INFORMATION CLASSIFICATION

AND HANDLING POLICY

TABLE OF
CONTENTS
1.1 PURPOSE ................................................................................................. 3
1.2 APPLICABILITY...................................................................................... 3
1.3 POLICY....................................................................................................... 3
1.4 WSP INFORMATION CLASSIFICATION MATRIX ................. 4
1.5 RESPONSIBILITIES .............................................................................. 5
1.6 BUSINESSES, SECTORS, REGIONS AND DIVISIONS ......... 5
1.7 LINE AND PROJECT MANAGERS ................................................ 5
1.8 EMPLOYEES ........................................................................................... 5
1.9 REPORTING OF MISUSE OR BREACHES ................................ 5
1.10 ENFORCEMENT .................................................................................... 5
1.11 INFORMATION MARKING ............................................................... 5
1.12 INFORMATION CLASSIFICATION - COMMUNICATIONS 6
1.13 INFORMATION CLASSIFICATION - STORAGE ...................... 8
1.14 INFORMATION CLASSIFICATION - HANDLING.................... 9
1.15 INFORMATION CLASSIFICATION - SECURITY...................... 11
1.16 QUALITY MANAGEMENT ............................................................... 12
1.1 PURPOSE
WSP Global Inc., together with its affiliates and subsidiaries (“WSP”) creates, collects and processes a vast
amount of information in multiple formats every day. WSP has a responsibility to protect this information
and to ensure its confidentiality, integrity and availability.
The WSP Code of Conduct states that protecting our information and assets is vitally important to both our
business and to our clients. WSP is committed to the correct and proper classification and handling of this
information. The assigned classification places controls relating to the type of information and its need to
remain confidential and secure based on the four aspects of:
— Communications – how to transmit information securely, including internal, external, email and other
— Storage – requirements for employees to ensure the protection of information
— Handling – the use of hard copy, soft copy and digital information handling
— Security – the expected behaviour of employees in the use of IT and assets
The appropriate classification, handling and storage of information is the responsibility of every WSP
employee. This policy is mandatory and applies to all WSP employees, independent consultants, contractors,
sub-contractors and third parties that have access to WSP information or WSP-managed information.

1.2 APPLICABILITY
This policy represents WSP’s global position and takes precedence over all other relevant policies which are
developed at a local level. The policy applies to all:
— WSP information including information WSP is managing on behalf of WSP clients;
— Regions, business units and services;
— WSP employees and independent consultants;
— WSP contractors and sub-contractors or anyone else working on behalf of WSP;
— Third party commercial service providers.

1.3 POLICY
All information (regardless of its format) owned, created, received, stored and processed by WSP must be
classified as defined in this Policy, according to the sensitivity of its contents, unless a client has specified, or
we are accountable for, supplemental classification and handling requirements within a particular contract.
Classification controls should take account of the organizational needs for sharing or restricting the
information and the associated impacts and risks (e.g. consequences if information is handled
inappropriately). All information must be classified into one of following categories:
— Public – information that is available to the general public and is intended for distribution outside WSP.
There would be no impact on WSP, its employees, or clients if this type of information was mishandled
or accidentally released.
— Internal – information that is only intended for internal distribution among WSP employees,
independent consultants, contractors, sub-contractors, clients and authorized third parties. In the
majority of instances there would be no significant impact on WSP, its employees or clients if this type
of information was mishandled or accidentally released.
— Confidential – information which is protected by WSP policies and/or legal contracts or by any
legislation or regulations. The unauthorized or accidental disclosure of this information could adversely
impact WSP, its clients, its employees and its business partners.
— Restricted – highly sensitive confidential information. The unauthorized or accidental disclosure of this
information would seriously and adversely impact WSP, its clients, its employees and its business
partners.
The information classification matrix on page 4 provides examples of the different categories.
July 2017
Uncontrolled if printed
wsp.com Page 3
1.4 WSP INFORMATION CLASSIFICATION MATRIX

Classification Public Internal Confidential Restricted

Risk Level Low Low Significant High

Definition Information that is available to the Information that is only intended for Information that is protected by contractual Highly sensitive confidential
general public and intended for internal distribution among WSP requirements, internal policies or legislation. information.
distribution outside WSP. This employees and authorized third parties
information may be freely (i.e. service providers, independent
disseminated without potential consultants,
harm. contractors/subcontractors).

