Ex Libris Security And Privacy Incident Response Policy

Purpose and Scope

The purpose of this policy is to ensure that Ex Libris reacts appropriately to any actual or suspected security or privacy event regarding Ex Libris systems and/or data and that all activities are documented for future reference. This policy establishes responsibility and accountability and defines the steps required to ensure that security incidents are identified, contained, investigated, remedied, communicated, and documented.

This policy applies to all systems, personnel, and data at Ex Libris.

Policy Statement

Management responsibilities and processes will be established to ensure a quick, effective, and orderly response to information security and/or privacy incidents. All activities pertaining to the incident will be documented in a Service Now ticket.

Definitions

Security Incident - A security incident is any real or suspected event that may adversely affect the security of Ex Libris cloud information or the systems that process, store, or transmit that information. examples include:

A Security Incident includes, but is not restricted to, the following:

Attempts (either failed or successful) to gain unauthorized access to a system or its data
A system infected with malware, such as a worm, virus, or Trojan horse
Theft, loss, or unauthorized transfer of data to those who are not entitled to receive that data
Unwanted disruption or denial-of-service (DoS) attack
Changes to data or system hardware, firmware, or software without Ex Libris’ knowledge, instruction, or consent

Event Management Kit – Ex Libris for internal use only document for recording details of an event.

SIRT – Security Incident Response Team

CISO – Chief Information Security Officer

Responsibilities

Security Incident Response Team (SIRT)

The SIRT consists of:

Chief Information Security Officer (CISO) - Team Lead
Privacy and Regulation Officer & DPO
VP Product Management
VP Platform and Tech
VP Cloud Services
Chief Operating Officer
President
echnical Support Manager
Cloud Operation Group (COG) Manager
Cloud Engineering Group (CEG) Manager
24 x 7 HUB Manager
BU Development (URM or URD) Director
Global Support Organization (GSO) Director

Responsibilities of the SIRT include:

Coordinating and overseeing the response to incidents in accordance with the requirements of Ex Libris’ security policy and regulatory laws
Minimizing the potential negative impact on Ex Libris and Ex Libris’ customers resulting from such incidents
Determining what type of incident has occurred: security, privacy or both security and privacy
Repairing, or coordinating the repair of, damage caused by the incident
Restoring services to a normalized and a secure state of operation
Preserving evidence of the incident, as appropriate
Providing clear and timely communication to all interested parties
Taking proactive steps to prevent future incidents

Policy Review and Update

This policy and its supporting procedures will be reviewed at least annually and updated as required.

Security and Privacy Incident Response Procedure

Security and privacy incident response includes:

Reporting the initial information regarding how the incident was identified.
Collecting the information around the event to understand what has happened and the impact.
Assessing the event to understand the severity.
Communicating about the event, which includes:
- Communication within the immediate event team.
- Communication within the company, as appropriate.
- Communication with customers, as appropriate.
Containing/limiting the current event
Taking corrective action
Ensuring that complete documentation is available during and after the event.
Documenting the Root Cause of the event
Incident closure
Lessons learned review

Incident Identification

A privacy or security incident is initiated when:

An employee contacts the Information Security Office
A customer notifies Ex Libris of a security issue
An alert is created from the Security Information Event Management (SIEM) system

An incident begins when a security or privacy incident is reported to the Ex Libris Chief Information Security Officer, the Ex Libris Privacy and Regulation Officer, or the VP of Cloud Services. This report could come from an Ex Libris employee, an automated system diagnostic, a customer, or other means.

Customers usually contact the Ex Libris through Salesforce, but can also contact the HUB directly. When the customer contacts Ex Libris regarding a system disruption, the incident will be escalated to the HUB immediately and will include information regarding the disruption.

Documenting the Incident Initially

Based on the information collected below, an immediate determination will be made by the CISO or event manager. If the event involves customer data notify the Privacy and Regulation Officer immediately.

Once an incident is identified, document the following information in an information system.

