
Classification and Handling of Information

The document outlines the classification and handling of information within Ericsson, detailing the responsibilities of employees in protecting sensitive data. It defines three classification levels: Open, Ericsson Internal, and Ericsson Confidential, each with specific handling and access control requirements. The document emphasizes the importance of proper labeling, access control, and adherence to confidentiality to prevent unauthorized disclosure and potential harm to the organization.

Uploaded by

Daniel Garduño

Confidentiality Class External Confidentiality Label Document Type Page

Ericsson Internal Group Instruction 1 (9)


Prepared By (Subject Responsible) Approved By (Document Responsible) Checked

ECESBOM CESARE BOMBELLI GFFIG [Fredrik Robertsson]


Document Number Revision Date Reference

000 24-3146 Uen G 2022-04-19

Classification and handling of Information

Application

Rules applicable to all employees and/or individuals performing work for Ericsson and to be
used within the entire Ericsson Group when handling information owned by, or in the custody
of, Ericsson.

Contents

1 Instruction
1.1 How to classify information
1.2 Classification levels
1.2.1 Open
1.2.2 Ericsson Internal
1.2.3 Ericsson Confidential
1.3 Labeling
1.3.1 Other labeling
1.4 Access control
1.4.1 Information produced and classified by external party
1.5 Photography/Audio-Video recording Requirements
1.6 Changes in classification
1.7 Handling of information
1.8 Connection to Ericsson Business Processes
1.9 Adherence/Compliance Controls
2 Responsibility
3 Exemption/Deviation
4 Contacts for this Instruction
5 References
6 Change information

1 Instruction
Ericsson’s workforce has access to information owned by Ericsson, or information that is
entrusted to Ericsson by external parties. Wrongful disclosure of such information may
cause damage to Ericsson, customers, workforce and/or partners & suppliers.

The term information refers to any collection of information that is printed, written on paper,
stored and/or processed electronically, transmitted, shown as film or clips, or spoken in
conversation.

The level of protection applied shall reflect the value of the information to ensure relevant,
consistent, and cost-efficient protection of information within Ericsson.

Information created and processed in Ericsson Group Management System (EGMS) [1] is
subject to the right protection measures. The Criticality Assessment [2] and the selection of
protection level support the Process Owner (footnote 1) in deciding adequate protection measures.

Ericsson information shall be classified and labeled in accordance with its confidentiality.

1.1 How to classify information

Information is classified based on confidentiality of the information and as such the level of
harm it may cause the organization if the information is disclosed to unauthorized persons.

The level of harm is often connected to financial loss, reputational damage, loss of
operations and deals and is expressed in terms of no harm, limited harm or noticeable or
severe harm to the company.

Classifying and labeling information gives transparency and assists in protecting the
information to the right level.

1.2 Classification levels

In Ericsson we have three classification levels: Open, Ericsson Internal and Ericsson
Confidential.

1.2.1 Open

Open information is open to all and is intended for wide distribution inside and outside of
Ericsson. It contains no information that may have a negative impact on the Company, i.e.,
no harm.

This classification level is used for external or public presentations, published press releases
etc.

Open Information shall still be protected to ensure the integrity and availability of
information but has no requirements on confidentiality.

Footnote 1: Process Owner is intended at any level. For information managed in EBP, responsibility for
information and classification is assigned to the Process Owner, as described in the EBP document. For
information in scope for EGMS, i.e., beyond EBP, the reference is the Description of the EGMS document,
sec. 1.7 “Document Handling”.

1.2.2 Ericsson Internal

Ericsson Internal information may cause limited harm to Ericsson if it is wrongfully disclosed
to unauthorized parties.

This is information intended for internal use or for limited distribution to external parties
and shall be used for most information produced in Ericsson. Ericsson Internal is in general
accessible widely within Ericsson. Ericsson Internal information may only be distributed
externally under Non-Disclosure Agreement (NDA) [3], [11].

1.2.3 Ericsson Confidential

The classification and label Ericsson Confidential shall be used for information that needs
the highest level of protection for confidentiality.

Confidential information may cause noticeable damage to business operations or to
individuals if disclosed to unauthorized persons.

Access shall be limited, and protection requirements against unauthorized access are strict.

Ericsson Confidential information may only be distributed externally under Non-Disclosure
Agreement (NDA) [3].

1.3 Labeling

All Ericsson information shall be classified and labeled according to its classification with
Open, Ericsson Internal or Ericsson Confidential where feasible. If no labeling is possible or
in place, default classification ‘Ericsson Internal’ shall be assumed (footnote 2).

1.3.1 Other labeling

1.3.1.1 Public

Public relates to all external publication or disclosure of Ericsson information to a public
audience approved by Group Function Marketing and Corporate Relations or by an
authorized spokesperson [6] appointed by Group Function Marketing and Corporate
Relations.

Footnote 2: Additional labeling of information may be provided for certain needs. For example, information
related to attorney-client privilege may be labeled to inform the reader of such legal obligations. This and
similar labeling requirements, not directly related to information security, are not in scope for this Group
Instruction.