Examples • Marketing brochures • Internal telephone and email • Client or employee personal
directory information (except that which is • Employee sensitive information (i.e.
• Employee brochures
The examples are only • Internal policies and procedures restricted) ethnic origin, political opinions,
• News or media releases
provided for guidance (excluding those published on the • Client and project information that is religious or philosophical beliefs,
purposes and should • Pamphlets
web) designated as or required to be treated trade union membership, data about
not be seen as • Advertisements
• Training manuals and as confidential under the terms of the health or sex life and criminal record
exhaustive lists • Web content contract
documentation data)
• Job postings • Employee performance records
• Employee newsletters and intranet • Childcare/adoption information
announcements • Financial information/budgetary reports
• Addiction services information
• Inter-office memorandums • Audit reports
(which are neither • Draft project reports • Disability services information
confidential nor restricted) • Vendor contracts/commercially • Unpublished financial reports
sensitive information • Strategic corporate plans
• Information covered by non-disclosure/ • Passwords / cryptographic private
confidentiality agreements keys
• Business continuity plans • Information designated by a Client as
• Incident reports Highly Sensitive/Restricted/Highly
Confidential or other
• Information collected as part of
internal/criminal/HR investigations

Possible consequences None In the majority of instances the Unauthorized disclosure could adversely Unauthorized disclosure would
if information is unauthorized disclosure would not impact WSP, its employees, its clients and its seriously and adversely impact WSP, its
mishandled significantly impact WSP, its business partners. employees, its clients and its business
employees, or its clients. partners.

July 2017
Uncontrolled if printed
wsp.com Page 4
1.5 RESPONSIBILITIES
This document is owned by the WSP Chief Information Security Officer, however the application of the
policy, both in terms of information classification and handling, is the responsibility of all WSP
employees and all managers.

1.6 BUSINESSES, SECTORS, REGIONS AND DIVISIONS

Each business, sector, region, division and support function shall ensure that these requirements are met
following the formal introduction of this policy. This may require specific processes and procedures to be
in place to comply with, and in some cases exceed, the requirements of this policy. Where practical, the
sensitivity of existing data is to be assessed and the respective information classifications are to be
applied.

1.7 LINE AND PROJECT MANAGERS

All managers (line managers and project managers) are directly responsible for implementing the
requirements of this policy within their business or support areas, and for the adherence by their staff,
be they line-managed or managed through an assignment.

1.8 EMPLOYEES
All employees or agents acting on behalf of WSP are responsible for the implementation of this policy and
for ensuring information is classified and handled to the appropriate level as defined within this policy,
and that it remains accurate, complete and available.

1.9 REPORTING OF MISUSE OR BREACHES

All employees are required to report any misuse and/or breach of this policy to their line manager
and/or the regional data protection officer through the defined Security Incident management process.

1.10 ENFORCEMENT
WSP reserves the right to take such action as it deems appropriate against individuals who breach the
conditions of this policy. WSP employees, independent consultants, contractors, or sub-contractors who
breach this policy may be subject to disciplinary action, including suspension and dismissal.
Breaches of this policy by a third party commercial service provider may lead to the withdrawal of WSP
information technology resources to that third party commercial service provider and/or the
cancellation of any contract(s) between WSP and the third party commercial service provider.

1.11 INFORMATION MARKING

All information (regardless of its format) owned, created, received, stored and processed by WSP must be
handled appropriately according to its classification. The information marking that must be applied is
stated below by classification level.
— Public – documents do not require an information security classification marking
— Internal – documents do not require an information security classification marking
— Confidential – documents must be marked Confidential, both on front cover and all document
pages.
— Restricted – documents must be marked Restricted, both on front cover and all document pages

July 2017
Uncontrolled if printed
wsp.com Page 5
1.12 INFORMATION CLASSIFICATION - COMMUNICATIONS