Information	Description
Customer data affected?	Yes/No (required)
Source	Source of the complaint/issue (e.g., Salesforce ticket, email, individual). Include the following information: Contact information for the incident reporter: Full name, affiliation, organization, e-mail address, phone number and location. If an automated system reported the event: Name of software/product, where the software is installed, physical location of the host, host/CPU ID of the host, network address of the host.
Incident contact information	List contact information for all parties involved in the incident.
Incident timeline	Date/time that the incident was discovered Date/time that the incident was reported Date/time that the incident occurred (if known)
Type of incident	Examples: Compromised system Compromised user credentials Network attacks (DOS, scanning, sniffing) Malware (viruses, worms, trojans) Lost equipment/theft Physical break-in Social engineering Policy violation Unauthorized access to customer data
Detailed description of the incident	System(s) or product(s) affected Description of incident Affected resources and organizations Estimated technical impact of the incident (i.e., data deleted, system crashed, application unavailable) Initial actions taken Cause of incident if known List of evidence gathered Official Common Vulnerabilities (CVE) Individuals contacted
Identification of the host(s)	Source of the incident: List of sources' host names/IP addresses Target of the attack: Host name/IP address (Note: the target of the attack should not be listed for the incidents involving personal data)
Communication	Internal – Ex Libris only External – customers or other parties
Does this incident require notification within 72 hours?	Yes/No (required)
Customer data affected?	Yes/No (required)

Severity Assessment

An incident must be assessed to understand the severity and impact of the event. The following factors should be considered:

Personal information – was personal information affected? This can be customer or employee information.
Service disruption – did the event disrupt service, and if so, who/what was affected?
Has the event been stopped or contained, or is it still on-going?
What is the urgency?

Incident severity will be determined as either high, medium or low. In general, use the following:

Severity	Symptoms
High	Requires immediate remedial action to prevent further compromise of data and adverse impact on network or other systems. Network of system outage with significant impact on the user population or operation of Ex Libris cloud services. High probability of propagation. Probable or actual release or compromise of personal data. Requires immediate remedial action to prevent further compromise of data and adverse impact on network or other systems.
Medium	Some adverse impact on the operation of Ex Libris. Adverse effects are localized or contained, or minimal risk of propagation. No apparent release or compromise of personal data. Remedial but not immediate action is required.
Low	Localized with little or no risk to other systems. Minimal impact on small segment of user population or operation of Ex Libris cloud services. Completely localized with few individuals affected and presenting little or no risk to other system. No loss or compromise of personal data. Remedial action is required.

Severity

Symptoms

High

Requires immediate remedial action to prevent further compromise of data and adverse impact on network or other systems.

Network of system outage with significant impact on the user population or operation of Ex Libris cloud services.
High probability of propagation.
Probable or actual release or compromise of personal data.
Requires immediate remedial action to prevent further compromise of data and adverse impact on network or other systems.

Medium

Some adverse impact on the operation of Ex Libris.

Adverse effects are localized or contained, or minimal risk of propagation.
No apparent release or compromise of personal data.
Remedial but not immediate action is required.

Low

Localized with little or no risk to other systems.

Minimal impact on small segment of user population or operation of Ex Libris cloud services.
Completely localized with few individuals affected and presenting little or no risk to other system.
No loss or compromise of personal data.
Remedial action is required.

Notification/Communication

SIRT Lead will take action to notify the appropriate internal and external parties, as necessary.

Internal Notification (within Ex Libris)

SIRT Lead will issue or direct all internal communications.
SIRT Lead will notify Ex Libris senior management, cloud directors, support directors, and 24x7 HUB of the incident and provide ongoing status reports.
Where applicable, SIRT Lead will notify Ex Libris employees and provide on-going status reports.

External Notification

In the case of a personal data breach, the affected customer(s) will be notified as soon as is reasonably practicable, but no later than twenty-four (24) hours after Ex Libris becomes aware the breach.
For all incidents where external notification is necessary, the notification will include:
- Incident Description (i.e., how it was detected, what occurred, type of security incident(e.g, network attack, worm, phishing) )
- Event Timeline / Chain of Events (e.g, date and time that the problem occurred, that the incident was discovered, that the problem was corrected, etc.)
- Root Cause Analysis
- Identified Gaps
- Action Performed and Preventative Measures
- Lessons Learned
For personal data breaches, refer to Procedure for Personal Data Breach.
For incidents caused by an Ex Libris product or a third-party product a Security Advisory must be written and published to the Customer Knowledge Center.
Once the incident is resolved and documented, if appropriate, a report will be sent to the affected external party describing the root cause analysis results, corrective measures implemented, and any additional pertinent information.

