Skip to main content
ExLibris
  • Subscribe by RSS
  • Ex Libris Knowledge Center

    Ex Libris Data Classification Policy

    Version 2.0

    Purpose and Scope

    Ex Libris, a ProQuest company, proactively strives to maintain the security and integrity of all data it holds in the Ex Libris cloud environment. The purpose of this document is to ensure that information is protected at an appropriate level. This policy applies to all Ex Libris information, –in all forms, including but not limited to paper, electronic, and voice. This policy ensures that Ex Libris information assets are classified so that they receive the appropriate level of protection. 

    Definition

    Information Owner – is the person who creates the information and/ or is responsible for the information.

    Information Classifications

    Role and Responsibility

    Steps and responsibilities for information management are the following: 

    Role Responsibility
    1. Entering the information asset in the Inventory of Assets Asset owner
    2. Assigning classification level for information Asset owner
    3. Labeling the information Asset owner
    4. Handling the information Individual authorized to access the information

    Information received by Ex Libris from outside sources will be classified by the Ex Libris Chief Information Security Officer (CISO) as required by this policy.  The Ex Libris CISO will also identify the asset owner within Ex Libris.

    Classification of Information

    Classification Criteria

    The level of classification is determined based on the following criteria: 

    • Value of information - based on impacts assessed during risk assessment.
    • Severity and criticality of information - based on the probability and or the likelihood against the information that is defined the criticality. 
    • Legal and contractual obligations - based on the Ex Libris legal counsel requirements.

    Classification Levels

    There are three classification levels:

    • Public
    • Internal Use Only
    • Confidential

    The table below discusses the criteria for the classification, required labeling of the asset, the access restrictions, and examples for each type of classification

    Classification Level Classification Label Classification Criteria Access Restrictions  Examples 

    Public

    (Unlabeled)

    Data that has no impact on the availability, integrity, or confidentiality of the system

    Information is publicly available to anyone

    Press releases

    Internal Use Only

    Internal Use Only

    Information not approved for use outside Ex Libris where its loss would inconvenience the organization or management but where disclosure is unlikely to result in financial loss or affect privacy.

    Information is available to all Ex Libris employees.

    • Internal security procedures and processes
    • meeting minutes

    Confidential

    Ex Libris Confidential

    Unauthorized disclosure, alteration or destruction could cause a significant level of risk to the company or impact privacy.

    Information is available only to specific employees based on need to know and least privileges.

    • Human Resource personal information about individuals
    • Company financial information

     

    Authorized Persons

    Confidential information may only be accessed by those individuals authorized to that information.  All access is on a need to know basis.

    Information Labeling

    Information assets will be labeled to reflect their classification level. 

    Handling Information

    Information assets may be taken off-premises only after obtaining authorization in accordance with the IT Security Policy.
    The method for secure, erasure and destruction of media is prescribed in the Data Disposal section of this policy. 

    Protection Requirements 
    Asset Type Confidential Internal Use Only Public
    Paper Documents
    • Documents may only be kept in rooms without public access documents must be regularly removed from printers or fax machines
    • The document must be stored in a locked cabinet
    • The document may be transferred within the organization only
    • Documents must immediately be removed from printers or fax machines
    • The document can be publicly shared  
    • Faxing the document is allowed
    Electronic Documents
    • Access to the information system where the document is stored must be protected by a strong password 
    • The screen on which the document is displayed must be automatically locked after 20 minutes of inactivity
    • When files are transmitted,  they must be securely protected
    • Only persons with authorization for this document may access the part of the information system where this document is stored
    • The document can be shared   
    Electronic storage media
    • Media or files must be password protected
    • The media may only be kept in rooms with controlled physical access
    • Media or file must be protected from external access
    • The storage media can be shared
    Information systems
    • Only authorized persons may have access
    • Access to the information system must be protected by a strong password
    • The screen must be Automatically locked after at least 20 minutes of inactivity
    • Data in transit must have https encryption.
    • Users must log out of the information system if they have temporarily or permanently left the workplace
    • The information must password protected  
    • The information  can be shared

     

    Data Disposal

    Data must be deleted in accordance with the NIST 800-88 standard for clearing and sanitizing data on writable media.  Disks and tapes must be destroyed once they are no longer needed.  CDs that are no longer needed must destroyed by a CD/DVD crusher or shredder.  All storage devices that may need to be used again must be wiped in accordance with NIST 800-88. 

    Policy Enforcement

    Any employee found to willfully or intentionally violate this policy may be subject to disciplinary action, up to and including termination of employment.
     

     

    Record of Changes

    Type of Information Document Data

    Document Title:

    Ex Libris Data Classification Policy

    Document Owner:

    Tomer Shemesh - Ex Libris Chief Information Security Officer (CISO).

    Approved by:

    Eyal Alkalay – Ex Libris Sr. Director of Cloud Engineering

    Issued:

    Feb 22, 2013

    Reviewed & Revised:

    May 15, 2018

     

    Revision Control

    Version Number Nature of Change Date Approved

    1.0

    Initial version

    Feb 22 ,2013

    1.1

    Review and update - Tomer S

    Feb 20 ,2014

    1.2

    Update of classification levels -  Ellen A

    Feb 22 ,2015

    1.3

    Review and update -Tomer S

    Apr 11 ,2016

    1.4

    Review and update - Tomer S

    Jan 01 ,2017

    2.0

    Review and update - Tomer S

    May 15 ,2018

     

     

    Document Distribution and Review

    The document owner will distribute this document to all approvers when it is first created and as changes or updates are made. This document will be reviewed and updated annually or upon written request by an approver or stakeholder. Questions or feedback about this document can be directed to the owner or a listed approver

    • Was this article helpful?