Document and Email Encryption and Protection

SVSU recommends not storing documents with sensitive information in them. Whenever possible, we ask that you delete the file and then be sure to empty the file from the recycle bin.

If removing the file is not possible, please follow the instructions, below, to encrypt the file.

View Enabling Technologies Purview Workshop Recording

Sending unencrypted email messages containing sensitive financial data or Personally Identifiable Information is a violation of SVSU policy; whether written in the body or as an attachment. Unencrypted Email is sent in clear text that can easily be intercepted and read by anyone, while in transit.

Examples of Sensitive Data:

  • Social Security numbers
  • Driver’s License numbers
  • Passport numbers
  • State-issue ID numbers
  • Any bank/financial account numbers
  • Credit/debit card numbers
  • Protected health information
  • Documents protected by attorney-client privilege
  • Any passwords or authentication credentials

Select a Method for Document and Email Protection

Select the method of document and email protection you will used based off of the type of file or email you are using.

PDF Files:

Adobe Acrobat

Password Protect the PDF File
If the document you wish to apply protection to is a PDF, follow the instructions at this Securing PDFs with Passwords page to add a password/encrypt the file.

You will need Adobe Acrobat to complete these steps.  Installation instructions are found in the Related Articles section of this page, under Adobe Creative Cloud Installation Guide.

This is an abbreviate version of how encrypt and assign a password to a PDF file with Adobe Acrobat

  1. Open the PDF in Acrobat, and do one of the following:

    • Choose File > Protect Using Password.
  2. If you receive a prompt, click Yes to change the security.

  3. Decide between allowing Viewing or Editing access, and then type and retype your password. Your password must be at least six characters long.

  4. Click Apply. Acrobat displays a confirmation message that the file was successfully protected using password.

Once you assign a password to the file, please call the people you are sharing the file with to let them know the password.  DO NOT email the password along with the file or in a separate email.  Email is not secure and can be openly read among network traffic.

Redact Portions of Data within a PDF
When documents are shared with other parties or if they are stored on a computer drive, sensitive or private pieces information can redacted from a PDF.  Redacting the portions of sensitive data will allow the file to pass information protection and data loss prevention scans because the text or images are permanently removed from the PDF file.  

Follow instructions at this Adobe support page on How to Redact a PDF .

ITD Lab How-To Video

Purview

If you prefer, you can use Purview, instead of the built in Password protection, to encrypt a PDF file.  You will need to enable the PDF preference before Purview becomes available within Adobe Acrobat.

Enable Purview within Adobe Acrobat

  1. Open Adobe Acrobat
  2. Click Menu or Edit, depending on your version of Adobe Acrobat
  3. Choose Preferences
  4. Select the Security Category
  5. Check the box next to Enable Microsoft Purview Information Protection
  6. Click OK
  7. Restart Adobe Acrobat (it may take a couple of restarts)
  8. You will know MS Purview is available from Adobe Acrobat when you see this option available:
    1. File -> Protect PDF-> Select a MS Purview Sensitivity Label
    2. Select one of the Labels explained above

Receiving a PDF Document with Purview Protection

External users, receiving Purview-Encrypted PDF documents, should use the Microsoft Edge Browser to view the PDF files.  SVSU users can open the Purview-Encrypted PDF document with Adobe Acrobat.  Note that Purview-Encrypted PDFs will not open within an Email Preview window nor browsers, other than MS Edge.

Office 365: Microsoft Purview

Classifications

Thank you to Enabling Technologies for the permission to use their Purview training instructions, below.

There are many different labels that can be applied to emails, files, and documents. These are the ones we have implemented, and the GLBA will include items from the other categories, so is the most comprehensive label.

