Skip to main content
  • Subscribe by RSS
  • Ex Libris Knowledge Center

    Ex Libris Data Classification Policy

    Version 1.4
    Newer version available.

    Purpose and Scope

    Ex Libris, a ProQuest company, proactively strives to maintain the security and integrity of all data it holds in the Ex Libris cloud environment. The purpose of this document is to ensure that information is protected at an appropriate level. This document is applied to all types of information, regardless of the form - paper or electronic documents, to ensure the protection of information assets from unauthorized access. This policy ensure that Ex Libris information assets received an appropriate level of protection by observing this data classification policy.


    Information Owner – is the person who creates the information and/ or is responsible for the information.

    Classification Process

    Steps and Responsibility

    Steps and responsibilities for information management are the following: 

    Step name Responsibility
    1. Entering the information asset in the Inventory of Assets Asset owner
    2. Classification of information Asset owner
    3. Information labeling Asset owner
    4. Information handling Persons with access rights in accordance with this Policy

    Information received by Ex Libris from outside sources will be classified by the Ex Libris Chief Information Security Officer (CISO) as required by this policy.  The Ex Libris CISO will also identify the asset owner within Ex Libris.

    Classification of Information

    Classification Criteria

    The level of classification is determined based on the following criteria: 

    • Value of information - based on impacts assessed during risk assessment.
    • Severity and criticality of information - based on the probability and or the likelihood against the information that is defined the criticality. 
    • Legal and contractual obligations - based on the Ex Libris legal counsel requirements.

    Classification Levels

    All information must be classified into confidentiality levels.

    Classification Level Classification Label Classification Criteria Access Restrictions  Examples 



    Data that has no impact on the availability, integrity, or confidentiality of the system

    Information is publically available to anyone

    • Press releases

    Internal Use Only

    Internal Use Only

    Information not approved for use outside Ex Libris where its loss would inconvenience the organization or management but where disclosure is unlikely to result in financial loss or affect privacy.

    Information is available to all Ex Libris employees.

    • Internal security procedures and processes
    • meeting minutes


    Ex Libris Confidential

    Unauthorized disclosure, alteration or destruction could cause a significant level of risk to the company or impact privacy.

    Information is available only to specific employees based on need to know and least privileges.

    • Human Resource personal information about individuals
    • Company financial information


    Authorized Persons

    Confidential information may only be accessed by those individuals authorized to that information.  All access is on a need to know basis.

    Information Labeling

    Information assets will be labeled to reflect their classification level. 

    Handling Information

    Information assets may be taken off-premises only after obtaining authorization in accordance with the IT Security Policy.
    The method for secure, erasure and destruction of media is prescribed in the Data Disposal section of this policy. 

    Classification LevelAsset Type Confidential Internal Use Only Public
    Paper Documents
    • Documents may only be kept in rooms without public access documents must be regularly removed from printers or fax machines
    • The document must be stored in a locked cabinet
    • The document may be transferred within the organization only
    • Documents must immediately be removed from printers or fax machines
    • The document can be publically shared  
    • Faxing the document is allowed
    Electronic Documents
    • Access to the information system where the document is stored must be protected by a strong password 
    • The screen on which the document is displayed must be automatically locked after 20 minutes of inactivity
    • When files are transmitted,  they must be securely protected
    • Only persons with authorization for this document may access the part of the information system where this document is stored
    • The document can be shared   
    Electronic storage media
    • Media or files must be password protected
    • The media may only be kept in rooms with controlled physical access
    • Media or file must be protected from external access
    • The storage media can be shared
    Information systems
    • Only authorized persons may have access
    • Access to the information system must be protected by a strong password
    • The screen must be Automatically locked after at least 20 minutes of inactivity
    • Data in transit must have https encryption.
    • Users must log out of the information system if they have temporarily or permanently left the workplace
    • The information must password protected  
    • The information  can be shared


    Data Disposal

    Ex Libris has strict procedures and a policy for handling obsolete removable media based on the NIST 800-88 standard for clearing and sanitizing data on writable media. These procedures are also applied if a customer decides to terminate the service. Disks and tapes are destroyed once they are no longer needed. CDs that are no longer needed are destroyed by a CD/DVD data crusher or shredder. All storage devices that may need to be used again are cleaned by data wipe software.

    Policy Enforcement

    Any employee found to willfully or intentionally violate this policy may be subject to disciplinary action, up to and including termination of employment.


    Record of Changes

    Type of Information Document Data

    Document Title:

    Ex Libris Data Classification Policy

    Document Owner:

    Tomer Shemesh - Ex Libris Chief Information Security Officer (CISO).

    Approved by:

    Eyal Alkalay – Ex Libris Sr. Director of Cloud Engineering


    Feb 22, 2013

    Reviewed & Revised:

    Jan 01 , 2017


    Revision Control

    Version Number Nature of Change Date Approved


    Initial version

    Feb 22 ,2013


    Review and update - Tomer S

    Feb 20 ,2014


    Update of classification levels -  Ellen A

    Feb 22 ,2015


    Review and update -Tomer S

    Apr 11 ,2016


    Review and update - Tomer S

    Jan 01 ,2017



    Document Distribution and Review

    The document owner will distribute this document to all approvers when it is first created and as changes or updates are made. This document will be reviewed and updated annually or upon written request by an approver or stakeholder. Questions or feedback about this document can be directed to the owner or a listed approver

    • Was this article helpful?