Skip to main content
  • Subscribe by RSS
  • Ex Libris Knowledge Center

    Ex Libris Data Classification Policy

    Version 2.4

    Purpose and Scope

    Ex Libris, a ProQuest company, proactively strives to maintain the security and integrity of all data it holds in the Ex Libris cloud environment. The purpose of this document is to ensure that information is protected at an appropriate level. This policy applies to all Ex Libris information, in all forms, including but not limited to paper, electronic, and voice. This policy ensures that Ex Libris information assets are classified so that they receive the appropriate level of protection. 


    Information Owner – is the person who creates the information and/ or is responsible for the information.

    Information Classifications

    Role and Responsibility

    Steps and responsibilities for information management are the following: 

    Role Responsibility
    1. Assigning classification level for information Asset owner
    2. Labeling the information Asset owner
    3. Handling the information Individual authorized to access the information

    Information received by Ex Libris from outside sources will be classified by the Ex Libris Chief Information Security Officer (CISO) as required by this policy. The Ex Libris CISO will also identify the asset owner within Ex Libris.

    Classification of Information

    Classification Criteria

    The level of classification is determined based on the following criteria: 

    • Value of information as identified during risk assessment.
    • Severity and criticality of information - based on the probability and/or the likelihood against the information that is defined the criticality. 
    • Legal and contractual obligations - based on the Ex Libris legal counsel requirements.

    Classification Levels

    There are three classification levels:

    • Public
    • Internal
    • Confidential

    The table below notes the criteria for the classification, required labeling for the asset, the access restrictions, and examples of each type of classification.

    Classification Level Classification Label Classification Criteria Access Restrictions  Examples 



    Data that has no impact on the availability, integrity, or confidentiality of the system

    Information is publicly available to anyone. Use may be subject to copyright restrications.

    • Advertisements

    • Catalogs

    • Job opening announcements

    • Press releases

    • Public website content



    Information that is intended to be used internally only in day-to-day operations. Information not approved for use outside Ex Libris where its loss would inconvenience the organization or management but where disclosure is unlikely to result in financial loss or affect privacy.

    Information is available to all Ex Libris employees, certain contractors and advisors subject to confidentiality obligations.

    For internal business purposes only. Remote access through an approved Clarivate VPN (virtual private network).

    • Internal security procedures and processes

    • Meeting minutes

    • Details of internal events

    • Administrative processes

    • Floor plans

    • Internal standards and guidelines


    If in doubt, treat information posted on our intranet as Non-Public.



    Sensitive data which if disclosed would have a business impact. This includes but is not limited to a critical business impact for our business (usually reputational, regulatory or financial).

    A critical impact to our business is one which is so serious that it calls into question our credibility, damages our reputation, raises the danger of customer cancellations, or otherwise causes significant business damage.

    Unauthorized disclosure, alteration or destruction could cause a significant level of risk to the company or impact privacy.  

    Information is available only to specific employees based on need to know and least privileges.

    It can only be disclosed to third parties subject to appropriate legal/contractual safeguards and where required, the approval of a designated manager or director.

    • Human Resource personal information about individuals

    • Company financial information

    • Customer data, including customer contact information (mailing address, email, etc.)

    • Sensitive customer or partner data

    • Sensitive data

    • Regulated data

    • Vendor lists

    • Contracts

    • Stockholder and option holder records

    • Employee lists or org. charts


    If it is unclear how information has been classified, it should be assumed to be Confidential.


    Authorized Persons

    Confidential information may only be accessed by individuals authorized to access that information. All access is on a need to know basis.

    Information Labeling

    Information assets will be labeled to reflect their classification level. 

    Handling Information

    Information assets may be taken off-premises only after obtaining authorization in accordance with the IT Security Policy.
    The method for secure, erasure and destruction of media is prescribed in the Data Disposal section of this policy. 

    Protection Requirements 
    Asset Type Confidential Internal Use Only Public
    Paper Documents
    • Do not leave unattended and store securely. Implement additional controls as necessary to comply with applicable legal & regulatory requirements.

    Take reasonable care:

    • The document must be stored in a locked cabinet

    • The document may be transferred within the organization only

    • Documents must immediately be removed from printers or fax machines

    No special safeguards:

    • The document can be publicly shared  

    • Faxing the document is allowed

    Electronic Documents and Media
    • Encrypt on all environments (cloud and back-up sites).

    • Store within a controlled-access system, on fully encrypted, company-owned equipment.

    • Lock equipment when not in use or when unattended.

    • Do not store electronic files on a personally owned device.

    • Store only on a company-owned encrypted portable storage device.

    • Store within a controlled-access system, on fully encrypted, company-owned equipment. Lock equipment when not in use or when unattended.

    • Do not store electronic files on a personally owned device.

    • Store on a company-owned portable storage device.

    No special safeguards

    Electronic storage media
    • Media or files must be password protected
    • The media may only be kept in rooms with controlled physical access
    • Media or file must be protected from external access
    • The storage media can be shared
    Information systems
    • Only authorized persons may have access

    • Access to the information system must be protected by a strong password

    • The screen must be Automatically locked after at least 20 minutes of inactivity

    • Data in transit must have https encryption.

    • Users must log out of the information system if they have temporarily or permanently left the workplace

    • The information must password protected  

    • The information  can be shared


    Data Disposal

    Data must be deleted in accordance with the NIST 800-88 standard for clearing and sanitizing data on writable media. Disks and tapes must be destroyed once they are no longer needed. CDs that are no longer needed must be destroyed using a CD/DVD crusher or shredder. All storage devices that may need to be used again must be wiped in accordance with NIST 800-88.

    Policy Enforcement

    Failure to comply with this policy will result in disciplinary action up to and including termination of employment.


    Record of Changes

    Type of Information Document Data

    Document Title:

    Ex Libris Data Classification Policy

    Document Owner:

    Tomer Shemesh - Ex Libris Chief Information Security Officer (CISO)

    Approved by:

    Barak Rozenblat - VP Cloud Services


    Feb 22, 2013

    Reviewed & Revised:

    July 6, 2022


    Revision Control

    Version Number Nature of Change Date Approved


    Initial version

    Feb 22, 2013


    Review and update - Tomer S

    Feb 20, 2014


    Update of classification levels -  Ellen A

    Feb 22, 2015


    Review and update -Tomer S

    Apr 11, 2016


    Review and update - Tomer S

    Jan 1, 2017


    Review and update - Tomer S

    May 15, 2018


    Review and update - Tomer S

    Jun 5, 2019


    Review and update - Tomer S

    Apr 23, 2020


    Review and update - Tomer S

    Aug 8, 2021


    Review and update - Tomer S

    July 6, 2022



    Document Distribution and Review

    The document owner will distribute this document to all approvers when it is first created and as changes or updates are made. This document will be reviewed and updated annually or upon written request by an approver or stakeholder. Questions or feedback about this document can be directed to the owner or a listed approver

    • Was this article helpful?