information that might be stored in the document itself or in the document properties
(metadata). Document Inspector is a built-in tool that can be used to scan your data before
sharing it with others.
For more information on how to use Document Inspector, see Remove hidden data and
personal information by inspecting documents at http://office.microsoft.com/en-us/word-
help/remove-hidden-data-and-personal-information-by-inspecting-documents-
HA010354329.aspx.
Guard confidential information
Do not discuss confidential information in public places.
Beware of multiple network connections
Never concurrently connect your computer to your corporate network and the Internet, or
any other network that your company does not manage. This compromises your company's
network security.
Review list of group recipients
Think globally before posting any content. Before you send or reply to email, post to
Yammer, One Drive, or any another social website, or post data to SharePoint, make sure
that the information is appropriate for disclosure to everyone who has access to the email
or website.
Use Outlook Web Access
Use Outlook Web Access (OWA) to check your email from your home computer. Be careful
if you access corporate resources by using kiosks and other public locations, even though
OWA, as key strokes may be monitored if the public network does not have the correct
configuration.
Do not leave documents or presentations unattended
Remove all documents after meetings, and erase whiteboards.
Beware of posting on walls or bulletin boards
If your document is HBI, do not post it in hallways or on bulletin boards.

7. 7 | Classifying and Protecting Your Business Information
For more information
This guide provides foundational knowledge to help you make better decisions about
securing your data. Other guides are available to teach you how to help protect your
information. Visit the Modern IT Experience featuring IT Showcase at
http://microsoft.com/microsoft-IT and search for the following Work Smart titles:
 Securing your business information
 Secure collaboration using SharePoint Online
 Securing your computer
 Protecting data with Windows 8 BitLocker
The following content may be of interest to you as well:
 Introduction to IRM for email messages
http://office.microsoft.com/en-us/outlook-help/introduction-to-irm-for-email-
messages-HA102749366.aspx
 Video: Getting Started with Encrypting File System in Windows 7
http://technet.microsoft.com/en-us/windows/how-do-i-get-started-with-the-
encrypting-file-system-in-windows-7.aspx
 International Data Protection Standards
http://download.microsoft.com/download/B/8/2/B8282D75-433C-4B7E-B0A0-
FFA413E20060/international_privacy_standards.pdf
 Work Smart by Microsoft IT
http://aka.ms/customerworksmart
This guide is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED, OR
STATUTORY, AS TO THE INFORMATION IN THIS DOCUMENT. © 2014 Microsoft Corporation. All rights reserved.