Ex Libris IT Security Policy
Version 2.4
Purpose and Scope
The purpose of this document is to define clear rules for the use of the information systems and other information assets in Ex Libris. This policy applies to all Ex Libris information systems and users of Ex Libris information systems including employees, students, contractors, or other third party users.
Appropriate safeguarding mechanisms must be exercised to keep IT resources and information secure and protected from loss, unauthorized access and misuse; for example, the user shall keep all passwords and access data safe and secure.
Reference Documents
Definitions
Information systems – the systems that store the assets, including all servers and clients, network infrastructure, system and application software, data, and other computer subsystems and components that are owned, used or are under Ex Libris responsibility (either installed on premise or provided as a service).
Information assets – any information – electronic or hard copy.
Policy
Acceptable Use
Information assets are used for business needs. Incidental personal use is permitted. If you require resources that exceed normal capacity requirements, you must request the additional resources in advance with a Helpdesk ticket.
Installation of New Software/Applications
Any new software or application must be downloaded and installed only from the Application Catalog. All new software requests for installation are handled by IT/MIS support. IT/MIS is responsible for purchasing software and for maintaining the Application Catalog. This will ensure that all installed software is compliant with Ex Libris security and licensing requirements.
Responsibility for Assets
Each physical asset has an owner designated in the Inventory of Assets. The asset owner is also responsible for the information stored in the asset, in accordance with the Ex Libris Data Classification Policy.
Prohibited Activities
To maintain security and privacy protection and to prevent new security risks, you may not:
- Bypass or disable Ex Libris security controls and protections.
- Install software that was not approved by IT/MIS or is not in the Application Catalog.
- Download program code from external media that was not scanned and approved by IT/MIS.
- Perform port scanning or security scanning unless prior notification to the Ex Libris Chief Information Security Officer (CISO) is made.
- Interfere with or deny service to any user other than the employee's host (for example, denial of service attack).
- Connect external storage media, memory cards, and other devices for storing and reading data (e.g., USB flash drives) without explicit permission from IT/MIS team or the Ex Libris Chief Information Security Officer (CISO).
Use of Removable Media
The use of removable media is prohibited. Where there is a business case for using removable media, contact IT/MIS Support. Use of removable media also requires Ex Libris Chief Information Security Officer (CISO) approval.
Taking Assets Off-Site
Equipment, information and software, regardless of its form or storage medium, must always be kept physically secure and controlled, in accordance with Ex Libris Data Classification Policy.
Return of Assets upon Termination of Contract
Upon termination of an employment contract or other contract, all equipment, information and software must be returned to IT/MIS Support Department as part of the termination process.
Backups
Ex Libris files must be located on the department SharePoint sites or the employee’s OneDrive to ensure that the data is backed up on a regular basis as part of Ex Libris standard business practices. Ex Libris-issued workstations are not backed up. It is the user's responsibility to ensure that data is not located on local drives. Department SharePoint sites and employees’ OneDrive are backed up as defined in Ex Libris backup procedures.
The use of unapproved external storage methods such as Dropbox, Google Drive etc. is not permitted.
Antivirus Protection
Antivirus software must be installed and activated on each computer with automatic updates enabled. Personnel should not connect devices to company networks unless such devices are protected with the current corporate standard anti-malware software. It is prohibited to uninstall or disable antivirus software. Employees are required to comply with actions for software patching and virus control directives as issued by the company.
Personnel must not knowingly disable or overload any computer system or network or circumvent any system security intended to protect the privacy or security of another employee or contractor.
Authorizations for Information System Use
Access to information systems and assets is restricted to individuals who have been explicitly granted access. Permissions are set by the IT team and are based on the user’s job responsibilities.
Administrator and power user rights are granted based on "least privilege" and "need to know" principles. Users may not bypass information system security controls.
User Account Responsibilities
Users may not share their credentials or access privileges with others. The owner of the user account is responsible for all transactions performed through the user account.
Password Requirements
When selecting passwords, users must adhere to the Ex Libris Password Management Policy. This includes:
- Appropriate password complexity.
- Password minimum length.
- Password retention.
- Password age.
- Password history.
Clear Desk and Clear Screen
Employees are required to ensure that all information in hardcopy or electronic form is secure in their work area at the end of the day and when they expect to be out of the office for an extended period, in accordance with Ex Libris Data Classification policy.
- Keys used for access to restricted or sensitive information must not be left at an unattended desk.
- Documents must be stored in a secure manner, based on their data classification level.
- Documents must be removed from desk and printers to prevent unauthorized access.
- During known extended periods away from the desk, such as a lunch break, workstations/laptops must be locked, and sensitive working papers must be placed in locked drawers.
- Computer workstations must be locked at the end of the work day.
- Any Ex Libris restricted and sensitive information must be removed from the desk and locked when users are not present at their desk.
- Documents and other media classified as Confidential must be stored in a secure manner in accordance with the Data Classification Policy.
Internet Use
Ex Libris web security protection may block access to some internet pages for individual users, groups of users, or all employees at the organization. If access to web pages is blocked, the user may submit a written request to IT/MIS Support for authorization to access such pages. The user may not try to bypass such restrictions on their own.
