Ex Libris Information Security Policy_1.3
Version 1.3
Purpose and Scope
Ex Libris, a ProQuest Company, is committed to protecting our systems, information, and our customers’ information. The purpose of this policy is to provide a security framework based on ISO 27002 that will ensure the protection of Ex Libris information from unauthorized access, loss or damage.
This policy applies to all Ex Libris employees and to all other individuals and entities granted use of Ex Libris information, including, but not limited to contractors and temporary employees. Information may be verbal, digital, and/or hardcopy, individually-controlled or shared, stand-alone or networked.
Terms and Acronyms
Vulnerability: Weakness that can be exploited by one or more threats.
Control: Means of managing risk, including policies, procedures and standards.
Information security: Preservation of confidentiality, integrity and availability of information.
Personal data: All information about a person.
Risk: Combination of the probability of an event and its consequences.
Threat: Potential cause of an unwanted incident, which may result in harm to a system.
Information Security Policy
Risk
Ex Libris will perform risk assessment at least annually based on NIST standard SP 800-30 that identify, quantify, and prioritize risks.
Classification of Information
Ex Libris information will be classified into one of the following three classification levels:
- Public
- Internal Use Only
- Confidential
Classification and handling requirements are defined in The Ex Libris Data Classification Policy.
Access Control
Access to information is based on the concept of ‘least privilege’.
Access control requirements are defined in the Ex Libris Access Control Policy.
IT Security
Security Patches and Vulnerability Assessments
Patches, updates, and service packs will be verified and tested before they are released.
Security vulnerability will be communicated, evaluated and analyzed following the Ex Libris Security Patches and Vulnerability Assessments Policy.
Passwords are created and used as required in the Ex Libris Password Management Policy.
Data Encryption
Ex Libris uses industry standards to encrypt personal data in transit and at rest.
Data Destruction
Ex Libris destroys data based on NIST 800-88.
Human Resources
- Ex Libris policies are communicated by Human Resources.
- Job descriptions will include information security responsibilities.
- Prior to employment, as allowed by law, individuals will be vetted and background checks will be performed for staff in critical positions, including positions with access to customer information.
- All employees will sign confidentiality agreements as part of the employment process.
- Segregation of duties will be implemented, as appropriate to reduce the risk of negligent or deliberate system misuse.
Business Continuity
Business continuity and disaster recovery plans are based on ISO 22301.
See Ex Libris Cloud Services BCP for additional information.
Configuration Management
System and hardware configurations are defined, secured, and documented based on ITIL and best practice standards.
Network Operations
The Ex Libris network will be secured both physically and logically (network segmentation).
Physical Security
Ex Libris systems will be housed in security areas that are appropriately protected.
Continuous monitoring of security controls
Continuous monitoring of security controls will be performed through security checks, security reviews, application security vulnerability assessment scans and scans of network vulnerabilities.
Asset Management
- Ex Libris assets are managed based on ITIL principles.
- An owner is assigned to each Ex Libris asset.
- The asset owner is responsible for the maintenance and protection of the asset.
Change Management
Ex Libris change management is based on the IT Infrastructure Library (ITIL) methodology for change management.
Change management requirements are detailed in Welcome to the Ex Libris Cloud.
Security and Privacy awareness training
Security training and awareness is provided annually as part of the employee life cycle.
Security and Privacy Incident Response
Security and/or privacy incidents response will be performed as documented in the Ex Libris Security and Privacy Incident Response Policy.
Compliance
The Ex Libris Chief Information Security Officer (CISO) is responsible for compliance with this policy.
Related Documents
- Ex Libris Password Management Policy
- Ex Libris Access Control Policy
- Ex Libris Privacy Policy
- Ex Libris Data classification Policy
- Welcome to the Ex Libris Cloud
- ISO 27001:2013 Control Standards
- ISO 27018:2014 Control Standards
- ISO 22301 Control Standards
- Ex Libris Security and Privacy Incident Response Policy
- Ex Libris Cloud Services Business Continuity Plan Policy
- Ex Libris Security Patches and Vulnerability Assessments Policy
- Ex Libris IT Security Policy
Record of Changes
| Type of Information | Document Data |
|---|---|
|
Document Title: |
Ex Libris Information Security Policy |
|
Document Owner: |
Ellen Amsel -Ex Libris Privacy & Regulation Officer & DPO |
|
Approved by: |
Tomer Shemesh - Ex Libris Chief Information Security Officer (CISO). |
|
Issued: |
Apr 26, 2018 |
|
Reviewed & Revised: |
Jun 5, 2019 |
Revision Control
| Version Number | Nature of Change | Date Approved |
|---|---|---|
|
1.0 |
Initial version |
Apr 26, 2018 |
|
Updated – Tomer S |
May 10, 2018 |
|
|
Updated – Tomer S |
Jul 22, 2018 |
|
|
1.3 |
Updated – Tomer S |
Jun 5, 2019 |
Document Distribution and Review
The document owner will distribute this document to all approvers when it is first created and as changes or updates are made. This document will be reviewed and updated annually or upon written request by an approver or stakeholder. Questions or feedback about this document can be directed to the owner or a listed approver