Graham Holdings Company Information Security Policy

1. Policy Overview / Purpose

The policy outlines the shared responsibilities of employees of Graham Holdings Company and its subsidiaries (“GHC” or “the Company”) for safeguarding information that they learn or have access to in their jobs and for safeguarding the systems that process that information.

2. Scope

This policy applies to the Company’s computer or communications systems, Company information that is input into such systems and reports from such systems in paper, disk or other tangible form. Employees whose jobs involve the use of such systems must understand and comply with this policy. Employees who violate this policy may be subject to disciplinary action, up to and including termination, and to denial of access to Company information and information systems.

The requirements of this policy and related directives also apply to vendors, contractors, agents and affiliates of the Company who access Company information systems and violations may lead to termination of contracts, revocation of systems access privileges, and other remedies.

3. Responsibilities

3.1 Policy Owner: Wally Cooney, Senior Vice President, Finance and Chief Financial Officer

3.2 Responsible Party: Stacey Halota, Vice President, Information Security and Privacy

4. Policy


The Company is critically dependent on information and information technology. If important information, such as private customer information, were disclosed inappropriately, the Company could suffer serious losses, including harm to its reputation. Systems that process financial information must be secure so that investors and auditors may rely on information the Company reports. For these and other business reasons, the Company has adopted this Information Security Policy, which outlines the shared responsibilities of employees for safeguarding Company information that they learn or have access to in their jobs and for safeguarding the systems that process that information.

This policy supplements provisions of the Code of Business Conduct that pertain to “Computer Networks, Voice Mail, Email and the Internet” and “Confidential Information,” all of which remain in effect.


To implement effective security measures for our information systems, responsibility is divided among four categories of people: System Owners, System Custodians, System Users and the Information Security Group. Most employees of the Company are System Users and, therefore, have some level of responsibility under this policy.

4.2.1 Owner Responsibilities

Information System Owners are division heads or department Vice Presidents within a division, or their delegates, who oversee and are responsible for information systems used within a division or department. Owners determine who is granted access to systems and data and how the system and the information it processes will be used, including defining business rules that System Custodians follow to enable appropriate security measures such as system backup and recovery.

4.2.2 Custodian Responsibilities

Custodians are IT Department staff members and business department IT staff members, including system administrators. Custodians are responsible for safeguarding information and systems, including implementing access control measures and making backups. Custodians implement, operate and maintain security measures defined by Owners and the Information Security Group and are responsible for reporting information security issues or concerns to the Owner and the Information Security Group.

4.2.3 User Responsibilities

Most employees of the Company are Users of Company systems. Users are responsible for understanding and complying with this Policy and the Code of Business Conduct. Users are responsible for following the directives of Owners, Custodians and the Information Security Group regarding the use of systems and information. A User who has questions about his or her responsibility, about the appropriate handling of a specific type of information or about any system security issue should ask the Custodian or Owner of the system. Anyone who knows of or suspects a compromise of security or a violation of this policy must report it as outlined below.

4.2.4 Responsibilities of the Information Security Group

The Information Security Group is responsible for establishing and maintaining information security policies, standards, guidelines and procedures. The Information Security Group reviews the designations and actions of System Owners, provides advice on information security issues, and reports unresolved issues to the division head. The Information Security Group, in cooperation with the Company’s corporate office, is responsible for checking systems to ensure compliance with this policy and other relevant directives. The Information Security Group investigates and reports system intrusions and other information security incidents.


To ensure that access to Company systems and information is limited to those with a legitimate business need, the Company has adopted (A) access controls, (B) physical security restrictions, (C) restrictions on network connections, and (D) requirements governing non-disclosure of confidential information.

In addition, some systems or information may be designated by the Owner as requiring heightened security, such as encryption or other methods beyond those defined in this policy. Custodians and Users are responsible for following such directives of the Owner regarding system security and information handling.