Classification Public Internal Confidential Restricted

Risk Level Low Low Significant High

Internal and External Public information which is to be Internal information which is to be In accordance with the External Communications and In accordance with the External Communications and
Communications published on WSP intranet and published on WSP intranet sites must Disclosure Policies, confidential information must never Disclosure Policies, restricted information must never
internet sites must comply with be authorized by the line manager of be published, posted or discussed on any internet sites, be published, posted or discussed on any internet sites,
corporate External Communications WSP section or service area who is forums or message boards, including those sites which forums or message boards, including those sites which
and Disclosure Policies and be responsible for the information. are officially sanctioned by WSP. are officially sanctioned by WSP.
authorized by the line manager of the Where information, image, logo, or Under no circumstances should confidential Under no circumstances should restricted information
WSP section or service area who is other media to be published on the information be transmitted by text, instant messaging be transmitted by text, instant messaging (IM) or chat.
responsible for the information. internet is the property of a client, (IM) or chat. Any business information received by text Any business information received by text or chat
Where information, image, logo, or written client consent is required prior or chat should be reiterated and confirmed in an email should be reiterated and confirmed in an email with the
other media to be published on the to publication. with the appropriate level of classification and handling appropriate level of classification and handling applied.
internet is the property of a client, No business information should be applied.
written client consent is required transmitted by text or chat. Any
prior to publication. business information received by text
No business information should be or chat should be reiterated and
transmitted by text or chat. confirmed in an email with the
appropriate level of classification and
handling applied.

Email Communications No special handling required No special handling required Ensure that the name and email address of the Ensure that the name and email address of the
(both internal and intended recipient are correct. intended recipient are correct.
external)
The email message should be clearly marked as The email message is clearly marked as
“Confidential” and classified within Outlook as “Restricted” and classified within Outlook as
Private. Confidential.
Only the minimum amount of confidential Any email attachment, either internal or external
information as is necessary for a given function(s) is encrypted or password protected with the
to be carried out is to be sent. password communicated via a separate medium
Any email being sent externally has its attachment e.g. SMS, and the email body contains no restricted
encrypted or is password protected with the information.
password communicated via a separate medium e.g. Only the minimum amount of restricted
SMS. The email body contains no restricted information as is necessary for a given function(s)
information. to be carried out is to be sent.
If the email contains employee or client personal If the email contains employee or client personal
information, the information must only be information, the information must only be
contained within an attachment which is contained within an attachment which is
encrypted. Transfer must be in accordance with all encrypted. Transfer must be in accordance with all
applicable data protection and privacy legislation applicable data protection and privacy legislation
and any applicable corporate Privacy Policy. and any applicable corporate Privacy Policy.

July 2017
Uncontrolled if printed
wsp.com Page 6
 INFORMATION CLASSIFICATION - COMMUNICATIONS

Classification Public Internal Confidential Restricted

Risk Level Low Low Significant High

Other Communications Use standard WSP fax For Facsimile transfer use standard WSP Confidential information should only be sent by fax Restricted information should not be
(including Facsimile and coversheet and take reasonable fax coversheet and take reasonable care in exceptional circumstances such as: communicated by fax under any circumstances.
File Transfer, both care in dialing fax number. in dialing fax number. • Medical emergency; For electronic file transfer of information, transfer
internal and external). For electronic file transfer of must be encrypted and take place via a secure, IT-
This should not be sent from a fax • Where a legal obligation exists;
information, transfer must take machine which is located within an area approved channel e.g. Secure FTP, TLS or VPN.
place via a secure, IT-approved that is accessible to the general public. • Informed consent;
Sending removable media via internal or external
channel. • Where there is no alternative.
For electronic file transfer of post must follow the Information Storage handling
information, transfer must take place When confidential information has to be sent by fax: requirements for restricted information. Ensure
via a secure, IT-approved channel e.g. the recipient is aware of the sending of
• The fax machine used to send/receive information and confirms receipt of same.
Secure FTP, TLS or VPN.
confidential information should be located
within a secure area which is not accessible by
the general public and fax machines/ Multi-
Functional Devices should be configured to not
print transmission reports showing the front
page of transmitted fax;
• Make sure you are using the correct fax number
for the intended recipient;
• Telephone the intended recipient before the
transmission to ensure they are waiting by the
fax machine for the transmission. Make a
subsequent telephone call to confirm receipt of
the transmission;
• Ensure you remove all documents from the fax
machine immediately after faxing.
For electronic file transfer of information, transfer
must take place via a secure, IT-approved channel
e.g. Secure FTP, TLS or VPN.
Sending removable media via internal or external
post must follow the Information Storage handling
requirements for confidential information. Ensure
the recipient is aware of the sending of information
and confirms receipt of same.

