Information Security Data Classification Policy

1.0 PURPOSE

1.1 Provide a method for Crowley Information Security to classify data and ensure that Crowley’s data is protected accordingly.

2.0 SCOPE

2.1 This policy applies to all subsidiaries, agents, and or consultants at each of the companies who utilize and/or support company IT assets, systems and information. References in this policy to the “Company” shall mean the company at which you are employed or for which you provide services.

3.0 DEFINITIONS

3.1 None.

4.0 RESPONSIBILITY

4.1 Company Employees

4.1.1 Notify Crowley IT Information Security of any data classification requirements and changes.

4.1.2 Protect the confidentiality, integrity, and availability of Company information.

4.1.3 When contracting with an external IT supplier, help ensure the supplier meets contractual obligations to protect and manage Company IT assets.

4.2 IT Information Security

4.2.1 Review and update the policy when needed.

5.0 POLICY/PROCEDURE

5.1 Data Classification

5.1.1 Crowley’s information will be classified by Crowley IT Information Security according to the most sensitive detail it contains in order to ensure the appropriate level of security is in place.

5.1.2 Crowley IT Information Security maintains three levels of data classification:

5.1.2.1 Public: Information that is available to the public and is likely to be found on the internet and or in public records. Examples include but are not limited to: public information on tariff rates, sailing schedules, and press releases.

5.1.2.2 Confidential: Information that is business sensitive or contains technical content. Examples include but are not limited to: employee handbooks, telephone directories, organizational charts, policies, procedures and standards, customer identifiable information, and Crowley’s technological infrastructure.

5.1.2.3 Private: Information that if disclosed, compromised, corrupted, or destructed could have an adverse impact on the reputation of Crowley, expose the organization to financial loss or legal liability, or provide an advantage to our competitors. Examples include but are not limited to: strategic plans, confidential contracts, personnel records, system configurations, and proprietary software.

6.0 RELATED DOCUMENTATION

6.1 CPP-IT-006 Information Security Policy

Effective Date: 1/19/2018 – CPP-IT- 006a