Skip to main content
ExLibris
  • Subscribe by RSS
  • Ex Libris Knowledge Center

    Ex Libris Password Management Policy

    Version 2.3

    Overview

    Ex Libris, a ProQuest company, is committed to providing its customers with a highly secure and reliable environment for hosting and cloud-based applications. To support that commitment, Ex Libris has developed a strict and secure password policy and procedures that cover all aspects of password usage, including hosting and cloud-based Ex Libris systems and services.

    Passwords are an important aspect of computer security. They are the front line of protection for user accounts. A poorly chosen password may result in the compromise of the entire corporate network. For this reason, all individuals that access Ex Libris systems, including employees, contractors, and vendors, are responsible for taking the appropriate steps, as outlined below, to select and secure their passwords.

    Passwords not only protect Ex Libris and its information, but you as well. If somebody uses your account, you may be held responsible for their actions if you revealed your password to that person.

    Purpose

    The purpose of this policy is to establish a standard for the creation of strong passwords, the protection and appropriate use of these passwords, and the frequency with which passwords should be changed.

    Scope

    This policy applies to all individuals who have or are responsible for an account (or any form of access that supports or requires a password) on any system that resides at any Ex Libris facility, has access to the Ex Libris network, or stores Ex Libris information.

    Password Policy

    General

    • All internal Ex Libris system user accounts, such as e-mail, workstation, and server accounts, where passwords are composed of twelve (12) complex characters, will be changed at least every 180 days.  Non-Ex Libris systems, such as third party products, that cannot comply with 12 complex character passwords, must be 8 complex characters long and will be changed at least every 90 days.
    • A user account that has system-level privileges granted through group membership or programs such as 'sudo' must have a password that is different from the password used for all other accounts held by this user
    • Passwords may not be inserted into e-mail messages.
    • All user-level passwords will conform to the password requirements described below.
    • All new user accounts require that the password be changed immediately by ensuring that h the change password next logon option is enabled.
    • All system-level passwords, such as root, NT admin, application administration account, or service account, will be changed at least every 180 days.
    • In a new installation of an Ex Libris product at a customer site, the application password will be changed immediately.
    • When providing an internal application user name/password to an external resource, such as a supplier, external developer, or distributor, a change of password will be performed immediately after the session.

    Password Requirements

    Passwords must be strong and have the following characteristics:

    • Complex:
      • Contain both uppercase and lowercase characters
      • Have digits, punctuation, or Unicode characters as well as letters (for example,  0-9, !@#$%^&*()_+|~-=\`{}[]:";'<>?,./)אßڑ)
    • Must be at least 8 characters long. System passwords must be at least 12 characters long
    • Enforce password history – at least 8 change cycles before a password can be reused 
    • Lockout – user accounts are blocked after 10 consecutive failed password entries
    • Must be a non-trivial combination
    • Must not be a word in any language, slang, dialect, or jargon
    • Must not be based on personal information
    • Must never be written down or stored unencrypted
    • Rename the system-level privileged account name when possible.
    • Do not use the product name or a name that someone can easily guess as the system-level privileged account name.

    In contrast, the following are characteristics of poor passwords and may never be used:

    • The default password
    • A password that is a common usage word such as:
      • Names of family, pets, friends, co-workers, fictional characters, and so forth
      • Computer terms, commands, names of companies, hardware, or software
      • Birthdays and other personal information, such as addresses and phone numbers
      • Word or number patters such as aaabbb, qwerty, zyxwvuts, 123321, and so forth.
      • Any of the above preceded or followed by a digit
      • Any of the above transformed by simple character substitutions (1 for l, @ for a, 3 for E, and so forth)

    Protecting Your Password 

    To protect your password,

    • In general, try to create passwords that can be easily remembered. One way to do this is to create a password based on a song title, affirmation, or other phrase. For example, the phrase might be “This may be one way to remember my password” and the password could be TmB1w2Rmp!  or Tmb1W>rmp@s
    • Do not share your user-level Ex Libris password with anyone, including administrative assistants or Cloud and IT employees (unless you change the password after the problem has been solved).
    • Do not open a case or ticket with your username and password in it. Instead, ask for remote assistance and type the password separately. All user-level and system-level passwords are confidential Ex Libris information. All passwords must be saved on Ex Libris password protection encrypted systems, where available.
    • IIf cloud /IT employees need access to a system using your password, you must reset your password when they have completed the task.
    • Avoid using the Remember Password feature of applications such as PuTTY, SecureCRT, and Internet Explorer.
    • Do not write passwords down and store them in your office or near your workstation.

    If you need to deliver a password:

    • Provide a temporary password by phone and set it so that it must be changed immediately.
    • Be aware of who is around you listening

    If you suspect that an account or password may be compromised, report the incident to the Ex Libris Chief Information Security Officer and immediately change all your passwords on the compromised systems.

    Enforcement of Password Requirements

    Password cracking or guessing may be performed on a semiannual security audit review performed by company Chief Information Security Officer or its delegates. Password cracking or guessing may be performed on an annual security penetration tests performed by external security company and ISO audit process. If a password is guessed or cracked during one of these scans, this will be considered a security violation and will be handled according to the security disciplinary policy.

     

     

    Record of Changes

    Type of Information Document Data

    Document Title:

    Ex Libris Password Management Policy

    Document Owner:

    Tomer Shemesh - Ex Libris Chief Information Security Officer (CISO)

    Approved by:

    Barak Rozenblat - VP Cloud Services

    Issued:

    Mar 1, 2012

    Reviewed & Revised:

    Nov 4, 2020

     

    Revision Control

    Version Number Nature of Change Date Approved

    1.0

    Initial version

    Mar 1, 2012

    1.1

    Updated – Tomer S

    Apr 22, 2013

    1.2

    Updated – Tomer S

    Mar 12, 2014

    1.3

    Review and Update- Tomer S

    Feb 4, 2015

    1.4

    Review and Update- Tomer S

    Apr 11, 2016

    1.5

    Review and Update- Tomer S

    Jul 12, 2017

    2.0

    Review and Update- Tomer S

    Apr 26, 2018

    2.1

    Review and Update- Tomer S

    May 29, 2018

    2.2

    Review and Update- Tomer S

    Jun 3, 2019

    2.3

    Review and Update- Tomer S

    Nov 04, 2020

    Document Distribution and Review

    The document owner will distribute this document to all approvers when it is first created and as changes or updates are made. This document will be reviewed and updated annually or upon written request by an approver or stakeholder. Questions or feedback about this document can be directed to the owner or a listed approver

    • Was this article helpful?