Ex Libris is committed to providing its customers with a highly secure and reliable environment for its hosting and cloud-based applications. It has therefore developed a multi-tiered security model that covers all aspects of hosting and cloud-based Ex Libris systems. The security model and controls are based on international protocols and standards and industry best practices, such as ISO/IEC 27001, the standard for information security management systems (ISMS).
As part of the company’s focus on security issues, Ex Libris employs a dedicated Security Officer and a dedicated Cloud Services team that is responsible for:
Applying the security model to all system tiers
Monitoring and analyzing the infrastructure for suspicious activities and potential threats
Issuing periodic security reports to Ex Libris management and customers
Dynamically updating the security model and addressing new security threats
In addition, the Ex Libris Security Team is dedicated to:
Systematically examining the organization's information security risks, taking into account threats and vulnerabilities
Designing and implementing a coherent and comprehensive suite of information security controls and/or other forms of risk treatment (such as risk avoidance or risk transfer) to address the risks that are deemed unacceptable
Adopting an overarching management process to ensure that the information security controls continue to meet the organization's evolving information security needs
Physical Security Protocols
Security controls at Ex Libris data centers are based on standard technologies and follow the industry’s best practices. The physical security controls are constructed in such a way as to eliminate the effect of single points of failure and retain the resilience of the computing center.
The Ex Libris data centers have a SSAE16 SOC1 service auditor’s report as the result of an indepth audit of the centers’ control objectives and control activities, including controls over information technology and all other related processes.
A variety of environmental controls are implemented at the Ex Libris data center facilities.
Servers are locked inside the infrastructure in a designated area.
The server area is cooled by a separate air conditioning system, which keeps the climate at the desired temperature to prevent service outage.
The facilities are protected by a fire suppression system, which protects the computing equipment and has built-in fire, water, and smoke detectors.
The facilities have on-site generators, which serve as an alternative power source.
There is 24-hour video surveillance of all entrances and exits, lobbies, and ancillary rooms. The videos are recorded and monitored, and be retained for later use.
Physical Access Control
Physical access to the data center is restricted to personnel with a business need to access the infrastructure. All physical access activities are logged and monitored. All visitors need to be approved beforehand, and the approval is for a limited period of time. Visitors must be accompanied by an authorized employee throughout their visit.
Operational and Information Security Protocols
Operating systems used in the cloud are hardened according to best practices in the industry. Only services and components that are necessary to support the application stack are activated. The administrator user always has a password set up, and only necessary ports in the firewall are open.
Firewalls: Applications in the hosting and cloud have firewalls installed to shield them from attack and prevent the loss of valuable customer data. The firewalls are configured to serve as perimeter firewalls to block ports and protocols.
Network-Based Intrusion Detection and Prevention
The combination of an intrusion detection system (IDS) and intrusion prevention system (IPS) installed and tracks all illegal activities. The system sends real-time alerts and proactively blocks communication once a suspicious attack is discovered. The system performs various activities on the network: log collection and analysis from the various machines (firewalls, switches, and routers), file integrity checking, and rootkit detection.
Ex Libris has strict procedures and a unique policy for handling obsolete data based on the DoD 5220.22-M standard. These procedures are also applied if a customer decides to stop using EX Libris' software. Disks and tapes are destroyed once they are no longer needed. Tapes are overwritten with the next use. CDs that are no longer needed are destroyed by a CD/DVD data crusher or shredder. All storage devices that may need to be used again are cleaned by data wipe software.
On a regular basis, Ex Libris performs system backups to back up application files, database files, and storage files. All backup files are subject to the privacy controls in practice at Ex Libris. The restore procedures are tested on an ongoing basis to ensure rapid restoration in case of data loss.
Development Life Cycle and Maintenance
Ex Libris implements a number of practices to keep each stage of the software development life cycle secure. These include:
Planning – During the planning stage, the security officer submits a report specifying the product’s security requirements. The report includes the security requirements covering all of the solution components, such as the application, the database, and the client side. To manage security issues optimally, the security officer uses various methods, such as access control, auditing, and monitoring.
Design and Development – The security officer verifies that the design and development of the product are based on our security guidelines. Other security issues are addressed by an additional security-gap requirements document. The security code review is tested on security-sensitive parts of the application.
