| General Policies | Policy Document |
|---|---|
| Section: Information/Data Classification | Policy ID: 03.06.01 |
| Policy: Information/Data Classification | Effective Date: 12.31.2008 |
| BU: Corporate | |
1. Policy Overview / Purpose
The purpose of this policy is to provide guidelines regarding maintaining information of Graham Holdings Company and its subsidiaries (“GHC” or “the Company”) in a professional and systematically enforced manner.
2. Scope
This policy applies to all employees and other users of the Company information, both electronic and hard copy. All employees and other users must comply with all aspects of this policy.
3. Responsibilities
| Role | Person |
|---|---|
| 3.1 Policy Owner | Wally Cooney, Senior Vice President Finance and Chief Financial Officer |
| 3.2 Responsible Party | Stacey Halota, Vice President Information Security and Privacy |
4. Policy
4.1 GENERAL GUIDELINES FOR DATA CLASSIFICATION
Overall, data usage must be governed with the goal of reducing risk to the Company, its employees and customers while still supporting business operations. All data must be governed by the Company’s Records Retention policy, and must be purged according to business requirements. The following categories will be used to classify and protect all Company information:
4.1.1 Highly Restricted
This classification label applies to the most sensitive business information, which is intended for use strictly within the Company. Its unauthorized disclosure could seriously and adversely impact the Company, its customers, its business partners, or its employees, and legal implications of unauthorized disclosure are probable. Examples include certain customer and employee data such as Social Security numbers, driver’s license numbers, government-issued ID, tax ID, passport and alien registration numbers, financial account and debit/credit card numbers, PINs, protected health information (PHI), computer password repositories, and identity token personal identification numbers.
4.1.2 Confidential
This classification label applies to sensitive business information that is intended for use within the Company. Its unauthorized disclosure could seriously and adversely impact the Company, its customers, its business partners, or its employees, and legal implications of unauthorized disclosure are possible. Examples include company financial data, business secrets, performance evaluations, customer transaction data, strategic alliance agreements, unpublished internally generated market research, and internal audit reports.
4.1.3 For Internal Use Only
This classification label applies to all other information that does not clearly fit into the previous classifications. While its unauthorized disclosure is against policy, it is not expected to seriously or adversely impact the Company or its employees, suppliers, business partners, or its customers. Examples include new employee training materials, company address books and internal policy manuals.
4.1.4 Public
This classification applies to information that has been approved by the Company management for release to the public. By definition, there is no such thing as unauthorized disclosure of this information and it may be disseminated without potential harm. Examples include product and service brochures, advertisements, job opening announcements, and approved press releases. (Note: All data classified as “public” must still be approved for release by the designated approver for the Company.)
For further information regarding requirements related to encryption, storage, copying, disposal, labeling and access control, refer to the table below:
Guidelines by Data Type

| Guideline | Highly Restricted | Confidential | Internal Use Only | Public |
|---|---|---|---|---|
| Encrypted On Disk and Tape | Yes | Recommended | No | No |
| Encrypted Over Public Networks | Yes | Yes | Optional | No |
| Storage/Copying Restrictions | Owner permission required for copying. Emailing and storage on laptops, desktops and other removable media (with the exception of backup media) must be approved in writing by the data owner and the division or corporate general counsel’s office on a per-person basis, and encryption is mandatory. Use in QA, test, training and development environments is prohibited unless the data is depersonalized by scrambling or other means so that the data elements classified as Highly Restricted cannot be traced to an individual. | Owner permission required for copying. Use in training environments is prohibited unless allowed by the business owner. Unencrypted storage on desktops, laptops and removable media (with the exception of backup media) is not recommended. Use in training (where permitted by the data owner), QA, test and development environments is prohibited unless protected against unauthorized use. | Determined by data owner. | No restriction |
| Disposal Restrictions | Shred/Degauss | Shred/Degauss | None | None |
| Labeling Required? | Yes | Recommended | No | Recommended |
| Outsourcing/Release to 3rd Parties | Owner permission required / NDA required / Outsourcing contract must contain protection clauses commensurate to the data outsourced. | Owner permission required / NDA required / Outsourcing contract must contain protection clauses commensurate to the data outsourced. | Owner permission required / NDA required / Outsourcing contract must contain protection clauses commensurate to the data outsourced. | No restriction |
| Access Control | Restricted to need to know; owner permission required. Locked storage for hard copies. | Restricted to need to know; owner permission required. Locked storage for hard copies. | Determined by data owner. | Read-only for company-wide use; otherwise determined by data owner. |
4.2 RESPONSIBILITIES, DISCIPLINARY ACTION AND AMENDMENTS
Company employees and authorized users of Company data are responsible for fully understanding and maintaining compliance with this policy. Any questions should be directed to the Policy Owner and Responsible Party.
Appropriate disciplinary actions will be taken against individuals found to be in violation of this policy. Actions can range from restriction of the use of Company information to termination of employment and, where warranted, legal action.
The Company reserves the right to change or edit this policy at any time without prior notice. Changes will be posted on the enforcement system and notices sent to appropriate management for distribution to all users.
4.3 POLICY EXCEPTIONS AND ADMINISTRATION
Exceptions to this policy must be communicated to the Corporate or Business Unit’s “Policy Owner” and “Responsible Party” as appropriate. The Business Unit must:
- Document the underlying circumstances, nature of exception and proposed treatment;
- Communicate the exceptions to the GHC “Policy Owner” and “Responsible Party”; and
- Document and maintain all approvals.
This policy is maintained and updated by the Corporate Accounting Department. Requests for revisions must document the legitimate business need for the change and are subject to approval pursuant to Corporate Policy 01.01.01 – Policy Development and Management.
5. Definitions
No definitions are included as part of this policy.
6. References
Refer to the following policies for additional guidance on this policy:
- 04.04.01 Records Retention
7. Exhibits
No exhibits are included as part of this policy.
8. Frequently Asked Questions (FAQ)
No FAQs are included as part of this policy.
9. Procedures
No procedures are included as part of this policy.
10. Policy History
| Issuance/Revision Date | Effective Date | Version | Revision Description |
|---|---|---|---|
| 12.31.2008 | 12.31.2008 | v.01 | Original Issuance |