Information intended for publication, e.g., financial reports, can be confidential up to its
release and shall be handled accordingly. Information shall be re-classified to Open and
labeled as Public when the decision has been taken to publish it externally.

1.3.1.2 Commercial in Confidence

Information intended to be shared with external parties shall be labeled according to its
classification with the addition of “Commercial in confidence”.

This labeling shall be applied either as an additional label or in the form of a watermark.

1.4 Access control

Access shall be granted based on role. Access must be reviewed regularly by the Process
Owner. The following rules apply depending on classification:

Open
No Access restrictions. Protection measures to protect integrity and availability still apply.
Label may be Open or Public.

Ericsson Internal
Access to information is given to a wide Ericsson Workforce audience, although role-based
access may be applied.

Ericsson Confidential
Access to information is role-based. Label may be Ericsson Confidential or Commercial in
Confidence.

1.4.1 Information produced and classified by external party

Ericsson regularly handles information that is produced and classified by a customer,
vendor, or other external party. When in Ericsson's custody, the information shall be
handled and classified in accordance with the agreement between Ericsson and the third party.
If no agreement exists, all information shared shall be handled as Ericsson Internal
information with role-based access applied.

Information entrusted to Ericsson that is classified as sensitive by an external party shall,
regardless of its labeling, be classified as Ericsson Confidential and handled accordingly.

1.5 Photography/Audio-Video recording Requirements

Local Management at Ericsson determines if taking pictures and recording audio-video is
allowed, preventing it in specific locations or where sensitive operations take place. Such
restricted areas include external events where Ericsson is the arranger. Typical locations are
Red- and Yellow zones.

Any restrictions on taking pictures and audio-video recording must be communicated to all
concerned individuals. This communication can be in the form of awareness training, signs,
information flyers etc. The manager responsible for the area or object with restrictions may
grant exceptions through a written permission.

Furthermore, it is not permitted to take pictures or record videos of any documents, whether
electronic or on paper, or of any other objects which are sensitive from a trade secret view,
such as prototypes or specific equipment, or that are classified as Confidential or higher.
Images identifying individuals are to be considered as personal data and must be handled
accordingly [4].

A permit for taking pictures and/or filming and recording must state time, place, responsible
within Ericsson, name of the photographer and name of the photographer’s company. The
permit document must be carried and presented when requested. A copy of the permit must
be stored by the approver. Preferably, use the Photographing / film permission request form
[5] to handle permissions.

Pictures must not be taken, and videos not recorded, of any individuals without their
consent.

The photographer has the sole responsibility to seek necessary consents when required
from individuals intended to be subject to photographing or video recording. Decline of
consent must always be respected.

1.6 Changes in classification

The confidentiality of information can change during its life cycle. The Classification label
shall reflect the current level of confidentiality.

1.7 Handling of information

The classification level determines the handling requirements for the information to ensure
the right level of protection.

Information, regardless of what media it is stored on, must be protected from unauthorized
access. Electronically processed, stored, and transmitted information that is non-public has
restrictions regarding access, handling, communication and disposal or destruction.

Non-public information that is printed or written on paper has restrictions regarding access
control, storage, distribution, and destruction of the information.

The minimum restrictions for handling information according to its classification are listed in
the quick chart of handling guidelines below (footnote 3). Further restrictions may be introduced
by the Process Owner.

Handling Area: Documents

Handling requirement: Sharing information with customers and external parties
Open: No additional requirements on top of the Information Security Requirements (ISR) [7]
Ericsson Internal: If authorized and commercial agreement (NDA) is in place. Apply “Commercial in
Confidence” as a label or watermark.
Ericsson Confidential: If authorized and commercial agreement (NDA) is in place. Apply “Commercial in
Confidence” as a label or watermark.

Handling requirement: Storage in green zone (Public areas)
Open: No additional requirements on top of the ISRs
Ericsson Internal: Safe, secure cabinet or locked furniture
Ericsson Confidential: Not allowed

Handling requirement: Storage in yellow zone (Ericsson Offices with physical access control)
Open: No additional requirements on top of the ISRs
Ericsson Internal: No additional requirements on top of the ISRs
Ericsson Confidential: Safe, secure cabinet or vault

Handling requirement: Storage in red zone
Open: No additional requirements on top of the ISRs
Ericsson Internal: No additional requirements on top of the ISRs
Ericsson Confidential: Access controlled areas, locked furniture or cabinet

Handling requirement: Storage outside Ericsson premises
Open: No additional requirements on top of the ISRs
Ericsson Internal: Kept under surveillance or stored in a secure place
Ericsson Confidential: In safe or under surveillance

Handling requirement: Destruction and disposal
Open: No additional requirements on top of the ISRs
Ericsson Internal: Document containers for recycling in yellow/red zones
Ericsson Confidential: Shredder or document containers for secure recycling in yellow/red zones

Handling Area: Communication

Handling requirement: E-mail Internal
Open: No requirements
Ericsson Internal: No requirements
Ericsson Confidential: Encrypted

Handling requirement: E-mail External
Open: No requirements
Ericsson Internal: No requirements
Ericsson Confidential: Encrypted (footnote 4)

Footnote 3: The restrictions in the quick guide are the comprehensive selection of requirements in the
Information Security Management System (ISMS – part of the Ericsson Group Management System, EGMS)
regarding confidentiality and handling of information.
Footnote 4: Please see instructions for External e-mail encryption

Handling Area: Communication (continued)

Handling requirement: Delivery by postal services
Open: No requirements
Ericsson Internal: Internal post – Open envelopes. Public post – Sealed envelopes.
Ericsson Confidential: Internal post – Sealed envelopes. Public post – Not allowed. Courier – Sealed and
signed envelopes, confirmation of receipt.

