Purpose and Scope
Ex Libris, a ProQuest Company,is committed to protecting our systems, information, and our customers’ information. This document defines the Ex Libris policy regarding Access Control. It is Ex Libris’ goal to ensure that personnel are positively authenticated and authorized prior to being granted access to information resources.
This policy applies to all systems, personnel, and data at Ex Libris.
- The EX Libris Chief Information Security Officer (CISO)
- Reviewing and updating the process periodically.
- Approving of the process changes.
- IT/MIS Management
- Implementing the process.
- Complying with the process requirements.
- Human Resources
- Present each new employee with the relevant job description and the applicable security policies for that function.
- Cloud Management
- Implement the process.
- Comply with the process requirements.
- Least Privilege – principle of limiting access to the minimal level that will allow normal function.
- Segregation of Duties (SoD) – internal control designed to prevent error and fraud by ensuring that at least two individuals are responsible for the separate parts of any task. SoD involves breaking down tasks that might reasonably be completed by a single individual into multiple tasks so that no one person is solely in control.
- Need to Know – users or resources will be granted access to systems that are necessary to fulfill their roles and responsibility
- Privileged Access – a higher level of access that includes, but is not limited to, administrator accounts, administrator group access, and administrator rights.
Ex Libris will positively authenticate authorized personnel prior to granting access to Ex Libris information resources. Access will be based on an individual's role and will be limited to the minimum necessary to perform the job function.
Access to information resources will be controlled through a managed process that addresses authorizing, modifying, and revoking access, and periodic review of information system privileges, to ensure that only approved, documented and tested activities are allowed in the cloud environments. The process to grant or remove permissions is based on “least privilege” and “need to know" principles.
Physical Access Control
Ex Libris Data Center
Physical access to the data center is restricted to personnel with a business need to access the data center. All physical access activities will be logged and monitored. Access to the facilities requires prior authorization an escort, and sign-in of the security log for the specific visit. Visitors will be accompanied by an authorized employee throughout their visit.
Ex Libris Offices
Physical access to the Ex Libris offices will be granted to individuals based on access IDs and business need.
Ex Libris offices visitors must be escorted by an authorized employee throughout their visit.
User Enrollment and Authorization
Only authorized users will be provided access to information resources and will be managed based on the following procedures and standards:
- Access Control Procedures
- Review of User Access Rights
- Password Management Policy
Personnel will be positively identified, follow a rigorous login process, and adhere to defined standards before gaining access to information resources. The UserID is required for the authentication login process
Personnel will be positively identified and authenticated prior to gaining access to Ex Libris Cloud Services information resources. It includes:
- Session timeout
- Access Control systems
- Remote access
- Segregation of Duties
- Display and Printing of Passwords and User IDs
- Disable Accounts
And follow the Ex Libris Group Password Management Policy, that includes:
- Password History
- Password Length / Composition
- Password Expiration
- User Password Change
- Password Storage
- One Time Use of Initial Passwords
- Password Resets
- Failed or Unsuccessful Login Attempts
- Default Passwords
Privileges are assigned to users based on roles. Roles are established based on responsibilities and job description.
The allocation of privileged access rights, which allow users elevated access privileges, are audited and documented.
Change of Employment Status
To ensure that access rights and privileges are changed as needed in a timely manner, the HR Manager will immediately notify the appropriate individuals regarding changes of employment status of individuals.
When contractual relationships change with external and third parties who have access to systems, services and facilities, or when the contract expires, the IT Team and the Cloud Manager will immediately inform the responsible individuals so that access rights and privileges can be updated appropriately in a timely manner.
The following requirements must be met for administrative rights to be granted:
- Validate that the user is authorized to access the resources
- Authenticate the user
- Grant access privileges based on defined roles
- Audit and log access activities
Privileged Access Control for Cloud Activities
Only authorized users will connect to a production server. All sessions to a production server will only be made through the access control system, ensuring that the user, the activity, and the access channel are properly controlled.
The access control system in use:
- Is the only focal point through which access to the Ex Libris cloud servers can be made.
- Validates that the user is authorized to access the resources.
- Checks and ensures that only approved activity on the server is performed.
- Restricts access according to predefined user and policy restrictions.
- Stores all data related to access rights encrypted.
All activity sessions are recorded and tracked for review.
Remote access to Ex Libris Cloud will be accomplished using the Ex Libris VPN.
The following applies regarding remote access:
- Access will be based on the change management and activity needed
- Access will be based on least privileged principles
- Devices used for remote access will be pre-configured with appropriate security controls
Wireless connections are prohibited in Ex Libris Data Centers. In Ex Libris offices wireless is allowed for internal workstations using signed certificates only.
Workstations with active applications accessing confidential information will be logged-off or locked prior to being left unattended for an extended period of time. Screensaver functionality will be invoked after 20 minutes of inactivity to password-protect workstations, and terminals.
When an account is no longer required it will be disabled in a timely manner.
Vendor Default User Accounts
Where possible, default vendor accounts and or passwords will be disabled or changed immediately.
Examples of default accounts include guest, temp, operator, and admin.
Review of User Access Rights
The Ex Libris Chief Information Security Officer (CISO) will review the access rights granted to ensure that they meet business and security requirements.
On a regular basis, the Ex Libris Chief Information Security Officer (CISO) will review and audit access activities. Any suspicious activity, potential violations, or unauthorized access will be addressed immediately in accordance with the Ex Libris Security and Privacy Incident Response Policy.
Any employee found to willfully or intentionally violate this policy may be subject to disciplinary action, up to and including termination of employment.
Record of Changes
|Type of Information||Document Data|
|Ex Libris Access Control Policy|
|Tomer Shemesh - Ex Libris Chief Information Security Officer (CISO).|
|Eyal Alkalay – Ex Libris Sr. Directorof Cloud Engineering.|
|Sep 13, 2016|
Reviewed & Revised:
May 19, 2019
|Version Number||Nature of Change||Date Approved|
|Initial version||Sep 13, 2016|
|Review and updated – Tomer S||Jan 22, 2017|
Review and updated – Tomer S
May 22, 2018
Review and updated – Tomer S
|Jun 06, 2018|
Review and updated – Tomer S
May 19, 2019
Document Distribution and Review
The document owner will distribute this document to all approvers when it is first created and as changes or updates are made. This document will be reviewed and updated annually or upon written request by an approver or stakeholder. Questions or feedback about this document can be directed to the owner or a listed approver