4.3.1 Access Controls

System Access Request Process

The System Access Request process requires the System Owner to approve requests for system access based on job duties and other business activities. When a person’s need for system access changes (for example, due to a change in job duties, leave of absence or employment termination), that person’s supervisor must submit a change request using the System Access Request process. Access privileges will be periodically reviewed by Owners and Custodians. No one may access or attempt to access information or systems unless the System Owner has granted access rights.

User IDs and Passwords

Unless the System Owner determines otherwise,* each person who accesses multi-user information systems will be given a unique user ID and will select a private password. Everyone who logs onto a system must use his or her unique user ID and password. Use of another person’s user ID is prohibited. Each employee must keep his or her user ID and password confidential, is responsible for safeguarding that information, and is responsible for any use that others may make of it.

(*In some circumstances, the System Owner may authorize the use of a Group ID, which allows two or more people to use the same ID to access a system. Users who are given a Group ID must treat it as confidential and must not provide it to unauthorized individuals.)

(a) Rules for Creating Passwords

Users must choose passwords that are difficult for others to guess.

  • Passwords must not contain all or part of the user’s user ID.
  • Passwords must be at least eight characters in length.
  • Passwords must contain characters from three of the following four categories:
    1. English upper-case characters (A … Z)
    2. English lower-case characters (a … z)
    3. Base 10 digits (0 … 9)
    4. Non-alphanumeric (For example: !, $, #, %)
  • Passwords must not be related to one’s job or personal life. For example, a car license plate number, a spouse’s or child’s name or fragments of an address must not be used.
  • Passwords must not be a word found in the dictionary standing alone.
  • Proper names, places, technical terms and slang must not be used as passwords.

(b) Password Changes

  • Passwords must be changed at least every 90 days.
  • At least 5 days must pass between password changes.
  • Users must not construct passwords that are identical or substantially similar to passwords they have previously used.

(c) Password Storage and Non-disclosure

Passwords must not be written in readily decipherable form and left where unauthorized persons may discover them, including in batch files, automatic log on scripts, software macros, terminal function keys and computers without access controls.

Passwords must never be revealed to others, and IT staff must not ask users to reveal passwords. The only time a password should be known by another is when a temporary password is issued or reset to provide temporary system access. Temporary passwords must be changed the first time the user accesses the system. If a user believes his or her user ID and password are being used by someone else, the user must immediately notify the system administrator, who must then notify the Information Security Group.

4.3.2 Physical Security

Local area network servers must be placed in locked cabinets, closets or computer rooms. Computer and network equipment may not be removed from Company premises without proper authorization. Pagers, personal digital devices and cellular phones may be removed from Company premises without prior authorization. Laptop computers may be removed without prior authorization, except for those designated as being non-removable.

4.3.3 Computers Attached to the Company Internal Networks

No one is permitted to attach any laptop, desktop PC or other device to an internal network (either cabled or wireless) without obtaining approval from IT Client Support and the Information Security Group. All users connected to Company networks must employ a password-based screen-saver.

4.3.4 Non-Disclosure of Confidential Company Information to Third Parties

The provisions of the Code of Business Conduct pertaining to Confidential Information are particularly important when the information is contained on computer systems because of the ease with which such information can be transferred. The Code’s prohibition against disclosing confidential Company information is applicable whether the information is on paper or stored electronically. If confidential Company information is lost, disclosed to unauthorized parties or suspected of being lost or improperly disclosed, the Owner of the system that handles that information must be notified immediately. The Owner must then notify the Information Security Group.


Users must not disable or bypass the current version of approved virus-scanning software that is provided on computers. If Users suspect infection by a computer virus, they must immediately stop using the affected computer and call IT Client Support. Users must not attempt to eradicate viruses themselves. The infected computer must be immediately isolated from any networks. Until the virus has been successfully eradicated, any storage media used with the infected computer must not be used with any other computer.


4.5.1 Software Sources

Users must not download software, including games, to Company computers or networks without specific approval from IT Client Support. The Company may delete unapproved software from Company computers. For purposes of this section, macros in spreadsheets and word processing documents are not considered software.

