Securing Your Business Information - Template from Microsoft
Download as DOCX, PDF1 like838 views
This document provides guidance on using various Microsoft technologies to secure business information, including Information Rights Management (IRM) to protect documents and emails, Secure/Multipurpose Mail Extensions (S/MIME) to encrypt and digitally sign emails, BitLocker to encrypt drives and removable storage, and Encrypted File System (EFS) to encrypt files and folders. It describes how to configure each technology, such as applying permissions in Outlook and Word to restrict document access and expiration dates. The document aims to help users protect their company's confidential information from unauthorized disclosure.
Securing Your Business Information - Template from Microsoft
- 1. Work Smart by Microsoft IT Securing Your Business Information Customization note:This document contains guidance and/or step-by-step instructions that can be reused, customized, or deleted entirely if they do not apply to your organization’s environment or installation scenarios. Any text marked by yellow highlighting indicates either customization guidance or organization-specific variables. All of the highlighted text in this document should either be deleted or replaced prior to distribution. Whether you are exchanging emails, sharing documents, or having a phone conversation, it is your responsibility to help protect your company’s confidential information from any unauthorized disclosure. In this Work Smart guide, you will learn how to use four Microsoft technologies that help protectbusiness information. These technologies include Information Rights Management (IRM), Secure/Multipurpose Mail Extensions (S/MIME), BitLocker Drive Encryption, and Encrypted File System (EFS). Note:For more information about how to classify business information and data according to the potential impact of unintentional disclosure read the “Classifying and Protecting Your Business Information” Work Smart guide at http://aka.ms/customerworksmart. Topics in this guide include: Using IRM to protect information Applying S/MIME to email messages Protecting data with BitLocker Protecting data with EFS For more information
- 2. 2 | Securing Your Business Information Using IRM to protect information When a company has configured their systems to use Information Rights Management (IRM), employees using Microsoft Office can apply permissions to messages or documents by using options on the ribbon. The protection options that are available are based on permission policies that are customized for an organization. Office 2013 also provides several predefined groups of rights, such as Do Not Forward in Outlook 2013. More information about IRM is available athttp://technet.microsoft.com/en- us/library/cc179103.aspx. Protecting documents on SharePoint Online To learn more about applying IRM on SharePoint Online using RMS, see http://office.microsoft.com/en-us/sharepoint-server-help/apply-information-rights- management-to-a-list-or-library-HA010154148.aspx and the Work Smart Guide "Secure Collaboration using SharePoint Online" at http://aka.ms/customerworksmart. Using IRM to protect email messages To restrict permissions on email messages and prevent recipients from forwarding, printing, or copying sensitive data, do the following: 1. In Outlook 2013, on the Mail page, select the Home tab, and click New Email. 2. In the new message, click the Options ribbon tab, and clickPermissions. Note: If you are not connected to your corporate network, you may first need to clickConnect to Rights Management Servers to get templates. Once connected to the server, a list of permissions displays. 3. Select the appropriate permission for the email message.
- 3. 3 | Securing Your Business Information Configuring a message to expire 1. In Outlook 2013, on the Mail Home tab, click New Email. 2. In the new message, click the Options ribbon tab. 3. In the More Options section, click Delay Delivery. 4. Select the Expires after check box and enter date and time. 5. Click Close. Using IRM to protect emails in Outlook Web App To restrict permissions on email messages and to prevent recipients from forwarding, printing, or copying sensitive data, when using Exchange 2013, do the following: 1. In OWA, on the Outlook page, click new mail. 2. In the new message, click the ellipses (…). 3. In the drop-down list, select set permissions, and then select the appropriate permission for the email message.