Implementation, Testing, and Documentation – Unit, integration, and system testing confirm that security requirements are properly implemented. The requirements are documented and become standard policy.
Deployment and Maintenance – The security officer is responsible for identifying, managing, and minimizing security vulnerabilities. The security officer also performs quarterly penetration tests or security reviews.
The following items are relevant for access control:
Access control – Access to the infrastructure is limited, based on role and responsibility and is only available to Operations and Professional Services for maintaining and supporting customers.
Authentication – Ex Libris also enforces a strict role based password policy that applies to both layers - the operational team members and the application's users. Passwords are stored in an encrypted form, using a one-way encryption method based on an industry standard hash algorithm. Only the application is able to compare the hashed and entered passwords. In some cases Ex Libris grants the customer full root access and full control. Customers can implement their own password based on their password policy (depending on products, service level, and their contract agreement).
Authorization and Privacy – Multi-tenancy and shared resources are basic characteristics of the Hosting and SaaS architecture. Resources, such as storage, and networks are shared between users. Data privacy and protection may be compromised, as the European Network and Security Agency explains, if there is “a failure of mechanisms separating storage, memory, routing, and even reputation between different tenants of the shared infrastructure” (https://www.enisa.europa.eu/media/faq-on-enisa/FAQ%20Cloud%20Computing.pdf/at_download/file). Therefore, strict data isolation is applied in the application to all layers of the application. Data isolation is defined based on either shared resources using firewall rules for network isolation, Oracle VPD, or separate databases for database isolation and separate files and permissions for files sharing isolation.Since the privacy and confidentiality of its customers' data are the company’s top priority, Ex Libris has developed extended authorization controls and additional security processes to protect customer privacy. The authorization mechanism in Ex Libris applications supports the segregation of duties. Segregation of duties is applied in order to minimize the risks and the possibility of misusing privileges.
Ex Libris has instituted the following policies in order to protect customer data:
Customer data is protected with Oracle technologies.
Personal information is protected.
Sensitive personal information such as bank information and credit cards are not stored by Ex Libris.
Customer data, including private data, is deleted based on the Data Elimination section and backed up customer data is deleted periodically. All access control activities produce logs with enough information to meet auditing requirements and support usage charges. In addition, access control activities generate notifications to designated users to prevent users from setting up rogue accounts or otherwise modifying access entitlements.
The following items are relevant for asset management:
Incident Management – NIST defines a computer security incident as “a violation or imminent threat of violation of computer security policies, acceptable use policies, or standard security practices.” (http://www.csirt.org/publications/sp800-61.pdf). To handle security incidents effectively, Ex Libris has constructed incident response and notification procedures.Ex Libris employs a dedicated Incident Handling team that responds to security incidents and mitigates risks. The team uses monitoring and tracking tools and performs real-time analysis. Additionally, the team has clear procedures in place for communicating the incidents to any involved party and for handling escalations. Every incident is forwarded to the security officer for assessment and analysis.
Personnel Security – Ex Libris realizes that the malicious activities of an insider could have an impact on the confidentiality, integrity, and availability of all types of data and has therefore formulated policies and procedures concerning the hiring of IT administrators or others with system access. Ex Libris has also formulated policies and procedures for the ongoing periodic evaluation of IT administrators or others with system access. User permissions are continuously updated and adjusted so that when a user's job no longer involves infrastructure management, the user's console access rights are immediately revoked.
Background Checks – Once a candidate has been offered a job with Ex Libris and before he or she begins employment, we conduct a background check. For all background checks and reference checks we receive a release from the candidate prior to starting the screening process. We use a third party to conduct our background checks. The standard check includes S.C check, criminal history, employment verification, and reference checks. Any additional checks are conducted based on business needs.
SSAE16 SOC1 – As described earlier, Ex Libris data facilities went through an in-depth audit of their control objectives and control activities and a SSAE16 SOC1 audit report was issued.
Personal Information Collected and How It is Collected
We do not require Website visitors to provide personal information in order to have access to the Website. We may collect personal information that users choose to provide when filling out registration forms on the Website for different Ex Libris offerings and services, such as events, webinars, or "contact us" requests (collectively, "Contact Us Requests").
Products and Services
We may receive and store personal information about users from our library customers in connection with the products and services that we provide.