Use of internet/intranet and e-mail may be subject to monitoring. Users may also be limited in their use of such resources. The user must regard any information received through the internet as unverified or unreliable. Such information may be used for business purposes only after its authenticity and correctness has been verified.
The user will not:
- Visit Internet sites that contain obscene, hateful, or other objectionable materials.
- Make or post indecent remarks, proposals, or materials on the internet.
- Attribute personal statements, opinions or beliefs to Ex Libris when engaged in blogging. If an employee is expressing his or her beliefs and/or opinions in blogs, the employee may not, expressly or implicitly, represent themselves as an employee or representative of Ex Libris. Employees assume any and all risk associated with blogging.
- Violate any law pertaining to the handling and disclosure of copyrighted or export controlled materials.
Mobile Computing and Remote Access
Ex Libris employees with Ex Libris equipment that allows them to connect remotely must:
- Always keep the equipment physically secured.
- Use the screen lock feature if the equipment is left unattended and follow the clean desk requirements (above).
- Protect Ex Libris information, both electronic and hardcopy.
- Ensure that Ex Libris files are located on the department SharePoint sites or the employee’s OneDrive only so that the data can be backed up.
- Ensure that Ex Libris equipment is returned to Ex Libris upon termination of employment.
Personal Computer Usage
When a personal computer is used to access Ex Libris resources (remote desktop connection over Ex Libris VPN), it is the employee’s responsibility to ensure that the computer runs up-to-date antivirus software and a fully patched operating system.
E-mail and Other Messaging Systems
In addition to electronic mail, message exchange methods include downloading files from the Internet, transferring data via Skype, sending SMS text messages, using telephones, fax machines, portable media devices and storage, and forums and social networks.
In accordance with the Data Classification Policy, the Ex Libris CISO determines the communication channel that may be used for each type of data, as well as possible restrictions on who is allowed to use communication channels and defines which activities are forbidden.
It is forbidden to send materials with disturbing, unpleasant, sexually explicit, rude, slanderous or any other unacceptable or illegal content. Users are not allowed to send spam messages. Should a user receive a spam e-mail, he/she must inform IT/MIS Support.
Personnel are not authorized to access the email mailboxes of other employees or contractors except in the course of service and support at the direct request of the user. Exceptions to this rule require prior approval from Human Resources and/or Legal and will be subject to any applicable laws.
Communication systems must not be used to send or receive trade secrets, intellectual property, confidential information, or similarly sensitive data externally without prior authorization from the Application or Service Owner and where required, the Legal department, and only using secure transfer methods approved by the company and in accordance with Ex Libris Data Classification policy.
Copyrights
Violations of the rights of any person or company protected by copyright, trade secret, patent, or other intellectual property laws, or similar laws and regulations, including, but not limited to, the installation or distribution of "pirated" or other software products that are not appropriately licensed for use by Ex Libris, are strictly prohibited.
Unauthorized copying of copyrighted material including, but not limited to, digitization and distribution of photographs from magazines, books, or other copyrighted sources, copyrighted music, and the installation of any copyrighted software for which Ex Libris or the end user does not have an active license is strictly prohibited.
Physical or electronic files may only be sent, received or used for business purposes in accordance with their licenses, copyrights and handling controls as described in the Data Classification Policy. Unauthorized peer to peer file-sharing software is not permitted.
Training
The Ex Libris Chief Information Security Officer will provide training to all employees on all aspects of this IT security policy.
Security Concerns
Each employee, supplier or third person who is in contact with data and/or systems of Ex Libris must report any system weakness, incident, or potential security vulnerability to the Ex Libris Chief Information Security Officer (CISO) at SecurityOfficer@exlibrisgroup.com.
Any security incident or potential security breach involving customer data privacy must be reported immediately to the Privacy and Regulation Officer & DPO at privacy@exlibrisgroup.com.
Policy Enforcement
Failure to comply with this policy may result in disciplinary action, up to and including termination of employment.
Record of Changes
Type of information | Document Data
---|---
Document Title: | Ex Libris IT Security Policy
Document Owner: | Eddie Lavian - Ex Libris Security Specialist
Approved by: | Tomer Shemesh - Ex Libris Chief Information Security Officer (CISO)
Issued: | Nov 13, 2012
Reviewed & Revised: | Aug 29, 2022
Revision Control
Version Number | Nature of Change | Date Approved
---|---|---
1.0 | Initial version | Nov 20, 2012
1.1 | Updated – Tomer S | Jun 16, 2013
1.2 | Updated – Tomer S | Jan 20, 2014
1.3 | Updated – Tomer S | Jan 7, 2015
1.4 | Updated – Tomer S | Jan 27, 2016
 | Updated – Tomer S | Apr 18, 2017
 | Updated – Tomer S | May 14, 2018
 | Updated – Tomer S | Jun 3, 2019
 | Updated – Tomer S | Nov 12, 2020
 | Updated – Tomer S | Jun 14, 2021
2.4 | Updated – Shai B | Aug 29, 2022
Document Distribution and Review
The document owner will distribute this document to all approvers when it is first created and as changes or updates are made. This document will be reviewed and updated annually or upon written request by an approver or stakeholder. Questions or feedback about this document can be directed to the owner or a listed approver.