
    Ex Libris Change Management Policy

    Version 1.0

    Purpose and Scope

    Ex Libris, a ProQuest company, proactively strives to maintain Ex Libris information and information systems. Reliable and accurate information is a vital business asset and critical to proper decision making at Ex Libris. The purpose of change management is to ensure that the system components used to deliver services are identified, recorded, and monitored so that only authorized changes are applied. Change management includes hardware, software, and associated documentation. This policy is a component of the Ex Libris Cloud security governance framework.

    The policy applies to all Ex Libris employees, contractors and vendors who are authorized to access systems, applications, databases, networks, information and resources managed or maintained by Ex Libris.

    Reference and Documents

    ·         Ex Libris Cloud Services Group Roles and Responsibilities Version 1.9, dated November 13, 2017

    ·         ISO 27001 certification

    ·         NIST SP 800-53 (Rev 4), Security and Privacy Controls for Federal Information Systems and Organizations

    Roles and Responsibilities

    The following section details Ex Libris roles and responsibilities regarding change management. 

    Senior Management

    a.      Approves company change management policy, procedures and enterprise risks.

    b.      Allocates resources and tools to implement the change management security control requirements.

    VP Cloud Operations

    a.      Leads the change management activities.

    Chief Information Security Officer (CISO)  

    a.      Ensures that proposed changes are compliant with information security directives.

    IT/MIS Management and Cloud Management

    a.      Implements the policy and procedures regarding change management.

    HUB

    a.      Ensures that changes made are properly validated and documented before being released for production.

    b.      Monitors changes in production to ensure that they are working as intended.

    System Administrators/Developers

    a.      Follow procedures for change management.

    b.      Develop, test, and document changes made.

    Terms and Acronyms

    1. Availability:  Ensuring timely and reliable access to and use of information.  
    2. Confidentiality:  Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information.   
    3. Security Impact Analysis: The analysis conducted to determine the extent to which changes to the information system have affected the security state of the system.

    Change Management Policy

    To protect the confidentiality, integrity and availability of Ex Libris information and information systems, all changes made to Ex Libris systems will be planned, authorized, tested, reviewed, and approved before being implemented.

    Change Control

    Ex Libris will manage changes to systems and application programs. The change control process includes:

    a.        Safeguarding production systems.  Changes will not be applied directly to systems running in production.

    b.        Unscheduled changes require the same approval, testing, and review process as planned changes.

    c.        Enforcement of formal change control procedures.

    d.        Proper authorization and approvals at all levels.

    e.        Successful testing of updates and new programs prior to being moved into a production environment.

    f.         Determining the types of changes needed.

    g.        Documenting changes implemented for the information system. 

    h.        Implementing approved changes to the information system. 

    i.         Retaining records of changes to the information system for the life of the system.

    j.         Auditing and reviewing activities associated with changes to the information system. 

    k.        Coordinating and providing oversight for change activities through a Go/No Go board that convenes before changes occur. 

    l.         Testing, validating, and documenting changes to the information system before implementing the changes on the system.

    m.       Ensuring that updates addressing significant security vulnerabilities are prioritized, evaluated, tested, documented, approved and applied promptly to minimize the exposure of un-patched resources.   

    n.        Using rollback procedures designed to recover to a previous stable version of information systems.

    Impact analysis

    When changes are planned or unplanned, analysis will be done to determine potential security and privacy impact.  As a result of the impact analysis, the following will be documented:

    a.    Impact to the security, confidentiality, and privacy requirements for Ex Libris functions or services.

    b.    Where appropriate, classification and handling instructions of information stored in the files.

    c.    Changes to access control mechanisms used in support of critical functions and services.

    External Audit

    The Ex Libris Chief Information Security Officer (CISO) will lead internal and external security audits to validate compliance with this policy.

    Management Commitment - Policy Compliance

    Ex Libris monitors change management controls to ensure compliance with applicable laws, directives, policies, and guidance through periodic quality reviews. The Security Officer reports to Ex Libris management as necessary regarding compliance. Ex Libris will initiate actions as necessary to correct reported deficiencies, including reallocation of resources to improve implementation of security practices.

    Failure to comply with this policy may result in disciplinary action, up to and including termination.

    Coordination Among Organizational Entities

    Ex Libris will identify and coordinate system and information integrity with internal and external organizations. The procedures provide details on the coordination.

    Policy Review

    This policy will be reviewed at least annually by Management to assess its effectiveness and to ensure its continued application and relevance as part of the Ex Libris information security management system (ISMS).

    Policy Enforcement 

    Failure to comply with this policy may result in disciplinary action, up to and including termination of employment.

    Record of Changes

    Type of Information    Document Data
    Document Title:        Configuration Management Policy
    Document Owner:        Tomer Shemesh - Ex Libris Chief Information Security Officer (CISO)
    Approved by:           Eyal Alkalay - Ex Libris Sr. Director of Cloud Engineering
    Issued:                Apr 28, 2019
    Reviewed & Revised:    Apr 28, 2019

    Record of Changes

    Version    Nature of Change    Date Approved
    1.0        Initial Version     Apr 28, 2019

    Document Distribution and Review

    The document owner will distribute this document to all approvers when it is first created and as changes or updates are made. This document will be reviewed and updated annually or upon written request by an approver or stakeholder. Questions or feedback about this document can be directed to the owner or a listed approver.