Handling requirement: Voice calls and video calls and meetings on collaboration platform
Open: No requirements
Ericsson Internal: No requirements
Ericsson Confidential: When business is covered by NDA, use appropriate Ericsson tools and services.

Handling Area: Workstations Devices and Services

Handling requirement: Ericsson controlled Device
Open: No requirements
Ericsson Internal: Encrypted hard drive or Ericsson appropriate tools and services (footnote 5)
Ericsson Confidential: Encrypted hard drive or Ericsson appropriate tools and services

Handling requirement: Private devices
Open: No requirements
Ericsson Internal: Authorized devices and using appropriate Ericsson tools and services.
Ericsson Confidential: Authorized devices and using appropriate Ericsson tools and services.

Handling requirement: Third party devices
Open: No requirements
Ericsson Internal: Should be avoided
Ericsson Confidential: Not allowed

Handling requirement: Cloud or Internet storage
Open: No requirements
Ericsson Internal: Relevant cloud service listed on IT Service Catalog (footnote 6)
Ericsson Confidential: Relevant cloud service listed on IT Service Catalog

Handling requirement: USB (any device with storage capability)
Open: Disabled by default. An exemption is required
Ericsson Internal: Disabled by default. An exemption is required. If usage is permitted, then information
shall be kept encrypted (footnote 7)
Ericsson Confidential: Disabled by default. An exemption is required. If usage is permitted, then
information shall be kept encrypted

Handling Area: Travel

Handling requirement: Traveling and hand carriage
Open: No requirements
Ericsson Internal: Keep in sight. Use locked suitcases if possible
Ericsson Confidential: Supervised and in locked suitcase. Electronically stored information should be
encrypted

Footnote 5: Example: EMM on mobile phones
Footnote 6: Cloud storage services available from IT Service Catalog are: AWS at Ericsson, Azure at Ericsson
Footnote 7: Currently BitLocker is the tool for encryption suggested by Global IT

1.8 Connection to Ericsson Business Processes

This Instruction provides rules and work procedures to be embedded in relevant parts of the
Ericsson Business Processes (EBP) and in approved tools for the effective management of
Information Classification and Handling, in all Ericsson Units and across all Ericsson
Business Capability Areas, where Ericsson, customer and partner information is handled.

1.9 Adherence/Compliance Controls

Adherence to this Instruction is required at all levels, through execution of the rules for
Classification and Handling of Information. Detailed Controls are listed as part of the
Information Security Requirements [7], in detail section 8.2 Information Classification.

2 Responsibility
Process Owners have the responsibility to set the classification for information created in
their respective areas and appropriate handling procedures.

Managers on all levels are responsible for ensuring that information is handled in their units
and relevant tools as applicable and in accordance with the classification.

This responsibility includes informing workforce about applicable rules and procedures.

Group Security is responsible for providing the framework for information security which is
available through the Information Security Management System [8] and the Information
Security Requirements [7] and the general guidelines on the handling of information for the
different classification levels.

3 Exemption/Deviation
In line with Governance of Steering Documents [9], all Group Instructions are mandatory
unless an exemption/deviation is granted following the process described in Rules for writing
and handling Group and Local Steering Documents [10].

4 Contacts for this Instruction
Group Function Finance & Common Functions, Group Security.

5 References
[1] Group Directive, 034 02-2431 Uen, Ericsson Group Management System (EGMS)

[2] Instruction, GFFI-20:011984 Uen, Criticality Assessment Instruction

[3] Instruction, LME-07:002942 Uen, External personnel non-disclosure and access instruction

[4] Group Directive, 034 02-3150 Uen, Data Privacy Management

[5] Form, GFFI-21:021048 Uen, Photographing/film permission request form

[6] Instruction, GFMC-21:000131 Uen, Instruction Spokesperson

[7] Instruction, GFFI-20:009468 Uen, Information Security Requirements

[8] Group Directive, 034 02-3137 Uen, Information Security Management System

[9] Instruction, EAB-10:17160 Uen, Governance of Steering Documents

[10] Work Instruction, 000 21-2908 Uen, Rules for writing and handling Group and Local
Steering Documents

[11] Ericsson Internal web page: Non-Disclosure Agreements (NDA) with external
parties - Internal (ericsson.com)

6 Change information
Summary of changes compared to previous revision:

1. Process Owner replaces Information Owner throughout full document
2. Sec. 1.5 Added “audio” to “video” recording
3. Sec. 1.7 Improved terminology to remove ambiguities