July 2017
Uncontrolled if printed
wsp.com Page 7
 1.13 INFORMATION CLASSIFICATION - STORAGE

Classification Public Internal Confidential Restricted

Risk Level Low Low Significant High

Information Storage All document storage should use All document storage should use an IT- In accordance with the Code of Conduct and local In accordance with the Code of Conduct and local
an IT-approved location/facility, approved location/facility, be it physical, Acceptable Computer Usage Policy, confidential Acceptable Computer Usage Policy, restricted
be it physical, virtual or cloud- virtual or cloud-based. information and WSP information systems that information and WSP information systems that
based. store or process such information should be store or process such information should be
stored/hosted on a WSP network server. stored/hosted on a WSP network server.
Confidential information shall not be stored locally Restricted information shall not be stored locally
on the hard drive of a laptop or desktop computer, on the hard drive of a laptop or desktop computer,
except where necessary for business or technical except where necessary for business or technical
reasons. The hard drive must remain within WSP reasons. The hard drive must remain within WSP
office premises (see Security and Use of Computer office premises (see Security and Use of Computer
Equipment and Assets). Equipment and Assets).
Confidential information stored on a WSP network Restricted information stored on a WSP network
server or information system must be held within server or information system must be held within a
a secure folder which is only accessible by secure folder which is only accessible by authorized
authorized employees. employees.
Storage on a mobile device or removable media is Storage on a mobile device or removable media is
only permitted where: strictly prohibited.
• The mobile device or removable media Storage via a third party should only use IT-
device is encrypted; approved services and be in accordance with the
Working with Third Parties Policy.
• The mobile device or removable media
device is secured when not in use.
• Only IT-approved USB memory sticks are
used.
Storage via a third party should only use IT-
approved services and be in accordance with the
Working with Third Parties Policy.

July 2017
Uncontrolled if printed
wsp.com Page 8
 1.14 INFORMATION CLASSIFICATION - HANDLING

Classification Public Internal Confidential Restricted

Risk Level Low Low Significant High

Hard Copy handling, No special precautions No special precautions required; Printing, scanning and photocopying of Printing, scanning and photocopying of
including retention required. however, always ensure original confidential information must be kept to a restricted information must be kept to a
(Printing, Scanning documents and copies are removed minimum. minimum.
etc.) from printer, scanner or
Printing, scanning and photocopying should be Printing, scanning and photocopying should only
photocopier as soon as possible.
carried out within an area which is not accessible be carried out within WSP or approved client areas
Where practical a clear desk policy by the general public. which are not accessible by the general public.
should be in operation for all non-
public materials. Always ensure original documents and copies are Always ensure original documents and copies are
removed from printer, scanner or photocopier removed from printer, scanner or photocopier as
as soon as possible. soon as possible.
All hard copies are to be disposed of in a secure All hard copies are to be disposed of in a secure
disposal bin. Note: Destruction must be in line disposal bin. Note: Destruction must be in line with
with the Corporate Retention policy, based on the the Corporate Retention policy, based on the type of
type of documentation. documentation.
Access to areas containing confidential Access to areas containing restricted information
information should be restricted to authorized should be restricted to authorized employees.
employees.
Where practical a clear desk policy should be in
Where practical a clear desk policy should be in operation. All restricted information is locked away
operation. All confidential information is locked securely when it is not in use.
away securely when it is not in use. For internal or external postal
For internal or external postal communications ensure the recipient is
communications ensure the recipient is aware aware of the sending of information and
of the sending of information and confirms confirms receipt of same. Use approved
receipt of same. secure couriers for restricted information
sent via external post.

Electronic information No special requirements. No special requirements. When creating, utilizing and replicating When creating, utilizing and replicating restricted
handling Note: Where the information, confidential information, documents, or records, information, documents, or records, access to any
(Document creation, image or logo is to be access to any such information must remain such information must remain limited.
replication etc.) replicated/published and is the limited. All documents containing personal information
property of a client, written client All documents containing personal information must be encrypted or password protected at all
consent is required prior to must be encrypted or password protected at all times.
publication. times.

