
    Ex Libris Information Security Policy

    Version 1.1
    Newer version available.

    Purpose and Scope

    Ex Libris, a ProQuest Company, is committed to protecting our systems, information, and our customers’ information.  The purpose of this policy is to provide a security framework based on ISO 27002 that will ensure the protection of Ex Libris information from unauthorized access, loss or damage.

    This policy applies to all Ex Libris employees and to all other individuals and entities granted use of Ex Libris information, including, but not limited to, contractors and temporary employees.  Information may be verbal, digital, and/or hardcopy, individually-controlled or shared, stand-alone or networked.

    Terms and Acronyms

    Vulnerability:  Weakness that can be exploited by one or more threats.
    Control:  Means of managing risk, including policies, procedures and standards.

    Information security: Preservation of confidentiality, integrity and availability of information.

    Personal data:  All information about a person.

    Risk: Combination of the probability of an event and its consequences.

    Threat:  Potential cause of an unwanted incident, which may result in harm to a system.

    Information Security Policy

    Risk

    Ex Libris will perform risk assessments, at least annually and based on NIST standard SP 800-30, that identify, quantify, and prioritize risks.

    Classification of Information

    Ex Libris information will be classified into one of the following three classification levels:

    • Public
    • Internal Use Only
    • Confidential

    Classification and handling requirements are defined in the Ex Libris Data Classification Policy.

    Access Control

    Access to information is based on the concept of ‘least privilege.’  Access control requirements are defined in the Ex Libris Access Control Policy.

    Encryption

    Ex Libris will maintain the accuracy, integrity and confidentiality of personal and confidential data.  See the section “Personal Data at Rest.”

    Data Destruction

    Ex Libris destroys data based on NIST 800-88.

    Human Resources

    • Ex Libris policies are communicated by Human Resources.
    • Job descriptions will include information security responsibilities.
    • Prior to employment, as allowed by law, individuals will be vetted and background checks performed for staff in critical positions, including positions with access to customer information.
    • All employees will sign confidentiality agreements as part of the employment process.
    • Segregation of duties will be implemented, where appropriate, to reduce the risk of negligent or deliberate system misuse.

    Business Continuity

    Business continuity and disaster recovery plans are based on ISO 22301 and are implemented.

    Configuration Management

    System and hardware configurations are defined, secured, and documented based on ITIL and best practice standards.

    Network Operations

    The Ex Libris network will be secured both physically and logically (network segmentation).

    Physical Security

    Ex Libris systems will be housed in secure areas that are appropriately protected.

    Asset Management

    • Ex Libris assets are managed based on ITIL principles.
    • An owner is assigned to each Ex Libris asset.
    • The asset owner is responsible for the maintenance and protection of the asset.

    Change Management

    Ex Libris change management is based on the IT Infrastructure Library (ITIL) methodology for change management.  Change management requirements are detailed in Welcome to the Ex Libris Cloud.

    Security and Privacy Incident Response

    See Ex Libris Security and Privacy Incident Response Policy.

    Compliance

    The Ex Libris Chief Information Security Officer is responsible for compliance with this policy.

    Related Documents

     

     

    Record of Changes

    Type of Information    Document Data
    Document Title:        Ex Libris Information Security Policy
    Document Owner:        Ellen Amsel - Ex Libris Privacy & Regulation Officer & DPO
    Approved by:           Tomer Shemesh - Ex Libris Chief Information Security Officer (CISO).
    Issued:                Apr 26, 2018
    Reviewed & Revised:    May 10, 2018

    Revision Control

    Version Number    Nature of Change     Date Approved
    1.0               Initial version      Apr 26, 2018
    1.1               Updated – Tomer S    May 10, 2018

    Document Distribution and Review

    The document owner will distribute this document to all approvers when it is first created and as changes or updates are made. This document will be reviewed and updated annually or upon written request by an approver or stakeholder. Questions or feedback about this document can be directed to the owner or a listed approver.

     