The Way We Use Personal Information
We may contact users to respond to their Contact Us Requests, or contact library staff in connection with their use of products and services to which their institutions subscribe. We store personal information only for as long as necessary to respond to users, to provide the products and services and/or to comply with applicable record retention rules. We will not use personal information to contact patrons of library customers. We will not share, transfer or disclose users' personal information to any third party without each User's express consent, except as expressly stated herein.
Sharing Personal Information
Safe Harbor Privacy Framework
Ex Libris (USA) Inc. participates in the U.S.-EU and U.S.-Switzerland Safe Harbor Privacy Framework as set forth by the United States Department of Commerce. As part of our participation in safe harbor, we have agreed to the TRUSTe Dispute Resolution Requirements for disputes relating to our compliance with the Safe Harbor Privacy Framework. If you have complaints regarding our compliance with the Safe Harbor you should first contact us by email to firstname.lastname@example.org. If contacting us does not resolve your complaint, you may raise your complaint by contacting TRUSTe here, by fax at 415-520-3420, or mail at Watchdog Complaints, TRUSTe, 55 2nd Street, 2nd Floor, San Francisco, CA, USA 94105. If you are faxing or mailing TRUSTe to lodge a complaint, you must include the following information: the name of company, the alleged privacy violation, your contact information, and whether you would like the particulars of your complaints shared with the company. For information about TRUSTe or the operation of TRUSTe’s dispute resolution process, please visit TRUSTe or request this information from TRUSTe at any of the addresses listed above. The TRUSTe dispute resolution process shall be conducted in English.
User Rights Regarding Personal Information
The security of personal information is important to us. We follow generally accepted industry standards, including the use of appropriate administrative, physical and technical safeguards to protect the personal information submitted to us.
We conduct compliance audits of our privacy practices to verify adherence to this policy. When we have knowledge that any of our employees or third-party service providers is using or disclosing personal information in a manner contrary to this policy, we will take reasonable steps to prevent or stop the use or disclosure. We hold our employees and third-party providers accountable for maintaining the trust that our Users place in our company.
Personally identifiable Information means any information recorded in any form about or concerning an identifiable individual or that can be used, either alone or in combination with other information, to identify an individual, including any information about the goods or services provided by a user to such individual. Personally identifiable Information shall include information (i) provided by or on behalf of User to Ex Libris; or (ii) obtained, used, accessed, processed, possessed or acquired by Ex Libris on behalf of User or otherwise in connection with the provision of goods and/or services to or for User, including all copies, in whatever form. Personally identifiable information shall be considered data (as defined below) and shall be safeguarded by Ex Libris in accordance with the terms of this agreement.
Data means user's information that Ex Libris stores or has stored on behalf of user in connection with the hosting services as well as information regarding use of the system by user or the authorized users that is generated by the System or by Ex Libris as a result of the Services, including all copies of the foregoing, in whatever form. For the avoidance of doubt, as between Ex Libris and user, user exclusively owns any and all rights in and to all Data. Ex Libris agrees to use or disclose the Data solely for the purpose of providing the hosting services. Any Ex Libris employees, contractors or agents ("Representatives") to whom Ex Libris discloses any data shall be under an obligation (and in the case of non-employees a written obligation) to protect and use the data in accordance with the terms of this Agreement. Ex Libris shall be responsible for the actions of any of the representatives to whom it discloses the data. If Ex Libris becomes aware of any unauthorized access, use or disclosure of the data or any portion thereof, Ex Libris shall promptly and fully notify User of all facts known to it of such unauthorized use or disclosure.
Integrity of the Data
Ex Libris uses commercially reasonable efforts to protect the integrity of the data. If any data is lost, destroyed or becomes inaccessible to User, Ex Libris uses its commercially reasonable efforts to recover such data so it is available for use. If the data cannot be recovered by Ex Libris within a reasonable period, then Ex Libris will be responsible for paying all reasonable costs and expenses necessary to recreate the data.
Data Privacy FAQs
Are there specific anonymization jobs in Alma Analytics?
The Alma Analytics database is populated with ongoing feeds from Alma’s operational database. This process is referred to as ETL: Extract, Transfer and Load. The data in Analytics is an exact reflection of the operational data that is used in Alma. Therefore, data that is anonymized in Alma is reportable in Analytics only in an anonymized format. Alma runs anonymization jobs on the following data elements:
- Fines & Fees
- Resource Sharing Requests
When any of these records is anonymized, the link between the relevant record and the borrowing patron is permanently removed from the system—that is, it is not restorable in any way. Consequently, any interface that shows information about the borrower of a loan will have no history information to display.
