
    Ex Libris Information Security Policy

    Version 1.7

    Purpose and Scope

    Ex Libris, part of Clarivate, is committed to protecting our systems, information, and our customers’ information. The purpose of this policy is to provide a security framework based on ISO 27002 that will ensure the protection of Ex Libris information from unauthorized access, loss or damage.

    This policy applies to all Ex Libris employees and to all other individuals and entities granted use of Ex Libris information, including, but not limited to, contractors and temporary employees. Information may be verbal, digital, and/or hardcopy, individually controlled or shared, stand-alone or networked.

    Terms and Acronyms

    Vulnerability: Weakness that can be exploited by one or more threats.

    Control: Means of managing risk, including policies, procedures and standards.

    Information security: Preservation of confidentiality, integrity and availability of information.

    Personal data: All information about a person.

    Risk: Combination of the probability of an event and its consequences.

    Threat: Potential cause of an unwanted incident, which may result in harm to a system.

    Information Security Policy


    Ex Libris will perform a risk assessment at least annually, based on NIST standard SP 800-30, that identifies, quantifies, and prioritizes risks.

    Classification of Information

    Ex Libris information will be classified into one of the following three classification levels:

    • Public
    • Internal Use Only
    • Confidential

    Classification and handling requirements are defined in the Ex Libris Data Classification Policy.

    Access Control

    Access to information is based on the concept of ‘least privilege’. 
    Access control requirements are defined in the Ex Libris Access Control Policy.

    Security Patches and Vulnerability Assessments

    Patches, updates, and service packs will be verified and tested before they are released.
    Security vulnerabilities will be communicated, evaluated, and analyzed following the Ex Libris Security Patches and Vulnerability Assessments Policy.

    Passwords are created and used as required in the Ex Libris Password Management Policy.

    Data Encryption

    Ex Libris uses industry standards to encrypt personal data in transit and at rest.

    Data Destruction

    Ex Libris destroys data based on NIST 800-88.

    Human Resources

    • Ex Libris policies are communicated by Human Resources.
    • Job descriptions will include information security responsibilities.
    • Prior to employment, as allowed by law, individuals will be vetted and background checks will be performed for staff in critical positions, including positions with access to customer information.
    • All employees will sign confidentiality agreements as part of the employment process.
    • Segregation of duties will be implemented, as appropriate, to reduce the risk of negligent or deliberate system misuse.

    Business Continuity

    Business continuity and disaster recovery plans are based on ISO 22301.
    See Ex Libris Cloud Services BCP for additional information.

    Configuration Management

    System and hardware configurations are defined, secured, and documented based on ITIL and best practice standards.

    Network Operations

    The Ex Libris network will be secured both physically and logically (network segmentation).

    Physical Security

    Ex Libris systems will be housed in secure areas that are appropriately protected.

    Continuous Monitoring of Security Controls

    Continuous monitoring of security controls will be performed through security checks, security reviews, application security vulnerability assessment scans, and network vulnerability scans.

    Asset Management

    • Ex Libris assets are managed based on ITIL principles.
    • An owner is assigned to each Ex Libris asset.
    • The asset owner is responsible for the maintenance and protection of the asset.

    Change Management

    Ex Libris change management is based on the IT Infrastructure Library (ITIL) methodology for change management.
    Change management requirements are detailed in Welcome to the Ex Libris Cloud.

    Security and Privacy Awareness Training

    Security awareness training is provided annually as part of the employee life cycle.

    Security and Privacy Incident Response

    Security and/or privacy incident response will be performed as documented in the Ex Libris Security and Privacy Incident Response Policy.


    The Ex Libris Chief Information Security Officer (CISO) is responsible for compliance with this policy.

    Related Documents


    Record of Changes

    Type of Information Document Data

    Document Title: Ex Libris Information Security Policy

    Document Owner: Eddie Lavian - Ex Libris Security Specialist

    Approved by: Tomer Shemesh - Ex Libris Chief Information Security Officer (CISO)

    Apr 26, 2018

    Reviewed & Revised: Aug 25, 2022


    Revision Control

    Version Number Nature of Change Date Approved


    Initial version - Apr 26, 2018

    Updated – Tomer S - May 10, 2018

    Updated – Tomer S - Jul 22, 2018

    Updated – Tomer S - Jun 5, 2019

    Reviewed - Tomer S - Sept 21, 2020

    Reviewed - Tomer S - Mar 24, 2021

    Reviewed - Tomer S - Aug 01, 2021

    1.7 - Review and Update - Shai B - Aug 25, 2022

    Document Distribution and Review

    The document owner will distribute this document to all approvers when it is first created and as changes or updates are made. This document will be reviewed and updated annually or upon written request by an approver or stakeholder. Questions or feedback about this document can be directed to the owner or a listed approver.