July 2017
Uncontrolled if printed
wsp.com Page 9
 INFORMATION CLASSIFICATION - HANDLING

Classification Public Internal Confidential Restricted

Risk Level Low Low Significant High

Digital photographic or No special precautions No special precautions required. Photographic and video recordings taken as part of Photographic and video recordings taken as part of
video recording device required. confidential project work must be transferred from restricted project work must be transferred from the
usage the photographic or recording device onto a WSP photographic or recording device onto a WSP
network server as soon as is practical. When the network server and encrypted as soon as is practical.
transfer is complete the photographic/video
recording on the device should be deleted. When the transfer is complete the photographic/
video recording on the device should be deleted.
In the event that this cannot be carried out
immediately the photographic or recording device In the event that this cannot be carried out
should be locked away securely when not in use. immediately the photographic or recording device
should be locked away securely when not in use.

Voice Recordings Any recording of calls, video Any recording of calls, video that Any recording of calls, video that captures sound or Any recording of calls, video that captures sound or in-
that captures sound or in- captures sound or in-person in-person conversations must have the necessary person conversations must have the necessary level of
person conversations must have conversations must have the level of consent, from one or all parties involved. If in consent, from one or all parties involved. If in doubt
the necessary level of consent, necessary level of consent, from one doubt ensure all parties know the conversation is ensure all parties know the conversation is being
from one or all parties involved. or all parties involved. If in doubt being recorded. recorded.
If in doubt ensure all parties ensure all parties know the
know the conversation is being conversation is being recorded. Note that restricted information should not be
recorded. discussed in open telephone or video communication
and recording of calls and conversations is prohibited.
Disposal All laptop computers, desktop All laptop computers, desktop All laptop computers, desktop computers, mobile All laptop computers, desktop computers, mobile
computers, mobile computer computers, mobile computer computer devices, external/portable hard drives, computer devices, external/portable hard drives, USB
devices, external/portable hard devices, external/portable hard USB memory keys and photocopier, scanner or memory keys and photocopier, scanner or printer
drives, USB memory keys and drives, USB memory keys and printer drives must be disposed of in accordance with drives must be disposed of in accordance with local
photocopier, scanner or printer photocopier, scanner or printer local legal, financial and environmental regulations, legal, financial and environmental regulations to a
drives must be disposed of in drives must be disposed of in except where specified by contract. minimum global standard, except where specified by
accordance with local, financial accordance with local, financial and contract.
and environmental regulations. environmental regulations. If leased, the supplier needs to evidence a level of
control in destruction of any potential data stored on If leased, the supplier needs to evidence a level of
the device drives which would meet our standards. control in destruction of any potential data stored on
the device drives which would meet our standards.
Old CD/DVDs, diskettes or magnetic tape that contain
confidential information must be physically Old CD/DVDs, diskettes or magnetic tape that contain
destroyed in such a way that it is impossible to restricted information must be physically destroyed in
recover any of the confidential information stored on such a way that it is impossible to recover any of the
the device. restricted information stored on the device.

July 2017
Uncontrolled if printed
wsp.com Page 10
1.15 INFORMATION CLASSIFICATION - SECURITY

