Havas is committed to protecting its information assets from illegal or damaging actions by individuals, either knowingly or unknowingly.
This Data Protection Policy defines for Havas employees the proper labelling and handling of information and will ultimately help Havas to manage and minimize risk of the occurrence of the actions mentioned above.
The purpose of this policy is to describe the classification of data at Havas and explain access controls and procedures which protect information based on these classifications. All employees should familiarize themselves with the classifications in this policy.
This policy applies to all information, both physical and digital, under the control of Havas. This policy applies to all Havas employees, contractors, vendors and representatives with access to Havas systems. Confidential and sensitive information entrusted to business partners, suppliers and any other third-party entities must be protected according to the classifications set forth within this policy. All employees are responsible for taking the appropriate steps, as defined below, to comply with this policy and ensure the protection of all data assets.
The Havas data classification system, as defined in this document, is based upon the concept of ‘need to know’. As such, information is not disclosed to any person who does not have a legitimate and demonstrable business need to receive the information. Enforcement of this policy, be it by technical or procedural methods, will protect company information from unauthorized disclosure, use, modification, and deletion.
Consistent use of this data classification system is essential if confidential and sensitive information is to be protected. Without the consistent use of this data classification system, Havas risks loss of customer relationships, loss of public confidence, internal operation disruption, excessive costs, and other competitive disadvantages. This policy consistently protects confidential information in any form, regardless of the technology used to process it, the party or individual handling it, the location where the information resides, or the stage in the information’s life cycle.
5.1. Classification Labels
Havas has categorized its data into four distinct classification labels, as follows:
HIGHLY CONFIDENTIAL: This classification label applies to private information that is intended for use strictly within Havas by agents of Havas. Its unauthorized disclosure could seriously and adversely impact the company, its customers, its business partners, and its suppliers. Examples include human resources data; corporate-level strategic plans; litigation strategy memos; financial data; personally identifiable information (PII). This information is intended for those who need to work with it to fulfil business requirements for the company and/or a client.
SENSITIVE: This classification label applies to data that is received from Havas customers. The intent of this classification is to safeguard information critical to Havas business relationships and to comply with industry regulations. This information is restricted at Havas to those with an immediate need-to-know requirement. Other employees of Havas with no requirement to access such data are not to be granted privileges to this data. Hard copies of confidential data must be shredded when no longer needed.
HAVAS INTERNAL ONLY: This classification label applies to all other information that does not clearly fit into the previous two classifications. While its unauthorized disclosure is against policy, it is not expected to seriously or adversely impact Havas or its employees, suppliers, business partners, or its customers. Examples include the Havas employee telephone directory, procedural documents, new employee training materials, and internal rule manuals and policies.
PUBLIC: This classification applies to information that has been approved by Havas or its customers for release to the public. There is no such thing as unauthorized disclosure of this information, as it may be disseminated without potential harm. Examples include product and service brochures, advertisements, and press releases.
Default Classification: Information without a label is by default classified as Internal Use Only or Confidential.
Users must use electronic labelling when available, for instance in Microsoft Office 365 programs, to ensure that documents and emails are classified correctly and handled appropriately by Havas security systems. To learn more about Office 365 labelling, search “sensitivity labels” on the Microsoft Office 365 support site.
5.2. Data owners
The data owner is the creator of the data or, for data received into Havas, the first recipient. In the case of several recipients, someone must be appointed as data owner and made responsible for data labelling. Owners do not legally own the information entrusted to their care. They act as stewards and supervise the ways in which confidential and sensitive information is used and protected. Data owners are explicitly appointed or implicitly vested by their business role. Data can be acquired via a supplier, created internally, acquired from the public or other sources, aggregated from other data, and so on; but in all cases, a data owner exists either formally or implicitly.
Three examples of data ownership follow:
– A client provides a database with the names and email addresses of some of its customers. In this case, the client account manager is the data owner.
– A financial application is used at an agency to handle the financial operations. The CFO is the data owner of the information stored and processed in the application.
– A creative department member produces a set of banners for a campaign. The Creative Manager of the agency is the owner of the data.
The data owner should decide the classification under which the data falls. IT can certainly provide guidance, but the final determination of the classification is the data owner’s responsibility. The legal department must always be involved in the handling of personally identifiable information, to adhere to the local regulations in this matter.
The data owner is responsible for allowing specific people (or roles) to access, modify and delete the data, always to accomplish business needs and based on the concept of ‘need to know’. The data owner is also responsible for ensuring that the information is labelled correctly.
Data owners should review their data’s classification at least annually to ensure that data remains properly classified.
5.3. Data custodians
Data Custodians are responsible for the safe custody, transport and storage of the data, and for the implementation of business rules when the Data Owner is not able to do so for technical reasons. The Custodian by definition does not know the importance of the data to the business, how it will be used or which roles should access the data. When the Data Owner is not able to implement these parameters directly, the Data Owner communicates them to the Custodian. The Custodian then implements the security on the data to match the criteria set by the Data Owner.
Traditionally, IT acted as Data Custodian; however, now that users are able to label data and grant rights over data and systems outside of the IT scope (for example, Pulse, Concur, TalentSpace, and others), the custodian is generally no longer the IT department.