Containment

The objective is to prevent the incident from continuing. This is accomplished by:

Isolating the incident to prevent it from spreading further.
Putting measures in place to stop the immediate threat.
Preventing further damage to the compromised system and/or data.

Incident containment activities in a case of unauthorized access include, but are not restricted to, the following:

Disconnect the system or hosts from the network or access other system.
Isolate the affected IP address from the network.
Where possible, capture and preserve system, host, and application logs, network flows for review.
Disable the affected application(s).
Discontinue or disable remote access.
Stop services or close ports that are contributing to the incident.
Power off the host(s), if unable to otherwise isolate.
Notify SIRT of statues and any action take.

Note: Information pertaining to the incident should be kept confidential until the incident is resolved, at which point the classification of the information will be reconsidered.

Corrective Measures

After the incident is contained, a plan should be developed and implemented to correct the cause of the incident. This is accomplished by:

Identifying the root cause of the incident
Taking the necessary actions to prevent the incident from recurring
Securing the Ex Libris cloud environment
Restoring the Ex Libris cloud environment to its normal state

Corrective activities in a case of unauthorized access include, but are not restricted to, the following:

Change passwords/passphrases on all local user and administrator accounts or otherwise disable the accounts as appropriate.
Change passwords/passphrases for all administrator accounts where the account uses the same password/passphrase across multiple appliances or systems (servers, firewalls, routers).
Rebuild systems to a secure state.
Restore systems with data known to be of high integrity.
Modify access control lists as deemed appropriate.
Implement IP-range filtering as deemed appropriate.
Modify/implement firewall rule sets as deemed appropriate.
Make all personnel “security aware”.
Monitor/scan systems to ensure problems have been resolved.
Notify SIRT of status and any action taken.

Lessons Learned Review

After the incident has been managed and corrective actions have been implemented, a review of lessons learned will be performed within a one week period.

Incident Closure

All incident activities, from receipt of the initial report through Lessons Learned Review, will be documented in a ticketing system. The SIRT Lead will ensure that all the activities regarding the incident are recorded and will organize the lessons learned review.

Procedure for Handling Notification of Personal Data Breach

When it is determined that personal data is involved, the Privacy and Regulation Officer will immediately notify the President of Ex Libris, the Chief Operating Officer, and Ex Libris General Counsel.
- If further analysis confirms that personal data was not breached, no additional special actions are required. Normal incident response process should continue.

When the analysis identifies what personal data was breached, the Privacy and Regulations officer will convene a meeting immediately to:
- Determine the exact scope of the personal data breach (which individuals were affected and what data was compromised)
- Determine which customers need to be notified and the method for notification.
  - Provide affected customer(s) with a description of the breach.
  - Where appropriate, assist the customer(s) as needed.

· When customer data has been breached, the customer will be called personally to notify them.

Document in detail in a ticketing system what actions were taken, including who was notified.

Notification for a Personal Data Breach

All notifications regarding a personal data breach will be developed in conjunction with Legal.

Compliance

Failure to comply with this policy will result in disciplinary action up to and including termination of employment.

Appendix 1- Post-Incident Report

Incident Salesforce ID Number: YYYYYYY

Incident Severity:

Incident Title:

Incident Manager (name, title, e-mail, phone):

Date of Initial Suspicious/Malicious Activity:

Date Incident Reported:

Date Incident Fully Contained:

Post-Incident Review Session:

Date:

Participants:

Date Incident Response Completed:

Post-Incident Report Submitted by (name, title, e-mail, phone):

Post-Incident Report distributed to:

Date Post-Incident Report Submitted:

Incident Overview:

Provide a general overview of what happened, indicating how the security incident occurred and the scope of the incident

(for example, who was affected, what systems were compromised, the dates of major milestones, etc.). Detailed information, such as a timeline, may be added to the end of the report as appendices.

Incident Detection:

Briefly describe how the incident was first discovered (when, how, and by whom).

