9.1.6 Ensure 'Allow users to apply sensitivity labels for content' is 'Enabled'

Information

Information protection tenant settings help to protect sensitive information in the Power BI tenant. Allowing and applying sensitivity labels to content ensures that information is only seen and accessed by the appropriate users.

The recommended state is Enabled or Enabled for a subset of the organization.

Note: Sensitivity labels and protection are only applied to files exported to Excel, PowerPoint, or PDF files, that are controlled by 'Export to Excel' and 'Export reports as PowerPoint presentation or PDF documents' settings. All other export and sharing options do not support the application of sensitivity labels and protection.

Note 2: There are some prerequisite steps that need to be completed in order to fully utilize labeling. See here.

Rationale:

Establishing data classifications and affixing labels to data at creation enables organizations to discern the data's criticality, sensitivity, and value. This initial identification enables the implementation of appropriate protective measures, utilizing technologies like Data Loss Prevention (DLP) to avert inadvertent exposure and enforcing access controls to safeguard against unauthorized access.

This practice can also promote user awareness and responsibility in regard to the nature of the data they interact with. Which in turn can foster awareness in other areas of data management across the organization.

Impact:

Additional license requirements like Power BI Pro are required, as outlined in the Licensed and requirements page linked in the description and references sections.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

Enable sensitivity labels:

Navigate to Microsoft Fabric https://app.powerbi.com/admin-portal

Select Tenant settings.

Scroll to Information protection.

Set Allow users to apply sensitivity labels for content to one of these states:

State 1: Enabled

State 2: Enabled with Specific security groups selected and defined.

Default Value:

Disabled

See Also

https://workbench.cisecurity.org/benchmarks/15279

Item Details

Category: PROGRAM MANAGEMENT, RISK ASSESSMENT

References: 800-53|PM-5, 800-53|RA-2

Plugin: microsoft_azure

Control ID: 19d1764f28f006de06cc5a6186fd8e8591d3e639b9728b332cc03afd091a3a3e