Automatic labeling is applied when the content of a file or message meets a certain confidence level.  The confidence level is based on the amount of supporting evidence detected.  View this support article from Microsoft regarding Purview Confidence Levels

Label classifications are listed in order from the lowest to the highest sensitivity:

  • General - This will be applied when there is no label specified.
  • Personal - This should be applied to non-work-related records.
  • Personally Identifiable Information (PII) – Full names, Social Security Numbers, Driver’s License number, financial information, and medical records. This should be encrypted and be defined by the end user who can decrypt.
  • Financial Data - Anything related to financial activities and performance of a business or person. This could include data about monetary transactions, assets, income, liabilities, net worth, credit ratings, financial statements, and other indicators of profitability and growth. This should be encrypted and be defined by the end user who can decrypt. 
  • Gramm-Leach-Bliley Act (GLBA) - Social security numbers, credit card numbers, full names, U.S./U.K. passport numbers, U.S. driver's license numbers and U.S. physical addresses. This may also include items such as Budget proposals, Financial statements and reports. Tax information such as tax planning documents, tax forms, tax filing related documents and tax regulation documents.
  • Confidential: Internal Use Only and Recipient Only
    • Internal Use Only - Documentation or files that are confidential to the university. Only persons with an @svsu.edu email address will be able to de-crypt the content.
    • Recipient Only - Documentation or files that are intended for a specific person only. Recipients will need to verify their identity prior to decrypting.

Outlook Email: Microsoft Purview

Automatic Sensitivity Classification Labels

  1. When an email contains sensitive information in it, an automatic label will be applied. If the information contained in the email conflicts with our policy, a notification will also appear. To view the reason for the notification, click on Show details.
  2. After reading the details, if it is still unclear why a specific label was placed on an email, click Learn more to bring up details and Report if the label is incorrect. Learn more about reporting incorrect labels, below.

    Show details. Learn more.  Report.
     
  3. If the policy notification is ignored, and the user still tries to send the email to the unauthorized recipient, a notification will appear that the email has been prevented from being sent due to conflicting with the policy.

    Send blocked notification.  This message includes one or more recipients who aren't authorized to receive sensitive information. Please remove those recipients and try to send the message again. Click OK.

Adjust and Report Incorrect Labels

Report Incorrect Labels
If the email is labeled incorrectly, but it needs to get sent out immediately, please:
1 - Click Report.
2 - Contact IT Support by calling 989-964-4225.

If the email is not urgent please Click Report and then email support@svsu.edu or create a ticket at mysupport.svsuedu.

The automatic sensitivity label can be adjusted. If this conflicts with the actual categorization as well as policy, please do not modify the label.  Help keep SVSU data safe!

  1. While considering data security, follow the instructions above to Report the incorrect label to IT Support.
  2. Then, click the Sensitivity Icon, then select the appropriate security label. 
    At the top Outlook on the Web (stamp) or at the right of the Subject in Outlook Desktop Version (shield with lock).

    While considering data security, click the Sensitivity Icon, then select the appropriate security label.
    Outlook on the Web View

    While considering data security, click the Sensitivity Icon, then select the appropriate security label.  At the top Outlook on the Web or at the right of the Subject in Outlook Desktop Version
    Outlook Desktop Version View
     
  3. When prompted, select the appropriate justification for making the label change. These changes are reviewed by IT system admins.
  4. If you selected Other, you will be able to type a reason or comment to explain the change. Other is the only option that offers a place to type a reason for changing the label.
  5. Click Change.

    When prompted, select the appropriate justification for making the label change.  Type a reason or comment to explain the change.  Click Change.

Manually Apply a Sensitivity Label

To apply a sensitivity label to an email that was not automatically identified:

  1. Click Options.
  2. Click the stamp icon.
  3. Select the appropriate label option for the email.
    1. When determining which Confidential option to use:
      1. Anyone will allow anyone within SVSU to view the information.
      2. Trusted People limits the ability to view the information to the person(s) you are sending the email to.

        Anyone will allow anyone within SVSU to view the information. Trusted People limits the ability to view the information to the person(s) you are sending the email to.

Manually Encrypt an Email Message and Attachments

To skip labeling, but still encrypt email messages and attachments:

  1. Click Options
  2. Click on the Encrypt, padlock icon.
  3. Select the desired permission.
    1. Encrypt (Encrypt-Only) means that the recipient will need to sign in with their credentials and password for their email account. The email can be forwarded, the recipient can also copy and print the information in the email.
    2. Do Not Forward means in addition to the sign in prompt for encryption, the recipient also cannot forward the email to anyone, and they cannot print or copy the information from the email.
  4. The label and encryption will be noted and displayed on the message draft, as well as on the message that stored in the Outlook Sent folder.