4.5.2 Unauthorized Software Copying

Users must not copy software provided by the Company to any storage media, transfer such software to another computer, or provide such software to third parties without approval by department heads or directors and notification to the IT Department.

4.5.3 Software and Information Backup Responsibility

System Custodians are responsible for making periodic backups of server-based data and applications. Desktop or laptop computer users must regularly back up business information on those computers, or store it on network drives that are regularly backed up by the IT Department.

4.5.4 Software Change Control Process

Information systems must employ a documented change control process that must be used for all non-emergency changes to production system software, hardware and communications links.

4.5.5 Security Sign-Off Required

The Information Security Group must give written approval before new or substantially changed computer applications and systems are used for production processing.


Users must not compromise or attempt to compromise systems security measures unless authorized in writing by the Information Security Group. Incidents involving unapproved system hacking, guessing of passwords, file decryption, bootleg software copying or similar unauthorized attempts to compromise security may be unlawful, and will be considered violations of Company policy. Short-cuts, pranks and jokes that bypass system security measures are prohibited. Unless specifically authorized by the Information Security Group, no one is permitted to acquire, possess or use hardware or software tools that evaluate or compromise Company information system security.

The Company reserves the right to revoke system privileges of any user at any time. Conduct that interferes with normal and proper operation of Company information systems, that adversely affects the use of these information systems, that is harmful or offensive to others, or that otherwise violates any Company or division policy is not permitted.


4.7.1 Right to Search and Monitor

Information systems, including computers and networks, communication systems, other information processing or storage devices, and information contained on, generated on or handled by them, including messages, email, voicemail, hard drives, printer spool files, FAX machine output, log files and backup copies, are the property of the Company, and employees should have no expectation of privacy in them.

The Company reserves the right to monitor, inspect or search all systems or information at any time without the consent, presence or knowledge of the user. The Company retains the right, in its sole discretion, to remove material from its information systems. Information systems must generate logs that capture events and that provide sufficient data to assess the effectiveness of and compliance with information security measures.

4.7.2 Mandatory Reporting of System Security Concerns

All suspected system intrusions, virus infestations and other conditions that might jeopardize Company information or systems must be immediately reported to the Information Security Group.

4.7.3 Mandatory Reporting of Violations of this Policy

Any employee having information about a violation or suspected violation of this Information Security Policy must promptly report the violation to his/her manager, to the chief financial or legal officer of the division or to the division head. If the violation involves the employee’s manager, the employee should report the violation to one of the other individuals identified above. Similarly, if the violation involves one of the other individuals identified above, the employee should report the violation to Corporate by informing the Policy Owner or Responsible Party. As an alternative to reporting a violation or suspected violation to one of these individuals, an employee may call the Ethics Hotline (1-866-687-8972). Calls to the Ethics Hotline may be made anonymously.

4.7.4 Security Awareness Training

Employees who access Company information systems must complete a security awareness course provided by the Company.


Exceptions to this policy must be communicated to the Corporate or Business Unit’s “Policy Owner” and “Responsible Party” as appropriate. The Business Unit must:

  • Document the underlying circumstances, nature of exception and proposed treatment;
  • Communicate the exceptions to the GHC “Policy Owner” and “Responsible Party”; and
  • Document and maintain all approvals.

This policy is maintained and updated by the Corporate Accounting Department. Requests for revisions must document the legitimate business need for the change and are subject to approval pursuant to Corporate Policy 01.01.01 – Policy Development and Management.

5. Definitions

No definitions are included as part of this policy.

6. References

Refer to the following policies for additional guidance on this policy:

7. Exhibits

No exhibits are included as part of this policy.

8. Frequently Asked Questions (FAQ)

No FAQs are included as part of this policy.

9. Procedures

No procedures are included as part of this policy.

10. Policy History

Revision Date    Effective Date    Version    Revision
10.31.2004       10.31.2004        v.01       Original Issuance
04.01.2020       04.01.2020        v.02       Revised Issuance