Does Alma support retention periods for anonymized loan records?
Retaining history information in the system is very useful for auditing purposes. At time, libraries need refer to historical actions, such as loans, requests or fees, in order to be able to analyze issues of interest, such as what happened to a lost item or how a fee has been handled. An additional need for retaining historical information may be related to being able to extract statistical information, such as how many loans of a given type have been processed in a given period of time, or how many requests have been canceled.
In order to fulfill these requirements, Alma retains history records for fulfillment actions indefinitely. Having these records remain reportable in Analytics is essential in order to be able to meet the above listed requirements. However, the retaining of full historical information may create a privacy challenge. Many libraries have to abide to strict privacy regulations that forbid storing patron information that is not essential for a patron service. The indefinite storing of fulfillment information is a breach of these regulations.
The Alma process of anonymization is aimed at fulfilling both of these conflicting requirements. It strips relevant fulfillment records of their patron personal information where that information is not required for a current patron service, while retaining enough information to be able to meet the auditing and reporting requirements of the libraries.
Which historical loan records are anonymized?
All historical loan records that meet the following criteria are anonymized:
- The loan has been returned. Lost or claimed returned loans are considered active and are not anonymized.
- The loan has no associated active fees. If there are associated fines—such as lost loan or overdue item fines that are linked to the loan—and the fines have not been fully paid, the loan is not anonymized.
- The loan meets any criteria defined in the Loan Anonymization Rules (see Configuring Anonymization).
- Returns list in Manage Patron Services
- Loan history in Primo My Account
- History tab in the Item Editor screen, when filtered to view fulfillment history
- User Type
- User Group
- Job Title
- User Statistics 1
- User Statistics 2
- User Statistics 3
- User Statistics 4
- User Statistics 5
Which historical fines and fees records are anonymized?
All historical fine and fee records that meet the following criteria are anonymized:
- Fines and fees that have been fully paid.
- Fines and fees that have been fully waived.
- Fines and fees that have been closed by a bursar export.
- The patron's list of fines and fees in the User Edit form
The fine/fee record includes additional statistical information about the patron, including:
- User Group
- User Statistics 1
- User Statistics 2
- User Statistics 3
- User Statistics 4
- User Statistics 5
This statistical information remains on the fine/fee record and is not lost when the anonymization process is run.
Which historical requests are anonymized?
All historical requests that meet the following criteria are anonymized:
- Requests that have been fulfilled.
- Requests that have been canceled.
The record includes statistical information about the patron, including:
- User Group
- User Statistics 1
- User Statistics 2
- User Statistics 3
- User Statistics 4
- User Statistics 5
This statistical information remains on the request record and is not lost when the anonymization process is run.
Which resource sharing borrowing requests are anonymized?
All historical resource sharing borrowing requests that meet the following criteria are anonymized:
- Request has been canceled by a staff member.
- Request has been canceled by the patron.
- Request has been rejected by the lender.
- Request has been fulfilled and returned to the lender.
- Request has been removed.
- Removed requests are not automatically anonymized when removed. Their anonymization depends on the job configuration.
Anonymizing resource sharing requests may affect:
Borrowing Requests - removing the link between the requester and the patron record.
Lending Requests - When ISO requests are used, patron information may be included in the request information that is sent to the lender, as per the partner record configuration. The requester information is stored on the request’s note on the lending request. This information is also anonymized by the job.
- List of borrowing requests
- Edit form of borrowing request
- Lending request notes
- User Group
- User Statistics 1
- User Statistics 2
- User Statistics 3
- User Statistics 4
- User Statistics 5
This statistical information remains on the borrowing resource sharing request record and is not lost when the anonymization process is run.
Which personal data, if any, is stored in Alma Analytics?
The Alma Analytics database is populated with ongoing feeds from Alma’s operational database. Therefore, Analytics can report on the user data that is stored in Alma. This includes:
- Phone Numbers
- Campus Details
- User Statistics
When the anonymization processes are run, the data elements above are stripped from any user information. All that remains reportable is statistical information. This includes user group information and user statistical categories.