5.4. Labelling
If information is confidential or sensitive, then from the time it is created until the time it is destroyed or declassified it must be labelled with an appropriate data classification designation. Confidential digital information should not be transferred to hard copy unless necessary. Actual markings must appear on all manifestations of the information, such as hard copies and optical media. All printed, handwritten, or other paper manifestations of confidential or sensitive information must have a clearly evident label on each page. If bound, all paper manifestations of such information must have an appropriate sensitivity label on the front cover. The cover sheet for faxes containing such information must also contain the appropriate classification label.
5.5. Shipping and Handling
The following measures should be adhered to in safeguarding data labelled confidential or sensitive:
5.6. Destruction and Disposal
All Havas confidential and sensitive information must be destroyed when deemed no longer needed by the Data Owner, or when the client or data subject instructs Havas to destroy the information. To support this policy, Data Owners must review the continued value and usefulness of information on a periodic basis. Owners must also review the data retention schedule related to compliance with local and international laws and contractual obligations, as per General Counsel, to determine the minimum and maximum periods for which information must be retained.
Data Custodians are responsible for the proper disposal of confidential or sensitive data no longer needed for business activities.
Simple file erasing or formatting does not qualify as proper deletion of digital material. Mechanical drives must be data-wiped using approved software before leaving the premises. If a data wipe is not available, the drives must be physically destroyed. Proof of destruction should be kept on file.
Hard copy output such as received faxes or printouts that contain confidential data must be shredded.
5.7. Physical Security
Every office, computer room, and work area containing confidential information must be considered a Restricted access zone or a Highly Restricted access zone, as described in “IS-POL-2103P-Physical and Environmental Security”. Every office, computer room, and work area containing sensitive information must be at least an Office access zone, as described in “IS-POL-2103P-Physical and Environmental Security”. When left in an unattended room, confidential and sensitive information must be locked in appropriate locked containers and not left easily accessible.
The following table defines required safeguards for protecting data and data collections based on their classification. Data security requirements for Proprietary Data are determined by the contracting agency and are therefore not included in the table below.
Security Control Category | Public | Havas internal only | Sensitive | Confidential
--- | --- | --- | --- | ---
Access Controls | No restriction for viewing. | Viewing and modification restricted to Havas employees or authorized parties acting on behalf of Havas. | Viewing and modification restricted to authorized individuals as needed for business-related roles. | Viewing and modification restricted to authorized individuals as needed for business-related roles.
Copying/Printing (applies to both paper and electronic forms) | No restrictions. | Printed copies must be limited to Havas employees or authorized parties acting on behalf of Havas. | Data should only be printed when there is a legitimate need. | Data should only be printed when there is a legitimate need.
Network Security | May reside on a public network. Protection with a firewall recommended. IDS/IPS protection recommended. | Protection with a network firewall required. IDS/IPS protection required. Servers hosting the data should not be visible to the entire Internet. | Protection with a network firewall required. IDS/IPS protection required. Servers hosting the data should not be visible to the entire Internet. | Protection with a network firewall using a “default deny” ruleset required. IDS/IPS protection required.
System Security | Must follow general best practices for system management and security. Host-based software firewall recommended. | Must follow general best practices for system management and security. Host-based software firewall required. | Must follow general best practices for system management and security. Host-based software firewall required. | Must follow general best practices for system management and security. Host-based software firewall required.
Physical Security | System must be locked or logged out when unattended. | System must be locked or logged out when unattended. | System must be locked or logged out when unattended. | System must be locked or logged out when unattended.
Remote Access to systems hosting the data | No restrictions. | Access restricted to local network or general Havas Virtual Private Network (VPN) service. | Access restricted to local network or general Havas Virtual Private Network (VPN) service. | Restricted to local network or secure VPN group.
Data Storage | Storage on a secure server recommended. | Storage on a secure server recommended. | Storage on a secure server recommended. | Storage on a secure server required.
Transmission | No restrictions. | No requirements. | No requirements. | Encryption required (e.g., via SSL or secure file transfer protocols).
Backup/Disaster Recovery | Backups required; daily backups recommended. | Daily backups/secure copy required. | Daily backups/secure copy required. | Daily backups/secure copy required.
User: all Havas employees, including all personnel affiliated with third parties.
Responsibilities: Be compliant with the policy. Inform HR of any significant noncompliance.
IT: staff of Havas IT.
Responsibilities: Be compliant with the policy. Inform users about their responsibilities. Implement, whenever possible, mechanisms that enforce the policy. Inform HR of any significant noncompliance.
This policy will be effective for the defined scope starting on 07/09/2020. This policy is due to be reviewed on 20/08/2021.
For further information on the policy, its implementation, compliance and control, please contact: havas.ciso@havasit.com
This policy was approved by the Havas Information Security Committee on 04/09/2020.
The compliance policy controls for the statements of this document are defined in the document “IS-DAC-4001C – Data Protection Policy Controls”. This is complemented by the spreadsheet “IS-POL-2001C – Acceptable Use Policy Controls template” to help in the evaluation of controls.