SVSU recommends not storing documents with sensitive information in them. Whenever possible, we ask that you delete the file and then be sure to empty the file from the recycle bin.
If removing the file is not possible, use 7-Zip or MS Purview to encrypt the file.
MS Purview is a service that helps manage and secure data across various platforms, ensuring compliance with privacy regulations and enhancing data protection. Purview uses a system of labels to classify data stored within an email or document. These labels are applied within Office 365 when data has been scanned and identified.
View Enabling Technologies Purview Workshop Recording
Sending unencrypted email messages containing sensitive financial data or Personally Identifiable Information, whether written in the body or included as an attachment, is a violation of SVSU policy. Unencrypted email is sent in clear text that can easily be intercepted and read by anyone while in transit.
Examples of Sensitive Data:
- Social Security numbers
- Driver’s License numbers
- Passport numbers
- State-issued ID numbers
- Any bank/financial account numbers
- Credit/debit card numbers
- Protected health information
- Documents protected by attorney-client privilege
- Any passwords or authentication credentials
Select Encryption Format
7-Zip
When storing working documents, they should remain in their original Microsoft formats such as Word (.docx) or Excel (.xlsx) so they can be easily opened, edited, and saved during normal use. Microsoft Purview helps protect these documents while they are stored by applying organizational data protection and sensitivity controls.
When files need to be shared externally through email, it is recommended to use 7-Zip to create an encrypted archive before sending. This allows the original document to remain unchanged while providing password protection during transmission. Using 7-Zip is a simple and consistent method for securely sharing files by email, while keeping the editable source documents stored in their native Microsoft formats.
When a file is sent using 7-Zip encryption, the recipient will receive a password-protected ZIP attachment. They must download the ZIP file and enter the password you provided to open the file.
Install 7-Zip
Before installing, check if 7-Zip is already installed on your computer.
- Click the Start button on your SVSU computer and type Software Center (note there is no dialog box, just start typing). You will see a dialog box similar to the one below - click on Software Center.

- Software Center will open and you will see a screen similar to the one below - click on 7-Zip and then click Install in the next dialog box. 7-Zip will be installed.
If you do not see 7-Zip, please open a ticket at mysupport.svsu.edu. Ask for assistance with running Configuration Manager, using the following as the ticket description: "I'm trying to install 7-Zip and it does not show in Software Center. I need assistance running Control Panel > System Security > Configuration Manager > Actions > Machine Policy Retrieval & Evaluation Cycle. Please assign this ticket to Technical Support per the Encrypting eMail Attachments Knowledge Article." A technician will contact you and assist in getting 7-Zip into Software Center for you.

Encrypt Files
- Open File Explorer on your computer.
- Select the files that you want to send as encrypted files by holding down the CTRL button and clicking to select multiple files.
- Release the CTRL button and right-click within the highlighted, selected files, select 7-Zip, then Add to Archive.
- Set the following items in the dialog box to these values (i.e. leave all defaults except those listed below):
  - Change the filename and the location where you want the file to be stored. The ... buttons allow you to select the storage location. The white dialog box is the file name.
  - Archive format - zip
  - Encryption method - ZipCrypto
  - Enter the password
  - Reenter the password
  - Click OK
- The zipped file will be stored in the location you specified in the first bullet above.
- The encrypted zip file can now be attached to an email.
- If the recipient has an up-to-date version of Windows, they will be able to decrypt it with Windows Explorer without needing to have 7-Zip installed.
- You will need to provide them the password that you created when you encrypted the file.
- The user will receive the file in their email. They will need to download the file and open it using the password you supplied them.
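A check you can run on the archive produced by the steps above before attaching it, shown as an added example (not SVSU's or 7-Zip's own code): it reads the ZIP directory without any password, which also shows that file names inside an encrypted ZIP stay readable, so sensitive values should not appear in the names. The function names and the sample archive are hypothetical; the sample is constructed in memory and its encryption flag is set by hand.

```python
import io
import zipfile

AES_METHOD = 99  # WinZip AES entries record compression method 99


def audit_zip(data: bytes):
    """Return (file name, scheme) for every entry, read WITHOUT a password."""
    report = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if not info.flag_bits & 0x1:        # bit 0 set = entry is encrypted
                scheme = "none"
            elif info.compress_type == AES_METHOD:
                scheme = "AES"
            else:
                # Assumption: a 7-Zip-made .zip; its other option is ZipCrypto.
                scheme = "ZipCrypto"
            report.append((info.filename, scheme))
    return report


def unencrypted_entries(data: bytes):
    """Names of entries that anyone could open without the password."""
    return [name for name, scheme in audit_zip(data) if scheme == "none"]


def build_sample() -> bytes:
    """Constructed sample archive (not real 7-Zip output, no real data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("payroll_2024.xlsx", b"constructed placeholder")
        zf.writestr("cover_note.txt", b"constructed placeholder")
    raw = bytearray(buf.getvalue())
    # The end-of-central-directory record (last 22 bytes, no comment) holds
    # the central directory offset; the flag word sits 8 bytes into an entry.
    first_entry = int.from_bytes(raw[-6:-2], "little")
    raw[first_entry + 8] |= 0x01                # mark first entry as encrypted
    return bytes(raw)


if __name__ == "__main__":
    sample = build_sample()
    for name, scheme in audit_zip(sample):
        print(f"{name}: {scheme}")
    print("Not encrypted:", unencrypted_entries(sample))
```

For a real archive, pass the file's bytes to `audit_zip`; an empty result from `unencrypted_entries` means every entry requires the password.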
Office 365
MS Purview is a service that helps manage and secure data across various platforms, ensuring compliance with privacy regulations and enhancing data protection. Purview uses a system of labels to classify data stored within an email or document. These labels are applied within Adobe Acrobat and Office 365 when data has been scanned and identified.
Classifications
Thank you to Enabling Technologies for the permission to use their Purview training instructions, below.
There are many different labels that can be applied to emails, files, and documents. These are the ones we have implemented. The GLBA label will include items from the other categories, so it is the most comprehensive label.
Automatic labeling is applied when the content of a file or message meets a certain confidence level. The confidence level is based on the amount of supporting evidence detected. View this support article from Microsoft regarding Purview Confidence Levels.
Label classifications are listed in order from the lowest to the highest sensitivity:
- General - This will be applied when there is no label specified.
- Personal - This should be applied to non-work-related records.
- Personally Identifiable Information (PII) – Full names, Social Security Numbers, Driver’s License number, financial information, and medical records. This should be encrypted and be defined by the end user who can decrypt.
- Financial Data - Anything related to financial activities and performance of a business or person. This could include data about monetary transactions, assets, income, liabilities, net worth, credit ratings, financial statements, and other indicators of profitability and growth. This should be encrypted and be defined by the end user who can decrypt.
- Gramm-Leach-Bliley Act (GLBA) - Social security numbers, credit card numbers, full names, U.S./U.K. passport numbers, U.S. driver's license numbers and U.S. physical addresses. This may also include items such as budget proposals, financial statements and reports, and tax information such as tax planning documents, tax forms, tax filing related documents and tax regulation documents.
- Confidential: Internal Use Only and Recipient Only
  - Internal Use Only - Documentation or files that are confidential to the university. Only persons with an @svsu.edu email address will be able to decrypt the content.
  - Recipient Only - Documentation or files that are intended for a specific person only. Recipients will need to verify their identity prior to decrypting.
Outlook Email
Automatic Sensitivity Classification Labels
- When an email contains sensitive information, an automatic label will be applied. If the information contained in the email conflicts with our policy, a notification will also appear. To view the reason for the notification, click on Show details.
- After reading the details, if it is still unclear why a specific label was placed on an email, click Learn more to bring up details and Report if the label is incorrect. Learn more about reporting incorrect labels, below.

- If the policy notification is ignored and the user still tries to send the email to the unauthorized recipient, a notification will appear stating that the email has been prevented from being sent because it conflicts with the policy.

Adjust and Report Incorrect Labels
Report Incorrect Labels
If the email is labeled incorrectly, but it needs to get sent out immediately, please:
1 - Click Report.
2 - Contact IT Support by calling 989-964-4225.
If the email is not urgent, please click Report and then email support@svsu.edu or create a ticket at mysupport.svsu.edu.
The automatic sensitivity label can be adjusted. If this conflicts with the actual categorization as well as policy, please do not modify the label. Help keep SVSU data safe!
- While considering data security, follow the instructions above to Report the incorrect label to IT Support.
- Then, click the Sensitivity icon and select the appropriate security label. The icon is at the top of Outlook on the Web (stamp) or at the right of the Subject in Outlook Desktop Version (shield with lock).

Outlook on the Web View

Outlook Desktop Version View
- When prompted, select the appropriate justification for making the label change. These changes are reviewed by IT system admins.
- If you selected Other, you will be able to type a reason or comment to explain the change. Other is the only option that offers a place to type a reason for changing the label.
- Click Change.

Manually Apply a Sensitivity Label
To apply a sensitivity label to an email that was not automatically identified:
- Click Options.
- Click the stamp icon.
- Select the appropriate label option for the email.
- When determining which Confidential option to use:
  - Internal Use Only will allow anyone within SVSU to view the information.
  - Recipient Only (Do not forward) limits the ability to view the information to the person(s) you are sending the email to. Printing is not available when using this option.

Manually Encrypt an Email Message and Attachments
To skip labeling, but still encrypt email messages and attachments:
- Click Options.
- Click the Encrypt (padlock) icon.
- Select the desired permission.
  - Encrypt (Encrypt-Only) means that the recipient will need to sign in with their credentials and password for their email account. The email can be forwarded, and the recipient can also copy and print the information in the email.
  - Do Not Forward means that, in addition to the sign-in prompt for encryption, the recipient cannot forward the email to anyone, and they cannot print or copy the information from the email.
- The label and encryption will be noted and displayed on the message draft, as well as on the message that is stored in the Outlook Sent folder.

Outlook Desktop Version View

Outlook on the Web View
Receiving an Encrypted Email
More information on Email Encryption is available at this Microsoft Support Page. This page also contains information for the person receiving the message on how to decrypt the message.
When you send an encrypted email, the recipient will not be able to view the content immediately. The body of the message they receive will contain a button to Read the message. This example is from a Gmail account.

The recipient will need to sign in with the credentials for their email account to view the message.

The Gmail account does not need to be tied to a Microsoft account to view the encrypted message.

Office Apps
Once a file is saved to an SVSU network or cloud storage, it will be scanned and a sensitivity label applied. File owners and those the file is shared with will need to be logged in to Office with an associated Microsoft account, like their SVSU account, based on their view or edit permission to the file. This should be noted when using Office on a personally owned computer.
Automatic Sensitivity Classification Labels
Every new file will be scanned and have a sensitivity label automatically applied. A notification will appear stating which label has been applied. The notification can be dismissed by clicking OK.

To view the sensitivity label on existing files (J drive, OneDrive, and SharePoint within Teams), click on the Sensitivity Label icon.
Hovering over each label option provides a list of what type of information is contained within that category.

Online Office File View

Desktop Version File View
Adjust Incorrect Labels
The automatic sensitivity label can be adjusted. If this conflicts with the actual categorization as well as policy, please do not modify the label. Help keep SVSU data safe!
- While considering data security, be sure to create a ticket at mysupport.svsu.edu regarding the mislabeling of a file.
- Click on the Sensitivity Label icon, shown above.
- When prompted, select the appropriate justification for making the label change. These changes are reviewed by IT system admins.
- If you selected Other, you will be able to type a reason or comment to explain the change. Other is the only option that offers a place to type a reason for changing the label.
- Click Change.

PDF
Redact Portions of Data within a PDF
When documents are shared with other parties or stored on a computer drive, sensitive or private pieces of information can be redacted from a PDF. Redacting the portions of sensitive data will allow the file to pass information protection and data loss prevention scans because the text or images are permanently removed from the PDF file.
Follow instructions at this Adobe support page on How to Redact a PDF.
Adobe Password Protection
Adobe Acrobat is required to apply password protection. Installation instructions are found in the Related Articles section of this page, under Adobe Creative Cloud Installation Guide.
This is a quick guide on how to encrypt a PDF and assign a password using Adobe Acrobat. For a detailed explanation of each step, refer to the Adobe support article on adding passwords to PDFs.
- Open the PDF in Acrobat, and do one of the following:
  - Choose File > Protect Using Password.
- If you receive a prompt, click Yes to change the security.
- Decide between allowing Viewing or Editing access, and then type and retype your password. Your password must be at least six characters long.
- Click Apply. Acrobat displays a confirmation message that the file was successfully protected using password.
Once you assign a password to the file, please call the people you are sharing the file with to let them know the password. DO NOT email the password along with the file or in a separate email. Email is not secure and can be openly read among network traffic.