- Alma requires one unique ID in order to enable the linkage between the Alma user record and the institutional student information system. This may be any unique ID, not necessarily the patron barcode.
- Other data elements are not required, but where they are defined, they are used by the system to provide library services. For example:
- Email address is not mandatory but is used by Alma to enable the sending of library notices, such as overdue letters and courtesy notices. If there is no email in the system, Alma will not be able to send these notices.
- Phone number is not mandatory, but is used by Alma to send SMS messages to the patron. If there is no phone number in the system, Alma will not be able to send these SMS messages.
- Additional identifiers are not mandatory, but may be used by Alma where they are defined to facilitate links to other integrated systems, such as a bursar system.
- User group indication is used to facilitate fulfillment rules. The fulfillment rules are based on the user group, and can be implemented only when user group indications are assigned to the user record.
- Alma does not store photos. Rather, they are stored on a customer server on the library's premises. For more information, see photo_server_url.
How are Alma anonymization jobs configured? What are their results?
Alma automatically anonymizes all completed hold requests. Other elements’ anonymization may be activated or deactivated. You can define this on the Fulfillment Jobs Configuration page. For more information, see Configuring Anonymization.
- Loans – Anonymizing loans will cause a completed loan (i.e., a loan that was returned) to have its link to the borrower removed from the system. This is a database removal action that is not reversible. Loans anonymization rules can be further refined in the Loan Anonymization Rule Editor (see Loan Anonymization Rules). By default, loans are not anonymized if items are:
- marked Lost but not checked in/deleted.
- marked Claimed Returned but not checked in/deleted.
- linked to fees that are still in process. The loan will be anonymized only after all attached fees are closed.
- Fines and Fees – Fines and Fees are anonymized only after fully closed—that is, fully paid, waived or extracted to the bursar. The link to the patron is removed from the Fine/Fee. This is a database removal action that is not reversible. Anonymized fines/fees are reportable by statistical dimensions such as user statistical categories and user group.
- Borrowing and Lending Resource Sharing Requests – Resource sharing requests are anonymized only after their lifecycle is complete, for example when the item has been checked back in. The link to the patron record is removed from the request. This is a database removal action that is not reversible. Anonymized resource sharing requests are reportable by statistical dimensions such as user statistical categories and user group.
What is the impact of anonymization on reporting?
The anonymization process strips relevant fulfillment records of their patron personal information where that information is not required for a current patron service (that is, the record is a historical record), while retaining enough information to be able to meet the auditing and reporting requirements of the libraries. The relevant entities (loans, fees, requests and resource sharing requests) remain fully reportable, but without any information on the linked patron record other than statistical information based on the user’s user group and statistical categories.
Anonymized records have no link to any details of the patron, but remain reportable by statistical dimensions such as user statistical categories and user group.
Which (closed) transactions are anonymized?
- Resource sharing requests
- Logging information - Logging information as a result of batch jobs or processes that include sensitive data (for example, login tries). Log iles with sensitive data can only be accessed by Ex Libris. Jobs information is irreversibly removed from the system a year after it has been created.
- E-Mails - Emails remain attached to the user record. When the user record is purged from the system, all attached information is purged, including the attached emails. Purging of user data is fully controlled by the library.
Is it possible to activate the anonymization of closed resource sharing requests, loans, fees and overdue fees procedures separately?
Yes. Anonymization is configured on the Fulfillment Jobs Configuration page (Configuration Menu > Fulfillment > General > Fulfillment Jobs Configuration).
Fulfillment Jobs Configuration
As is evident from this screen, the library may decide which element to anonymize, independently of any other element that may be anonymized.
Is it possible to anonymize or delete sent emails? If yes, please explain.
By default, letters sent by Alma are retained indefinitely and available on the Attachments tab of the User Details. When the user record is purged from the system, all attached information is purged, including the attached emails. You may also define a letter retention policy to delete sent letters after a certain number of days. See Setting Letter Retention Periods.
How are hold requests managed in the context of anonymization?
Anonymizing of hold requests may be switched off by using the should_anonymize_requests parameter (Fulfillment > Fulfillment Configuration > Configuration Menu > General > Other Settings). If this parameter is set to true (the default option), when a request is added to the request history, the requester ID does not appear in the history details (it will be null). If this parameter is set to false, the requester ID is visible.
