Ex Libris Data Classification Policy
Version 2.0
Purpose and Scope
Ex Libris, a ProQuest company, proactively strives to maintain the security and integrity of all data it holds in the Ex Libris cloud environment. The purpose of this document is to ensure that information is protected at an appropriate level. This policy applies to all Ex Libris information in all forms, including but not limited to paper, electronic, and voice. This policy ensures that Ex Libris information assets are classified so that they receive the appropriate level of protection.
Definition
Information Owner – the person who creates the information and/or is responsible for the information.
Reference Documents
Information Classifications
Role and Responsibility
Steps and responsibilities for information management are the following:
Step | Responsibility |
---|---|
1. Entering the information asset in the Inventory of Assets | Asset owner |
2. Assigning classification level for information | Asset owner |
3. Labeling the information | Asset owner |
4. Handling the information | Individual authorized to access the information |
Information received by Ex Libris from outside sources will be classified by the Ex Libris Chief Information Security Officer (CISO) as required by this policy. The Ex Libris CISO will also identify the asset owner within Ex Libris.
Classification of Information
Classification Criteria
The level of classification is determined based on the following criteria:
- Value of information - based on impacts assessed during risk assessment.
- Severity and criticality of information - based on the probability and/or likelihood against the information, which defines its criticality.
- Legal and contractual obligations - based on the Ex Libris legal counsel requirements.
Classification Levels
There are three classification levels:
- Public
- Internal Use Only
- Confidential
The table below lists the criteria for each classification, the required labeling of the asset, the access restrictions, and examples for each type of classification.
Classification Level | Classification Label | Classification Criteria | Access Restrictions | Examples |
---|---|---|---|---|
Public | (Unlabeled) | Data that has no impact on the availability, integrity, or confidentiality of the system | Information is publicly available to anyone | Press releases |
Internal Use Only | Internal Use Only | Information not approved for use outside Ex Libris where its loss would inconvenience the organization or management but where disclosure is unlikely to result in financial loss or affect privacy. | Information is available to all Ex Libris employees. | |
Confidential | Ex Libris Confidential | Unauthorized disclosure, alteration or destruction could cause a significant level of risk to the company or impact privacy. | Information is available only to specific employees based on need to know and least privileges. | |
Authorized Persons
Confidential information may only be accessed by those individuals authorized to access that information. All access is on a need-to-know basis.
Information Labeling
Information assets will be labeled to reflect their classification level.
Handling Information
Information assets may be taken off-premises only after obtaining authorization in accordance with the IT Security Policy.
The method for secure erasure and destruction of media is prescribed in the Data Disposal section of this policy.
Protection Requirements | | | |
---|---|---|---|
Asset Type | Confidential | Internal Use Only | Public |
Paper Documents | | | |
Electronic Documents | | | |
Electronic storage media | | | |
Information systems | | | |
Data Disposal
Data must be deleted in accordance with the NIST 800-88 standard for clearing and sanitizing data on writable media. Disks and tapes must be destroyed once they are no longer needed. CDs that are no longer needed must be destroyed by a CD/DVD crusher or shredder. All storage devices that may need to be used again must be wiped in accordance with NIST 800-88.
Policy Enforcement
Any employee found to willfully or intentionally violate this policy may be subject to disciplinary action, up to and including termination of employment.
Record of Changes
Type of Information | Document Data |
---|---|
Document Title: | Ex Libris Data Classification Policy |
Document Owner: | Tomer Shemesh - Ex Libris Chief Information Security Officer (CISO). |
Approved by: | Eyal Alkalay – Ex Libris Sr. Director of Cloud Engineering |
Issued: | Feb 22, 2013 |
Reviewed & Revised: | May 15, 2018 |
Revision Control
Version Number | Nature of Change | Date Approved |
---|---|---|
1.0 | Initial version | Feb 22, 2013 |
1.1 | Review and update - Tomer S | Feb 20, 2014 |
1.2 | Update of classification levels - Ellen A | Feb 22, 2015 |
1.3 | Review and update - Tomer S | Apr 11, 2016 |
| | Review and update - Tomer S | Jan 01, 2017 |
2.0 | Review and update - Tomer S | May 15, 2018 |
Document Distribution and Review
The document owner will distribute this document to all approvers when it is first created and as changes or updates are made. This document will be reviewed and updated annually or upon written request by an approver or stakeholder. Questions or feedback about this document can be directed to the owner or a listed approver.