Incident Containment & Corrective Measures:

Describe how the incident was contained (prevented from spreading and/or doing further damage) and eradicated (removed from infected hosts). Also describe recovery activities.

Incident Notification:

If the incident involved the breach of, or suspected breach of personal data that requires notification, describe how and when the affected customers were notified.

Incident Follow-Up:

Identify steps taken to prevent future incidents, lessons learned, and any other recommendations resulting from the incident and the post-incident review session.

A. Steps Taken to Prevent Future Incidents

B. Lessons Learned

C. Other Recommendations

Appendices:

Attach any other relevant information about the incident that should be archived.

Appendix 2 - Data Breach Notification Form to Customers and Data Subject

From: Ex Libris

To: [Affected data subject name and address – Customer Name]

Sent by:

• Email

• Phone

_______________________________________________________________________________________

Dear customer, we regret to inform you that on [date] we have discovered that we have been the subject of a personal data

______________________________________________________________________________________

As a result of the above mentioned personal data breach, the personal data concerning you might have been:

• Disclosed

• Destroyed

• Lost

• Modified

• Accessed

• Other [please specify other possible results]
By unauthorized persons.

______________________________________________________________________________________

The following measures have been taken/will be taken to address the data breach:

[list all the measures taken such as: we have moved the data base to a secure location, we have reviewed and strengthened the security measures; we have encrypted our data bases, etc]

______________________________________________________________________________________

If you have any questions or concerns regarding to the data breach, you can contact our Privacy and Regulation Officer & DPO, Daniel Friedman by email at privacy@exlibrisgroup.com, or by post at Bldg. 9, Malcha Technological Park Jerusalem, Israel 9695809

Appendix 3 - Data Breach Notification Form to the Supervisory Authority

From: Ex Libris

To: [name and address of the Supervisory authority]

Sent by:

• Post

• Email

• Other

_______________________________________________________________________________________

Please be informed that on [date] we suffered a data breach that consisted of:

[Please fill in with the data of the occurrence of the data breach, Insert details of the nature of the data breach and a description].

_______________________________________________________________________________________

Following the data breach, the following personal data were affected: [e.g. names, contact details, accounts, etc].

_______________________________________________________________________________________

We estimate that around [estimated] data subjects and [estimated] records were affected by the data breach.

_______________________________________________________________________________________

We believe that the personal data breach might have the following consequences:

[list all possible consequences such as: you might be subject to unsolicited emails; you might be subject to phishing attempts; you might be subject to fraud attempts, etc]

_______________________________________________________________________________________

The following measures have been taken/will be taken to address the data breach:

[list all the measures taken such as: we have moved the data base to a secure location, we have reviewed and strengthened the security measures; we have encrypted our data bases, etc].

_______________________________________________________________________________________

If you have any questions or concerns regarding to the data breach, you can contact our Privacy and Regulation Officer & DPO, Daniel Friedman by email at privacy@exlibrisgroup.com, or by post at Bldg. 9, Malcha Technological Park Jerusalem, Israel 9695809

Record of Changes

Type of Information	Document Data
Document Title:	Ex Libris’ Security and Privacy Incident Response Policy
Document Owner:	Tomer Shemesh - Ex Libris Chief Information Security Officer (CISO)
Approved by:	Barak Rozenblat - VP Cloud Services
Issued:	Apr 21, 2013
Reviewed & Revised:	Aug 25, 2021

Revision Control

Version Number	Nature of Change	Date Approved
1.0	Initial version	Apr 21, 2013
1.1	Updated – Tomer S	May 6, 2014
1.2	Updated – Tomer S	Apr 19, 2015
1.3	Review and Update- Tomer S	Feb 4, 2016
1.4	Review and Update- Tomer S	Jul 13, 2017
2.0	Review and Update- Tomer S	14-Feb-018Apr 26, 2018
2.1	Review and Update- Tomer S	Jul 17, 2019
2.2	Review and Update- Tomer S	Nov 05, 2020
2.3	Review and Update- Tomer S	Aug 25, 2021

Document Distribution and Review

The document owner will distribute this document to all approvers when it is first created and as changes or updates are made. This document will be reviewed and updated annually or upon written request by an approver or stakeholder. Questions or feedback about this document can be directed to the owner or a listed approver