    Encrypt (Encrypt-Only) means that the recipient will need to sign in with their credentials and password for their email account. The email can be forwarded, the recipient can also copy and print the information in the email.
    Outlook Desktop Version View

    The label and encryption will be noted and displayed on the message draft, as well as on the message that stored in the Outlook Sent folder.
    Outlook on the Web View

Receiving an Encrypted Email

More information on Email Encryption is available at this Microsoft Support Page. This page also contains information, for the person receiving the message, to un-encrypt the message.

When you send an encrypted email, the recipient will not be able to view the content immediately. Within the body of the message they receive, will be a button to Read the message. This example is from a Gmail account.
When you send an encrypted email, the recipient will not be able to view the content immediately. Within the body of the message they receive, will be a button to Read the message

The recipient will need to sign in with the credentials for their email account to view the message.
The recipient will need to sign in with the credentials for their email account to view the message.

The Gmail account does not need to be tied to a Microsoft account to view the encrypted message.
The Gmail account does not need to be tied to a Microsoft account to view the encrypted message.

Office Files: Microsoft Purview

Once a file is saved to an SVSU network or cloud storage, it will be scanned and a sensitivity label applied.  File owners and those it is shared with, will need to be logged in to Office with an associated Microsoft account, like their SVSU account, based on their view or edit permission to the file.  This should be noted when using Office on a personally owned computer.

Automatic Sensitivity Classification Labels

Every new file will be scanned and have a sensitivity label automatically applied. A notification will appear stating which label has been applied. The notification can be dismissed by clicking OK.

A notification will appear stating which label has been applied. The notification can be dismissed by clicking OK.

To view the sensitivity label on existing files (J drive, OneDrive, and SharePoint within Teams), click on the Sensitivity Label icon.

Hovering over each label option provides a list of what type of information is contained within that category.

Hovering over each label option provides a list of what type of information is contained within that category.
Online Office File View
 

To view the sensitivity label on existing files (J drive, OneDrive, and SharePoint within Teams), click on the Sensitivity Label icon.
Desktop Version File View

Adjust Incorrect Labels

The automatic sensitivity label can be adjusted. If this conflicts with the actual categorization as well as policy, please do not modify the label.  Help keep SVSU data safe!

  1. While considering data security, be sure to create a ticket at mysupport.svsu.edu regarding the mislabeling of a file. 
  2. Click on the Sensitivity Label icon, shown above.
  3. When prompted, select the appropriate justification for making the label change. These changes are reviewed by IT system admins.
  4. If you selected Other, you will be able to type a reason or comment to explain the change. Other is the only option that offers a place to type a reason for changing the label.
  5. Click Change.

    When prompted, select the appropriate justification for making the label change.  Type a reason or comment to explain the change.  Click Change.

 

Other Types of Files: 7-Zip

For files that are not Office 365 or PDF, it is recommended to use 7-Zip for encryption.  Zipping a file is not ideal for files that need editing often since the file cannot simply be opened, edited and re-saved directly to a .ZIP file.  Using Adobe Acrobat or Microsoft Purvue is a better encryption method for current files that need editing.  7-Zip can also be used as a more generic method of encrypting files that will be sent via Email.  View the Related Articles section, on this page, to view instructions on "Encrypt a Document Using 7-Zip".

Details

Article ID: 93732
Created
Wed 12/4/19 11:30 AM
Modified
Fri 9/22/23 11:32 AM

Related Articles (2)

SVSU staff and faculty have access to Adobe Creative Cloud software suite through their login credentials. The Enterprise license for Adobe includes a full suite of over 20 applications for graphic design, video editing, web development, and Acrobat Pro for editing PDFs. This guide covers how to install the Adobe Creative Cloud software suite.
Use these methods to encrypt email messages and/or attachments for secure sending to other people.