Information & Data Classification

General Policies / Policy Document
Section: Information/Data Classification
Policy ID: 03.06.01
Policy: Information/Data Classification
Effective Date: 12.31.2008
BU: Corporate

1. Policy Overview / Purpose

The purpose of this policy is to provide guidelines for maintaining the information of Graham Holdings Company and its subsidiaries (“GHC” or “the Company”) in a professional and systematically enforced manner.

2. Scope

This policy applies to all employees and other users of the Company information, both electronic and hard copy. All employees and other users must comply with all aspects of this policy.

3. Responsibilities

3.1 Policy Owner: Wally Cooney, Senior Vice President Finance and Chief Financial Officer
3.2 Responsible Party: Stacey Halota, Vice President Information Security and Privacy

4. Policy

4.1 GENERAL GUIDELINES FOR DATA CLASSIFICATION

Overall, data usage must be governed with the goal of reducing risk to the Company, its employees and customers while still supporting business operations. All data must be governed by the Company’s Records Retention policy, and must be purged according to business requirements. The following categories will be used to classify and protect all Company information:

4.1.1 Highly Restricted

This classification label applies to the most sensitive business information that is intended for use strictly within the Company. Its unauthorized disclosure could seriously and adversely impact the Company, its customers, its business partners, or employees, and legal implications for its unauthorized disclosure are probable. Examples include certain customer and employee data such as Social Security numbers, driver’s license numbers, government issued ID, tax ID, passport and alien registration numbers, financial account and debit/credit card numbers, PIN numbers, protected health information (PHI), computer password repositories, and identity token personal identification numbers.

4.1.2 Confidential

This classification label applies to sensitive business information that is intended for use within the Company. Its unauthorized disclosure could seriously and adversely impact the Company, its customers, its business partners, or employees, and legal implications for its unauthorized disclosure are possible. Examples include company financial data, business secrets, performance evaluations, customer transaction data, strategic alliance agreements, unpublished internally-generated market research, and internal audit reports.

4.1.3 For Internal Use Only

This classification label applies to all other information that does not clearly fit into the previous classifications. While its unauthorized disclosure is against policy, it is not expected to seriously or adversely impact the Company or its employees, suppliers, business partners, or its customers. Examples include new employee training materials, company address books and internal policy manuals.

4.1.4 Public

This classification applies to information that has been approved by the Company management for release to the public. By definition, there is no such thing as unauthorized disclosure of this information and it may be disseminated without potential harm. Examples include product and service brochures, advertisements, job opening announcements, and approved press releases. (Note: All data classified as “public” must still be approved for release by the designated approver for the Company.)

For further information regarding requirements related to encryption, storage, copying, disposal, labeling and access control, refer to the table below:

Guidelines by Data Type

Encrypted On Disk and Tape
  • Highly Restricted: Yes
  • Confidential: Recommended
  • Internal Use Only: No
  • Public: No

Encrypted Over Public Networks
  • Highly Restricted: Yes
  • Confidential: Yes
  • Internal Use Only: Optional
  • Public: No

Storage/Copying Restrictions
  • Highly Restricted: Owner permission required for copying. Emailing and storage on laptops, desktops and other removable media (with the exception of backup media) must be approved in writing by data owner and division or corporate general counsel’s office on a per-person basis and encryption is mandatory. Use in QA, test, training and development environments prohibited unless depersonalized by scrambling or other means so that the data elements classified as Highly Restricted cannot be traced to an individual.
  • Confidential: Owner permission required for copying. Use in training environments prohibited unless allowed by business owner. Unencrypted storage on desktops, laptops and removable media (with the exceptions of backup media) not recommended. Use in training (where permitted by data owner), QA, test and development environments prohibited unless protected against unauthorized use.
  • Internal Use Only: Determined by data owner.
  • Public: No restriction

Disposal Restrictions
  • Highly Restricted: Shred/Degauss
  • Confidential: Shred/Degauss
  • Internal Use Only: None
  • Public: None

Labeling Required?
  • Highly Restricted: Yes
  • Confidential: Recommended
  • Internal Use Only: No
  • Public: Recommended

Outsourcing/Release to 3rd Parties
  • Highly Restricted: Owner permission required/NDA required/Outsourcing contract must contain protection clauses commensurate to data outsourced.
  • Confidential: Owner permission required/NDA required/Outsourcing contract must contain protection clauses commensurate to data outsourced.
  • Internal Use Only: Owner permission required/NDA required/Outsourcing contract must contain protection clauses commensurate to data outsourced.
  • Public: No restriction

Access Control
  • Highly Restricted: Restricted to need to know, owner permission required. Locked storage for hard copies.
  • Confidential: Restricted to need to know, owner permission required. Locked storage for hard copies.
  • Internal Use Only: Determined by data owner.
  • Public: Read only for company wide use, other determined by data owner.

4.2 RESPONSIBILITIES, DISCIPLINARY ACTION AND AMENDMENTS

Company employees and authorized users of Company data are responsible for fully understanding and maintaining compliance with this policy. Any questions should be directed to the Policy Owner and Responsible Party.

Appropriate disciplinary actions will be taken against individuals found to be in violation of this policy. Actions can range from restriction of the use of company information to termination of employment and, where warranted, legal action.

The Company reserves the right to change or edit this policy at any time without prior notice. Changes will be posted on the enforcement system and notices sent to appropriate management for distribution to all users.

4.3 POLICY EXCEPTIONS AND ADMINISTRATION

Exceptions to this policy must be communicated to the Corporate or Business Unit’s “Policy Owner” and “Responsible Party” as appropriate. The Business Unit must:

  • Document the underlying circumstances, nature of exception and proposed treatment;
  • Communicate the exceptions to the GHC “Policy Owner” and “Responsible Party”; and
  • Document and maintain all approvals.

This policy is maintained and updated by the Corporate Accounting Department. Requests for revisions must document the legitimate business need for the change and are subject to approval pursuant to Corporate Policy 01.01.01 – Policy Development and Management.

5. Definitions

No definitions are included as part of this policy.

6. References

Refer to the following policies for additional guidance on this policy:

7. Exhibits

No exhibits are included as part of this policy.

8. Frequently Asked Questions (FAQ)

No FAQs are included as part of this policy.

9. Procedures

No procedures are included as part of this policy.

10. Policy History

Issuance/Revision Date: 12.31.2008
Effective Date: 12.31.2008
Version: v.01
Revision Description: Original Issuance