    Ex Libris Information Security Policy

    Version 1.3

    Purpose and Scope

    Ex Libris, a ProQuest Company, is committed to protecting its systems and information and the information entrusted to it by its customers. The purpose of this policy is to provide a security framework, based on ISO 27002, that ensures Ex Libris information is protected from unauthorized access, loss or damage.

    This policy applies to all Ex Libris employees and to all other individuals and entities granted use of Ex Libris information, including, but not limited to, contractors and temporary employees. Information may be verbal, digital, and/or hardcopy; individually controlled or shared; stand-alone or networked.

    Terms and Acronyms

    Vulnerability: Weakness that can be exploited by one or more threats.

    Control: Means of managing risk, including policies, procedures and standards.

    Information security: Preservation of confidentiality, integrity and availability of information.

    Personal data: Any information relating to an identified or identifiable natural person.

    Risk: Combination of the probability of an event and its consequences.

    Threat: Potential cause of an unwanted incident, which may result in harm to a system.

    Information Security Policy

    Risk

    Ex Libris will perform a risk assessment at least annually, based on NIST SP 800-30, that identifies, quantifies, and prioritizes risks.

    Classification of Information

    Ex Libris information will be classified into one of the following three classification levels:

    • Public
    • Internal Use Only
    • Confidential

    Classification and handling requirements for each level are defined in the Ex Libris Data Classification Policy.

    Access Control

    Access to information is granted on the principle of least privilege: users and systems receive only the access required to perform their assigned functions.
    Access control requirements are defined in the Ex Libris Access Control Policy.

    Security Patches and Vulnerability Assessments

    Patches, updates, and service packs will be verified and tested before they are released into production.
    Security vulnerabilities will be communicated, evaluated, and analyzed in accordance with the Ex Libris Security Patches and Vulnerability Assessments Policy.

    Password Management

    Passwords are created and used as required by the Ex Libris Password Management Policy.

    Data Encryption

    Ex Libris uses industry-standard encryption to protect personal data both in transit and at rest.

    Data Destruction

    Ex Libris sanitizes and destroys data in accordance with NIST SP 800-88 (Guidelines for Media Sanitization).

    Human Resources

    • Ex Libris policies are communicated by Human Resources.
    • Job descriptions will include information security responsibilities.
    • Prior to employment, as allowed by law, individuals will be vetted and background checks will be performed for staff in critical positions, including positions with access to customer information.
    • All employees will sign confidentiality agreements as part of the employment process.
    • Segregation of duties will be implemented, as appropriate, to reduce the risk of negligent or deliberate system misuse.

    Business Continuity

    Business continuity and disaster recovery plans are based on ISO 22301.
    See Ex Libris Cloud Services BCP for additional information.

    Configuration Management

    System and hardware configurations are defined, secured, and documented based on ITIL and best practice standards.

    Network Operations

    The Ex Libris network will be secured both physically and logically, through network segmentation.

    Physical Security

    Ex Libris systems will be housed in secure areas that are appropriately protected against unauthorized physical access.

    Continuous monitoring of security controls

    Continuous monitoring of security controls will be performed through security checks, security reviews, application security vulnerability assessment scans, and network vulnerability scans.

    Asset Management

    • Ex Libris assets are managed based on ITIL principles.
    • An owner is assigned to each Ex Libris asset.
    • The asset owner is responsible for the maintenance and protection of the asset.

    Change Management

    Ex Libris change management is based on the IT Infrastructure Library (ITIL) change management methodology.
    Change management requirements are detailed in Welcome to the Ex Libris Cloud.

    Security and Privacy awareness training

    Security and privacy awareness training is provided annually as part of the employee life cycle.

    Security and Privacy Incident Response

    Security and privacy incidents are responded to as documented in the Ex Libris Security and Privacy Incident Response Policy.

    Compliance

    The Ex Libris Chief Information Security Officer (CISO) is responsible for compliance with this policy.

    Related Documents

     

    Record of Changes

    Document Title: Ex Libris Information Security Policy
    Document Owner: Ellen Amsel - Ex Libris Privacy & Regulation Officer & DPO
    Approved by: Tomer Shemesh - Ex Libris Chief Information Security Officer (CISO)
    Issued: Apr 26, 2018
    Reviewed & Revised: Jun 5, 2019

     

    Revision Control

    Version Number   Nature of Change     Date Approved
    1.0              Initial version      Apr 26, 2018
    1.1              Updated – Tomer S    May 10, 2018
    1.2              Updated – Tomer S    Jul 22, 2018
    1.3              Updated – Tomer S    Jun 5, 2019

    Document Distribution and Review

    The document owner will distribute this document to all approvers when it is first created and whenever changes or updates are made. This document will be reviewed and updated annually, or upon written request by an approver or stakeholder. Questions or feedback about this document can be directed to the owner or to a listed approver.
