Newer version available.
Purpose and Scope
Ex Libris, a ProQuest Company, is committed to protecting our systems, information, and our customers’ information. The purpose of this policy is to provide a security framework based on ISO 27002 that will ensure the protection of Ex Libris information from unauthorized access, loss or damage.
This policy applies to all Ex Libris employees and to all other individuals and entities granted use of Ex Libris information, including, but not limited to, contractors and temporary employees. Information may be verbal, digital, and/or hardcopy, individually-controlled or shared, stand-alone or networked.
Terms and Acronyms
Vulnerability: Weakness that can be exploited by one or more threats.
Control: Means of managing risk, including policies, procedures and standards.
Information security: Preservation of confidentiality, integrity and availability of information.
Personal data: All information about a person.
Risk: Combination of the probability of an event and its consequences.
Threat: Potential cause of an unwanted incident, which may result in harm to a system.
Information Security Policy
Ex Libris will perform risk assessments at least annually, based on NIST standard SP 800-30, that identify, quantify, and prioritize risks.
Classification of Information
Ex Libris information will be classified into one of the following three classification levels:
- Internal Use Only
Classification and handling requirements are defined in The Ex Libris Data Classification Policy.
Access to information is based on the concept of ‘least privilege.’ Access control requirements are defined in the Ex Libris Access Control Policy.
Ex Libris will maintain the accuracy, integrity and confidentiality of personal and confidential data. See the section “Personal Data at Rest.”
Ex Libris destroys data based on NIST 800-88.
- Ex Libris policies are communicated by Human Resources.
- Job descriptions will include information security responsibilities.
- Prior to employment, as allowed by law, individuals will be vetted and background checks performed for staff in critical positions, including positions with access to customer information.
- All employees will sign confidentiality agreements as part of the employment process.
- Segregation of duties will be implemented, where appropriate, to reduce the risk of negligent or deliberate system misuse.
Business continuity and disaster recovery plans are based on ISO 22301 and implemented.
System and hardware configurations are defined, secured, and documented based on ITIL and best practice standards.
The Ex Libris network will be secured both physically and logically (network segmentation).
Ex Libris systems will be housed in security areas that are appropriately protected.
- Ex Libris assets are managed based on ITIL principles.
- An owner is assigned to each Ex Libris asset.
- The asset owner is responsible for the maintenance and protection of the asset.
Ex Libris change management is based on the IT Infrastructure Library (ITIL) methodology for change management. Change management requirements are detailed in Welcome to the Ex Libris Cloud.
Security and Privacy Incident Response
The Ex Libris Chief Information Security Officer is responsible for compliance with this policy.
- Ex Libris Password Management Policy
- Ex Libris Access Control Policy
- Ex Libris Data Classification Policy
- Welcome to the Ex Libris Cloud
- ISO 27001:2013 Control Standards
- ISO 27018:2014 Control Standards
- ISO 22301 Control Standards
- Ex Libris Security and Privacy Incident Response Policy
- Ex Libris Cloud Services Business Continuity Plan Policy
- Ex Libris Security Patches and Vulnerability Assessments Policy
- Ex Libris IT Security Policy
Record of Changes
|Type of Information||Document Data|
|Ex Libris Information Security Policy|
|Ellen Amsel - Ex Libris Privacy & Regulation Officer & DPO|
|Tomer Shemesh - Ex Libris Chief Information Security Officer (CISO).|
|Apr 26, 2018|
Reviewed & Revised: May 10, 2018
|Version Number||Nature of Change||Date Approved|
Apr 26, 2018
Updated – Tomer S
May 10, 2018
Document Distribution and Review
The document owner will distribute this document to all approvers when it is first created and as changes or updates are made. This document will be reviewed and updated annually or upon written request by an approver or stakeholder. Questions or feedback about this document can be directed to the owner or a listed approver.