Data Classification-Handling.pdf

Full Transcript

DATA CLASSIFICATION
AND HANDLING POLICY
EBSCO Industries Publication

Abstract
Designed to define how data is identified, classified, labeled, properly handled, and
protected in accordance with its importance and potential impact to EBSCO Industries Inc..

CorpIT Information Security
 CORPORATE IT - INFORMATION SECURITY
Data Classification and Handling Policy

Contents
1. Purpose............................................................................................................... 2
2. Scope................................................................................................................... 2
3. Review Frequency.............................................................................................. 2
4. Document References........................................................................................ 2
5. Definitions........................................................................................................... 2
6. Policy Provisions................................................................................................ 3
7. Changes.............................................................................................................. 4
8. Enforcement........................................................................................................ 4
9. Policy Priority..................................................................................................... 4
10. Monitoring........................................................................................................... 4

Page 1 of 4
 CORPORATE IT - INFORMATION SECURITY
Data Classification and Handling Policy

1. Purpose
This policy establishes the framework and guidelines for classifying and handling
data within the organization to ensure its confidentiality, integrity, and availability in
accordance with its importance and potential impact to EBSCO Industries Inc.
(Company). Data must be properly handled throughout its entire lifecycle, from
creation to disposal. The importance of such information varies and therefore
requires different levels of protection.

2. Scope
This policy applies to all people, processes and technology that constitutes the
Company Information systems, including board members, directors, employees,
suppliers and other third parties who have access to Company systems.

3. Review Frequency
This document is reviewed annually or upon significant changes to the organization,
business, or customer environments.

4. Document References
4.1 Data Classification and Handling Manual
4.2 Media Sanitization and Disposal Policy.
4.3 Information Security Policy

5. Definitions
5.1. Public: Data that is open to public consumption and readily available through
public sources.
5.2. Internal: Data that is not intended to be shared with the public and should
generally not be disclosed outside the Company, such as internal emails and
documentation not otherwise categorized as Confidential or Restricted. By default,
Company data is considered at least Internal, unless it rises to the level of
Confidential or Restricted.
5.3. Confidential: Data that could adversely affect the Company or an individual if
made available to unauthorized parties, such as the technical specifications of a
new product or Company financial information. This also includes information the
Company has a contractual, legal, or regulatory obligation to keep confidential but
does not rise to the level of Restricted.
5.4. Restricted: Data that the Company has a contractual, legal, or regulatory
obligation to safeguard in the most stringent manner. This includes personal
information that, in some cases, could require notifications to affected individuals
or authorities in the case of unauthorized disclosure or loss of this data.
5.5. Principle of Least Privilege: A fundamental security concept that emphasizes
restricting access rights and permissions for users, processes, or systems to the
minimum level necessary to perform their legitimate tasks or functions.

Page 2 of 4
 CORPORATE IT - INFORMATION SECURITY
Data Classification and Handling Policy

6. Policy Provisions
6.1. Data Classification
6.1.1. Criteria for classifying data shall include the level of confidentiality, the
degree of access control required, the potential impact of unauthorized
disclosure, and the regulatory or contractual obligations associated with the
data.
6.1.2. All employees are responsible for:
6.1.3.1. Understanding what constitutes Public, Internal, Confidential, and
Restricted information.
6.1.3.2. Managing information consistent with the criticality of and the
requirements for confidentiality and integrity associated with the data.
6.1.3. All Company information whether at rest or in transit must be classified into
one of the four data classification categories.
6.1.4. Employees shall receive training annually and guidance on data
classification policies, including examples of data types and scenarios for
each classification level, to ensure consistent application of classification
criteria.
6.1.5. The organization will establish mechanisms for monitoring and auditing
compliance with data classification policies to ensure adherence to
established guidelines and procedures.
6.1.6. Regular reviews of access logs, security incidents, and data handling
practices shall be conducted to identify deviations from policy requirements
and potential security risks.
6.2. Data Handling
6.2.1. Access to data shall be restricted to authorized personnel based on the
Principle of Least Privilege.
6.2.2. All data must be protected to prevent loss, theft, unauthorized access,
and/or unauthorized disclosure.
6.2.3. Encryption mechanisms shall be used to protect data from unauthorized
access or disclosure. Data storage solutions shall adhere to industry best
practices and compliance requirements, ensuring data integrity and
protection.
6.2.4. All data must be destroyed in accordance with the company’s Media
Sanitization and Disposal Policy.
6.2.5. Any unauthorized disclosure, theft, or loss of Internal, Confidential, or
Restricted data must be immediately reported to Corporate Information
Security.
6.2.6. Non-disclosure agreements are required when working with third-party
vendors before Internal, Confidential, and Restricted data is shared outside
the Company.

Page 3 of 4
 CORPORATE IT - INFORMATION SECURITY
Data Classification and Handling Policy

7. Changes
This policy may change at any time to ensure data protection is maintained
effectively. Current versions will be maintained in PolicyTech unless another type of
notice is required by applicable laws.

8. Enforcement
Failure to comply with these guidelines as well as any applicable Company policies,
procedures, security controls or applicable regulations could result in disciplinary
action against the individual including verbal or written warnings, removal of system
access, reassignment to other duties, suspension, termination, and criminal or civil
prosecution.

Employees may report any violations or concerns related to this Policy through the
Corporate IT GRC Department or the Legal Department without fear of retaliation.

9. Policy Priority
This corporate policy takes precedence over all policies derived from or published
by business units or other EBSCO affiliated companies. In the event of a conflict
between terms of the policies, the corporate policy will apply.

10. Monitoring
Corporate Information Security will verify compliance of this policy through various
methods, including periodic review, business tool reports, internal and external
audits, and feedback to the policy owner.

Page 4 of 4