How is the ETL process affected by anonymization?
The Alma Analytics database is populated by ongoing feeds from Alma’s operational database. This process is referred to as ETL – Extract, Transfer and Load. The implication of this is that all data in Analytics is an exact reflection of the operational data that is used in Alma. Therefore, data that is anonymized in Alma is reportable in Analytics only in its anonymized format.
Can loans be anonymized based on rules, with sensitivity to different parameters?
You can enable anonymization rules to determine which loans, requests, and fines and fees are anonymized. See Configuring Anonymization.
Is it true that closed loans with unpaid fees cannot be anonymized?
Yes. Loans with unpaid fees are not anonymized because they still await processing (paying the fines). Keeping them linked to the patron is necessary for functional reasons—for example, for dispute handling. All Alma libraries are currently using the loans anonymization in this manner.
If data is anonyomized, is it possible to enable the user to see historical loans in Primo?
Primo allows patrons to view their historical loans using the List of Historical Loans.
List of Historical Loans
This option relies on Alma retaining the borrower information in the historical loan records. Obviously, this will only be possible if anonymization is not turned on in Alma. Activating anonymization removes all links to the borrower user record from the loan record and prevents the system from being able to link historical data with the patron.
Which type of user data is required in Alma?
Alma requires one unique ID in order to enable the linkage between the Alma user record and the institutional student information system. This may be any unique ID, not necessarily the patron barcode. Other data elements are not required, but where they are defined, they are used by the system to provide library services. For example:
Email address is not mandatory but is used by Alma to enable the sending of library notices, such as overdue letters and courtesy notices. If there is no email in the system, Alma will not be able to send these notices.
Phone number is not mandatory, but is used by Alma to send SMS messages to the patron. If there is no phone number in the system, Alma will not be able to send these SMS messages.
Additional identifiers are not mandatory, but may be used by Alma where they are defined to facilitate links to other integrated systems, such as a bursar system.
User group indication is used to facilitate fulfillment rules. The fulfillment rules are based on the user group, and can be implemented only when user group indications are assigned to the user record.
What tools does Alma supply for an institution that needs to abide by duty of disclosure?
The vast majority of user information in Alma is imported from the student information system, which serves as the master system of user information in the library. All user information may therefore be retrieved from that system. That said, some users may be created in Alma unlinked to any external student information record (for example: visiting researchers, alumni).
All user records in Alma may be exported via Analytics in bulk as per required filters, such as per given user groups. Specific records may be retrieved via APIs based on known IDs. The retrieved information may include fulfillment information such as open loans, fees and requests, or even historical ones if they have not been anonymized.
In addition, Alma supports a range of RESTful APIs that may be used to retrieve that information. Please refer to the Ex Libris Developer Network for full information about Alma’s user APIs.
Who can access the audit trail report in Alma Analytics?
Any user with an Analytics designer role has access to all Analytics reports. Other users may be granted permission to view specific reports as well.
How can the library get access to logs of activities of Ex Libris employees?
This is done via the login report. The login report shows the login actions of all users, including those of Ex Libris staff. Below is an example of this report:
Staff Login Report
How does Alma monitor unauthorized access to data?
Access to data is limited by Alma to users with appropriate roles only. Users with improper roles cannot use the Alma UI to view restricted data.
An Analytics report shows which user's address and phone information has been viewed and when. See the example below:
Access to Data Report
How does Alma log changes in user data?
User data changes use a similar auditing method as in other areas of the system. The audit tab records all changes in the record in a sorted manner, detailing the type of change. Below is an example of a user's audit log:
User Detail Audit Tab
Changes in loan information are recorded and accessible to authorized staff in the system, see example below:
Loan Audit Trail
Another example is for changes in a fine or fee’s status:
Fine and Fees Details
Who in Ex Libris has access to customer data?
According to contracts and procedures, the customer is in full control of the data and Ex Libris is not permitted to perform any transfers to third parties. Ex Libris is permitted to use its global affiliates to perform support services. This access by the Ex Libris affiliates is in accordance to contracts and data protection directives.
What is the retention period of history data?
History records are maintained indefinitely unless requested to be deleted/anonymized. Each institution can decide on the anonymization/retention period according to its needs.