
    Ex Libris Data Classification Policy

    Version 2.4

    Purpose and Scope

    Ex Libris, a ProQuest company, proactively strives to maintain the security and integrity of all data it holds in the Ex Libris cloud environment. The purpose of this document is to ensure that information is protected at an appropriate level. This policy applies to all Ex Libris information, in all forms, including but not limited to paper, electronic, and voice. This policy ensures that Ex Libris information assets are classified so that they receive the appropriate level of protection. 

    Definition

    Information Owner – the person who creates the information and/or is responsible for the information.

    Information Classifications

    Role and Responsibility

    Steps and responsibilities for information management are the following: 

    Role | Responsibility
    1. Assigning classification level for information | Asset owner
    2. Labeling the information | Asset owner
    3. Handling the information | Individual authorized to access the information

    Information received by Ex Libris from outside sources will be classified by the Ex Libris Chief Information Security Officer (CISO) as required by this policy. The Ex Libris CISO will also identify the asset owner within Ex Libris.

    Classification of Information

    Classification Criteria

    The level of classification is determined based on the following criteria: 

    • Value of information as identified during risk assessment.
    • Severity and criticality of information - based on the probability and/or the likelihood against the information, which defines the criticality.
    • Legal and contractual obligations - based on the Ex Libris legal counsel requirements.

    Classification Levels

    There are three classification levels:

    • Public
    • Internal
    • Confidential

    The table below notes the criteria for the classification, required labeling for the asset, the access restrictions, and examples of each type of classification.

    Classification Level: Public

    Classification Label: "Public"

    Classification Criteria: Data that has no impact on the availability, integrity, or confidentiality of the system

    Access Restrictions: Information is publicly available to anyone. Use may be subject to copyright restrictions.

    Examples:

    • Advertisements
    • Catalogs
    • Job opening announcements
    • Press releases
    • Public website content

    Classification Level: Internal

    Classification Label: "Internal"

    Classification Criteria: Information that is intended to be used internally only in day-to-day operations. Information not approved for use outside Ex Libris where its loss would inconvenience the organization or management but where disclosure is unlikely to result in financial loss or affect privacy.

    Access Restrictions: Information is available to all Ex Libris employees, certain contractors and advisors subject to confidentiality obligations.

    For internal business purposes only. Remote access through an approved Clarivate VPN (virtual private network).

    Examples:

    • Internal security procedures and processes
    • Meeting minutes
    • Details of internal events
    • Administrative processes
    • Floor plans
    • Internal standards and guidelines

    If in doubt, treat information posted on our intranet as Non-Public.

    Classification Level: Confidential

    Classification Label: "Confidential"

    Classification Criteria: Sensitive data which if disclosed would have a business impact. This includes but is not limited to a critical business impact for our business (usually reputational, regulatory or financial).

    A critical impact to our business is one which is so serious that it calls into question our credibility, damages our reputation, raises the danger of customer cancellations, or otherwise causes significant business damage.

    Unauthorized disclosure, alteration or destruction could cause a significant level of risk to the company or impact privacy.

    Access Restrictions: Information is available only to specific employees based on need to know and least privileges.

    It can only be disclosed to third parties subject to appropriate legal/contractual safeguards and where required, the approval of a designated manager or director.

    Examples:

    • Human Resource personal information about individuals
    • Company financial information
    • Customer data, including customer contact information (mailing address, email, etc.)
    • Sensitive customer or partner data
    • Sensitive data
    • Regulated data
    • Vendor lists
    • Contracts
    • Stockholder and option holder records
    • Employee lists or org. charts

    If it is unclear how information has been classified, it should be assumed to be Confidential.

     

    Authorized Persons

    Confidential information may only be accessed by individuals authorized to access that information. All access is on a need-to-know basis.

    Information Labeling

    Information assets will be labeled to reflect their classification level. 

    Handling Information

    Information assets may be taken off-premises only after obtaining authorization in accordance with the IT Security Policy.
    The method for secure erasure and destruction of media is prescribed in the Data Disposal section of this policy.

    Protection Requirements 
    Asset Type Confidential Internal Use Only Public
    Paper Documents
    • Do not leave unattended and store securely. Implement additional controls as necessary to comply with applicable legal & regulatory requirements.

    Take reasonable care:

    • The document must be stored in a locked cabinet

    • The document may be transferred within the organization only

    • Documents must immediately be removed from printers or fax machines

    No special safeguards:

    • The document can be publicly shared  

    • Faxing the document is allowed

    Electronic Documents and Media
    • Encrypt on all environments (cloud and back-up sites).

    • Store within a controlled-access system, on fully encrypted, company-owned equipment.

    • Lock equipment when not in use or when unattended.

    • Do not store electronic files on a personally owned device.

    • Store only on a company-owned encrypted portable storage device.

    • Store within a controlled-access system, on fully encrypted, company-owned equipment. Lock equipment when not in use or when unattended.

    • Do not store electronic files on a personally owned device.

    • Store on a company-owned portable storage device.

    No special safeguards

    Electronic storage media
    • Media or files must be password protected
    • The media may only be kept in rooms with controlled physical access
    • Media or file must be protected from external access
    • The storage media can be shared
    Information systems
    • Only authorized persons may have access

    • Access to the information system must be protected by a strong password

    • The screen must be automatically locked after at least 20 minutes of inactivity

    • Data in transit must have HTTPS encryption.

    • Users must log out of the information system if they have temporarily or permanently left the workplace

    • The information must be password protected

    • The information can be shared

     

    Data Disposal

    Data must be deleted in accordance with the NIST 800-88 standard for clearing and sanitizing data on writable media. Disks and tapes must be destroyed once they are no longer needed. CDs that are no longer needed must be destroyed using a CD/DVD crusher or shredder. All storage devices that may need to be used again must be wiped in accordance with NIST 800-88.

    Policy Enforcement

    Failure to comply with this policy will result in disciplinary action up to and including termination of employment.

     

    Record of Changes

    Type of Information | Document Data
    Document Title: | Ex Libris Data Classification Policy
    Document Owner: | Tomer Shemesh - Ex Libris Chief Information Security Officer (CISO)
    Approved by: | Barak Rozenblat - VP Cloud Services
    Issued: | Feb 22, 2013
    Reviewed & Revised: | July 6, 2022

     

    Revision Control

    Version Number | Nature of Change | Date Approved
    1.0 | Initial version | Feb 22, 2013
    1.1 | Review and update - Tomer S | Feb 20, 2014
    1.2 | Update of classification levels - Ellen A | Feb 22, 2015
    1.3 | Review and update - Tomer S | Apr 11, 2016
    1.4 | Review and update - Tomer S | Jan 1, 2017
    2.0 | Review and update - Tomer S | May 15, 2018
    2.1 | Review and update - Tomer S | Jun 5, 2019
    2.2 | Review and update - Tomer S | Apr 23, 2020
    2.3 | Review and update - Tomer S | Aug 8, 2021
    2.4 | Review and update - Tomer S | July 6, 2022

     

     

    Document Distribution and Review

    The document owner will distribute this document to all approvers when it is first created and as changes or updates are made. This document will be reviewed and updated annually or upon written request by an approver or stakeholder. Questions or feedback about this document can be directed to the owner or a listed approver.