- 4. 4 | Securing Your Business Information Note:When users send an IRM-protected message from OWA, any files attached to the message also receive the same IRM protection and are protected by using the same rights policy template as the message. In Exchange 2013, IRM protection is applied to files associated with Microsoft Office Word, Excel, and PowerPoint, as well as .xps files and email messages. IRM protection is applied to an attachment only if it's not already IRM-protected. Using IRM to protect a document You also can protect Microsoft Office Word, Microsoft Office Excel, and Microsoft Office PowerPoint files by applying IRM: 1. In Word 2013, click File, and on the Info page, click Protect Document. 2. SelectRestrict Access and click to select the appropriate restriction to apply. Note: If you are not connected to yourcorporate network, you may first need to clickConnect to Rights Management Servers to get templates. Once connected to the server, a list of permissions displays. Specifying who can access or change a document 1. In Word 2013, click File, and on the Info page, click Protect Document. 2. UnderRestrict Access click Restricted Access. 3. In the Permissions window, select the Restrict Permissions to this document check box.
- 5. 5 | Securing Your Business Information 4. Add users in the Read or Change boxes and click OK. Configuring a file to expire Use IRM to enforce an expiration date so that recipients cannot access the file after a specific date: 1. In Word 2013, click File, and on the Info page, click Protect Document. 2. Under Restrict Access click Restricted Access. 3. In the Permissions window, select the Restrict Permissions to this document check box. 4. In the Permissions window, click More Options. 5. Select the This document expires on: check box, enter an expiration date, and click OK. 6. When the date has passed, the user will not be able to open the document.
- 6. 6 | Securing Your Business Information How to password protect a section in OneNote 2013 1. In OneNote, open the section you wish to protect and select the Review tab. 2. Under Password Protection, select Set Password. 3. In the Password Protection window, enter and confirm your new password and click OK. 4. A pop-up window appears. Select whether to keep or delete existing backups of the section that do not have the assigned password. How to change or remove a password from a section in OneNote 2013 1. In OneNote, open the section that is password protected and select the Review tab. 2. Under Password Protection, select Change Password or Remove Password. a. If changing the password, enter the old and new password and confirm the new password. Then, click OK. b. If removing the password, enter the password and click OK. Applying S/MIME to email messages Secure/Multipurpose Mail Extensions (S/MIME) enables you to encrypt and/or digitally sign your email messages. Encrypting your messages converts regular text data with an encrypted text so that only people who you specify can read it. Digitally signing an email message helps ensure that no tampering occurs while your message and its attachments are in transit. Signing a message digitally with S/MIME Signing a message digitally applies an authorized certificate to it that validates that the message is from you and is unaltered. To sign a message digitally: 1. In Outlook 2013, in an open message, click the Options tab. 2. In the More Options group, click the arrow in the lower-right corner to expand options box. 3. Under Security, click Security Settings.
- 7. 7 | Securing Your Business Information 4. Select the Add digital signature to this message check box. 5. Select the following options, if applicable: Select the Send this message as clear text signed check box to enable recipients who do not have S/MIME security to read the message. Select the Request S/MIME receipt for this message check box to verify that the recipient validates the digital signature and receives the message unaltered, and for you to receive an email notification about who opens the message and when it is opened. 6. Click OK. Notes: For more information about S/MIME in Office 2010, seehttp://office.microsoft.com/en- us/outlook-help/send-an-email-message-with-an-s-mime-receipt-request- HP010356428.aspx. For more information about S/MIME in Office 2013, seehttp://office.microsoft.com/en- us/outlook-help/send-an-email-message-with-an-s-mime-receipt-request- HA102748933.aspx. Encrypting a message with S/MIME Encrypting a message with S/MIME means that recipients cannot access it unless they have a private key that matches the public key that you used for encryption. To encrypt a message with S/MIME: 1. In Outlook 2013, in an open message, click the Options tab. 2. In the More Options group, click the arrow in the lower-right corner to expand options box. 3. Under Security, click Security Settings.
