Purpose and scope
The purpose of this document is to define clear rules for the use of the information systems and other information assets in Ex Libris. This policy applies to all Ex Libris information systems and users of Ex Libris information systems including employees, students, contractors, or other third party users.
Information systems – the systems that store the assets, including all servers and clients, network infrastructure, system and application software, data, and other computer subsystems and components that are owned or used by Ex Libris or are under Ex Libris responsibility (either installed on premise or provided as a service).
Information assets – any information – electronic or hard copy.
Information assets are used for business needs. Incidental personal use is permitted. If you require resources that exceed normal capacity requirements, you must request the additional resources in advance with a Helpdesk IT/MIS ticket.
Installation of New Software/Applications
Any new software or application must be downloaded and installed only from the Application Catalog. All new software requests for installation are handled by IT/MIS support. IT/MIS is responsible for purchasing software and for maintaining the Application Catalog. This will ensure that all installed software is compliant with Ex Libris requirements regarding security and licensing.
Responsibility for Assets
Each physical asset has an owner designated in the Inventory of Assets. The asset owner is also responsible for the information stored in the asset, in accordance with the Ex Libris data classification policy.
To ensure that the security and privacy protection continues and to prevent new security risks, you may not:
- Bypass or disable Ex Libris security protections.
- Install software that was not approved by IT/MIS or from the Application Catalog.
- Perform port scanning or security scanning unless prior notification to the Ex Libris Chief Information Security Officer (CISO) is made.
- Interfere with or deny service to any user other than the employee's host (for example, denial of service attack).
- Connect external storage media and other devices for storing and reading data (e.g., USB flash drives) without explicit permission from the IT/MIS team or the Ex Libris Chief Information Security Officer (CISO).
Use of Removable Media
The use of removable media is prohibited. Where there is a business case for using removable media, contact IT/MIS Support. Use of removable media also requires Ex Libris Chief Information Security Officer (CISO) approval.
Taking Assets Off-Site
Equipment, information, and software, regardless of its form or storage medium, must always be kept physically secure and controlled.
Return of Assets upon Termination of Contract
Upon termination of an employment contract or other contract, all equipment, information, and software must be returned to the IT/MIS Support Department as part of the termination process.
Ex Libris files must be located on network drives only to ensure that the data is backed up on a regular basis as part of Ex Libris practices. Ex Libris issued workstations are not backed up.
Antivirus software must be installed and activated on each computer with automatic updates enabled. It is prohibited to uninstall or disable antivirus software.
Authorizations for Information System Use
Access to information systems and assets is restricted to those individuals who have been granted access. Permissions are set by the IT team and are based on the user’s job responsibilities.
Administrator and power user rights are granted based on "least privilege" and "need to know" principles. Users may not bypass information system security controls.
User Account Responsibilities
Users may not share their credentials or access privileges with others. The owner of the user account is responsible for all transactions performed through the user account.
When selecting passwords, you must adhere to the Ex Libris Password Policy. This includes:
- Appropriate password complexity.
- Password minimum length.
- Password retention.
- Password age.
- Password history.
Clear Desk and Clear Screen
Employees are required to ensure that all confidential information in hardcopy or electronic form is secure in their work area at the end of the day and when they expect to be out of the office for an extended period.
- Keys used for access to restricted or sensitive information must not be left at an unattended desk.
- Documents must be stored in a secure manner, based on their data classification level.
- Documents must be removed from your desk and from printers to prevent unauthorized access.
- During known extended periods away from your desk, such as a lunch break, workstations/laptops must be locked and sensitive working papers must be placed in locked drawers.
- Computer workstations must be locked at the end of the work day.
- Any Ex Libris restricted and sensitive information must be removed from your desk and locked when you are not present at your desk.
- Documents and other media classified as Confidential must be stored in a secure manner in accordance with the Data Classification Policy.
The internet may be accessed only through the organization's local network, with the appropriate workstation, infrastructure, and firewall protection. Direct internet access from the Ex Libris local network that bypasses the security infrastructure protections is forbidden.
Ex Libris web security protection may block access to some internet pages for individual users, groups of users, or all employees at the organization. If access to Web pages is blocked, the user may submit a written request to IT/MIS Support for authorization to access such pages. The user may not try to bypass such restrictions autonomously.