Classification Public Internal Confidential Restricted

Risk Level Low Low Significant High

Security and Use of Computer Desktop/laptop computers No business information should be Desktop/laptop computers must be password Desktop/laptop computers must be password protected in
Equipment and Assets for must be password protected in made available to any third parties protected in accordance with the local Acceptable accordance with the local Acceptable Computer Usage
handling information accordance with the local through shared screen via Skype. Computer Usage Policy and logged off or “locked” Policy and logged off or “locked” (using Ctrl+Alt+Delete
Acceptable Computer Usage (using Ctrl+Alt+Delete keys or Windows key and L) keys or Windows key and L) when they have to be left
If using IT services to provide support,
Policy and logged off or when they have to be left unattended. unattended.
ensure that no information is visible in
“locked” (using Ctrl+Alt+Delete the event of a remote support activity Storage of information on desktop/laptop computers Storage of information on desktop/laptop computers is
keys or Windows key and L) being initiated. is strictly prohibited except where the Storage is strictly prohibited except where the Storage is necessary
when they have to be left necessary for business or technical reasons. for business or technical reasons.
unattended. Desktop/laptop computers must be
password protected in accordance with Your desktop/laptop computer / must be password Your desktop/laptop computer must be password
Laptop computers must either the local Acceptable Computer Usage protected in accordance with the local Acceptable
protected in accordance with the local Acceptable
be locked with a laptop cable Policy and logged off or “locked” (using Computer Usage Policy and your desktop/laptop computer
Computer Usage Policy and your desktop/laptop
lock if available or stored in a Ctrl+Alt+Delete keys or Windows key must be encrypted in accordance with the Encryption
computer/mobile device must be encrypted in
locked drawer or cabinet when and L) when they have to be left Policy; information is encrypted with separate passwords
accordance with the Encryption Policy.
left in the office overnight and unattended. which are transmitted via a different medium e.g. SMS.
kept with you at all times Information is backed up on a regular basis to an IT-
Laptop computers must either be locked Information is backed up on a regular basis to IT-approved
when working off-site, except approved location/storage.
with a laptop cable lock if available or location/storage.
where legislation or directives
require storage within stored in a locked drawer or cabinet Use of personal devices for storage or transmission of Storage or transmission on a mobile device or removable
specified locations e.g. airplane when left in the office overnight and confidential information is strictly prohibited.
media is strictly prohibited.
luggage hold during flights. kept with you at all times when working If using IT services to provide support, ensure that no
off-site, except where legislation or information is visible in the event of a remote Use of personal devices for storage or transmission of
Mobile devices must be directives require storage within confidential information is strictly prohibited.
encrypted and password support activity being initiated.
specified locations e.g. airplane luggage If using IT services to provide support, ensure that no
protected. hold during flights. The display should be positioned in such a way as to
minimize the risk of unauthorized individuals information is visible in the event of a remote support
Mobile devices must be encrypted and accessing the computer or viewing information activity being initiated.
password protected. displayed. The display should be positioned in such a way as to
Laptop computers must either be locked with a minimize the risk of unauthorized individuals accessing
laptop cable lock if available or stored in a locked the computer or viewing information displayed. Laptop
drawer or cabinet when left in the office overnight computers must either be locked with a laptop cable lock
and kept with you at all times when working off-site, if available or stored in a locked drawer or cabinet when
except where legislation or directives require storage left in the office overnight and kept with you at all times
within specified locations e.g. airplane luggage hold when working off-site, except where legislation or
during flights. directives require storage within specified locations e.g.
airplane luggage hold during flights.
Mobile devices must be encrypted and password
protected. Mobile devices must be encrypted and password
protected.

July 2017
Uncontrolled if printed
wsp.com Page 11
1.16 QUALITY MANAGEMENT

Status Approved

Effective Date November 15, 2017

Prepared by Mark Riley

Checked by Shoshana Rosenberg

Approved by Robert Ouellette

Applicability All WSP employees, independent consultants, contractors, sub-contractors, and

authorized third party service providers that use the organization’s IT resources.

WSP Code of Conduct

Related WSP Information Security Policy
Documents WSP Password Standards (available soon)
WSP Encryption Policy (available soon)
Corporate Retention Policy (available soon)
WSP Acceptable Computer Use policies (Local)
Jenny Dho
Contact Details
Global Chief Information Security Officer
WSP Global Inc.
1600, René-Lévesque Boulevard West, 16th Floor
Montréal (Québec)
H3H 1P9 Canada
Office: + 1 (438) 843-8021
Email: [email protected]

Mark Riley
Global Head Information Security Governance & Compliance
62-64 Hills Road, Cambridge. CB2 1LA. United Kingdom
Mobile: +44 (0)7481 166859
Email: [email protected]

This policy may be updated at any time (without notice) to ensure changes to WSP’s organization structure
and/or business practices are properly reflected in the policy. Please ensure you check the WSP global
intranet for the most up to date version of this policy.

July 2017
Uncontrolled if printed
wsp.com Page 12