- 8. 8 | Securing Your Business Information 4. Select Encrypt message contents and attachments. 5. To change additional settings, such as selecting a specific certificate to use, click Change Settings, make the changes, click OK twice, and then click Close. Enabling recipients to access encrypted files When you send an encrypted message, S/MIME uses the recipient’s certificate and public key to encrypt the file. Therefore, you have to exchange certificates and keys before you can send and access encrypted messages from a specific person. If you plan to send an encrypted message to someone: 1. Send the person an email that you sign digitally by following the directions in the previous section “Signing a Message Digitally with S/MIME”. Signing your message digitally ensures that your public encryption key is included. This enables the person to send you encrypted email. 2. Ask the person to send you a digitally signed email that includes their public encryption key. This enables you to send them encrypted email. 3. Create an entry in your Outlook contacts for the person, which saves that person’s encryption key. After that, Outlook uses this key every time that you send this person an encrypted message. To create a contact entry: 4. Open a digitally signed email from the person, right-click the person’s name or email address, and select Add to Outlook Contacts. Important: If you want to exchange encrypted messages with an external party that does not have a secure email certificate, refer them to Thawte at http://www.thawte.com/home.htmlor VeriSign at http://www.verisign.com/index.html.
- 9. 9 | Securing Your Business Information Protecting data with BitLocker BitLocker Drive Encryption is a data protection feature available inWindows Vista, Windows 7, and Windows 8.BitLocker encrypts the hard drives on your computer to provide enhanced protection against data theft or exposure on computers and removable drives that are lost, stolen, or decommissioned.More information about BitLocker is available at http://technet.microsoft.com/en-us/library/hh831713.aspx. BitLocker To Go provides drive encryption helps protect against unauthorized access on your portable storage drives. This includes the encryption of USB flash drives, SD cards, external hard disk drives, and other removable drives formatted by using the NTFS, FAT, or exFAT file systems. Note:For step-by-step guidance about how to enable BitLocker and BitLocker To Go in Windows 8, download the “Work Smart: Protecting Data with Windows 8 BitLocker”guide available at http://aka.ms/customerworksmart. Protecting data with EFS If your computer is not BitLocker compatible, you can use Encrypted File System (EFS)to encrypt your files and folders by using a certificate. EFS requires that users with whom you share information enter the appropriate decryption key before they can access the encrypted content. Although you can encrypt files individually, it is recommendedthat you designate a specific folder to store your encrypted files, and to encrypt that folder. All files that are created in or moved to the encrypted folder will automatically obtain the encrypted attribute. How to encrypt a folder: 1. Right-click a folder you want to encrypt, and then click Properties. 2. On the General tab, click Advanced. 3. In the Advanced Attributes dialog box, click theEncrypt contents to help secure datacheckbox and click OK.
- 10. 10 | Securing Your Business Information 4. You will be returned to the General tab. Click Apply. 5. In the Confirm Attribute Changes dialog box, select Apply changes to this folder, subfolders, and files and click OK. Important Note: Encryption of theMy Documents folder is not recommended. If you move, copy, or save a file to an encrypted folder, the file becomes encrypted. If you move, copy, or save an encrypted file to a location that is not on your computer, the file becomes decrypted. For more information Information Rights Management (IRM) http://technet.microsoft.com/en-us/library/cc179103.aspx Introduction to IRM for email messages http://office.microsoft.com/en-us/outlook-help/introduction-to-irm-for- email-messages-HA102749366.aspx Secure/Multipurpose Internet Mail Extensions (S/MIME) http://technet.microsoft.com/en-us/library/jj891023.aspx BitLocker http://technet.microsoft.com/en-us/library/hh831713.aspx Encrypted File System (EFS) http://technet.microsoft.com/en-us/library/bb457116.aspx Video: Getting Started with Encrypting File System in Windows 7 http://technet.microsoft.com/en-us/windows/how-do-i-get-started-with- the-encrypting-file-system-in-windows-7.aspx
- 11. 11 | Securing Your Business Information International Data Protection Standards http://download.microsoft.com/download/B/8/2/B8282D75-433C-4B7E- B0A0-FFA413E20060/international_privacy_standards.pdf Work Smart by Microsoft IT http://aka.ms/customerworksmart Modern IT Experience featuring IT Showcase http://microsoft.com/microsoft-IT This guide is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED, OR STATUTORY, AS TO THE INFORMATION IN THIS DOCUMENT. © 2014 Microsoft Corporation. All rights reserved.