Use of internet/intranet and e-mail may be subject to monitoring. Users may also be limited in their use of such resources. The user must regard any information received through the internet as unverified or unreliable. Such information may be used for business purposes only after its authenticity and correctness have been verified.
The user will not:
- Visit Internet sites that contain obscene, hateful, or other objectionable materials
- Make or post indecent remarks, proposals, or materials on the internet
- Attribute personal statements, opinions or beliefs to Ex Libris when engaged in blogging. If an employee is expressing his or her beliefs and/or opinions in blogs, the employee may not, expressly or implicitly, represent themselves as an employee or representative of Ex Libris. Employees assume any and all risk associated with blogging.
- Violate any law pertaining to the handling and disclosure of copyrighted or export controlled materials.
Mobile Computing and Remote Access
For those Ex Libris employees with Ex Libris equipment that allows them to connect remotely, the employee must:
- Be the only person using the equipment
- Keep the equipment physically secured at all times
- Use the screen lock feature if the equipment is left unattended and follow the clean desk requirements (above)
- Protect Ex Libris information, both electronic and hardcopy
- Use the Ex Libris VPN where only public internet is available, including for browsing the internet
- Ensure that Ex Libris files are located on network drives only so that the data can be backed up
- Ensure that the Ex Libris equipment is returned to Ex Libris upon termination of employment
E-mail and Other Messaging Systems
Message exchange methods other than electronic mail also include downloading files from the Internet, using an e-mail system, transferring data via Skype, sending SMS text messages, using telephones, fax machines, portable media devices and storage, and forums and social networks.
In accordance with the Data Classification Policy, the Ex Libris CISO determines the communication channel that may be used for each type of data, as well as possible restrictions on who is allowed to use communication channels, and defines which activities are forbidden.
It is forbidden to send materials with disturbing, unpleasant, sexually explicit, rude, slanderous, or any other unacceptable or illegal content. Users must not send spam messages.
Should a user receive a spam e-mail, he/she must inform IT/MIS Support.
Violations of the rights of any person or company protected by copyright, trade secret, patent, or other intellectual property laws, or similar laws and regulations, including, but not limited to, the installation or distribution of "pirated" or other software products that are not appropriately licensed for use by Ex Libris, are strictly prohibited.
Unauthorized copying of copyrighted material including, but not limited to, digitization and distribution of photographs from magazines, books, or other copyrighted sources, copyrighted music, and the installation of any copyrighted software for which Ex Libris or the end user does not have an active license is strictly prohibited.
The Ex Libris Chief Information Security Officer (CISO) will provide training to all employees on all aspects of this IT security policy.
Each employee, supplier or third person who is in contact with data and/or systems of Ex Libris must report any system weakness, incident, or any potential security vulnerability to the Ex Libris Chief Information Security Officer (CISO) at SecurityOfficer@exlibrisgroup.com.
Any security incident or any potential security breach in customer data privacy identified must be reported to the Privacy and Regulation Officer & DPO at email@example.com immediately.
Any system weakness, incident, or potential security vulnerability noted must be reported to the Ex Libris Chief Information Security Officer (CISO) at SecurityOfficer@exlibrisgroup.com.
Any employee found to have wilfully or intentionally violated this policy may be subject to disciplinary action, up to and including termination of employment.
Record of Changes
|Type of information|Document Data|
| |Ex Libris IT Security Policy|
| |Tomer Shemesh - Ex Libris Chief Information Security Officer (CISO)|
| |Eyal Alkalay – Ex Libris Sr. Director of Cloud Engineering|
| |Nov 13, 2012|
|Reviewed & Revised:|Apr 18, 2017|
|Version Number|Nature of Change|Date Approved|
| | |Nov 20, 2012|
| |Updated – Tomer S|Jun 16, 2013|
| |Updated – Tomer S|Jan 20, 2014|
| |Updated – Tomer S|Jan 7, 2015|
| |Updated – Tomer S|Jan 27, 2016|
| |Updated – Tomer S|Apr 18, 2017|
Document Distribution and Review
The document owner will distribute this document to all approvers when it is first created and as changes or updates are made. This document will be reviewed and updated annually or upon written request by an approver or stakeholder. Questions or feedback about this document can be directed to the owner or a listed approver.