
    Ex Libris Password Management Policy

    Version 2.2

    Overview

    Ex Libris, a ProQuest company, is committed to providing its customers with a highly secure and reliable environment for hosting and cloud-based applications. Therefore, Ex Libris has developed a strict and secure password policy and procedures that cover all aspects of IT, including hosting and cloud-based Ex Libris systems and services.

    Passwords are an important aspect of computer security. They are the front line of protection for user accounts. A poorly chosen password may result in the compromise of Ex Libris’ entire corporate network. For this reason, all Ex Libris employees (including contractors and vendors with access to Ex Libris systems) are responsible for taking the appropriate steps, as outlined below, to select and secure their passwords.

    Passwords not only protect Ex Libris and its information, but you as well. If somebody uses your account, you may be held responsible for their actions if you revealed your password to that person.

    Purpose

    The purpose of this policy is to establish a standard for the creation of strong passwords, the protection and appropriate use of these passwords to protect customer information, and to maintain data privacy by defining the frequency with which passwords should be changed.

    Scope

    The scope of this policy includes all personnel who have or are responsible for an account (or any form of access that supports or requires a password) on any system that resides at any Ex Libris facility, has access to the Ex Libris network, or stores non-public Ex Libris information.

    Policies

    General

    The following are general password policies:

    • All user-level passwords (such as e-mail, Web, workstation, server account, and so forth) must be changed at least every 90 days. However, when the user password is part of a multifactor authentication mechanism (such as an SSH key), a one-year change period is acceptable.
    • A user account that has system-level privileges granted through group memberships or programs such as sudo must have a password that is different than the password used for all other accounts held by this user.
    • Passwords must not be inserted into e-mail messages.
    • All user-level passwords must conform to the guidelines described below.
    • A new user will be created with the change password next logon option enabled.
    • All system-level passwords (such as root, NT admin, application administration account, service account, and so forth) must be changed at least every 6 months.
    • In a new installation of an Ex Libris product at a customer site, the application password must be changed.
    • When providing an internal application user name/password to an external resource (supplier, external developer, distributors, and so forth), a change of password needs to be performed immediately after the session.

    Guidelines

    Passwords that are used must be strong. Strong passwords have the following characteristics:

    • Complex:
      • Contain both uppercase and lowercase characters
      • Have digits, punctuation, or Unicode characters as well as letters (for example,  0-9, !@#$%^&*()_+|~-=\`{}[]:";'<>?,./)אßڑ)
    • Must be at least 8 characters long. System passwords must be at least 12 characters long
    • Enforce password history – at least 8 change cycles before a password can be reused 
    • Lockout – user accounts are blocked after 10 consecutive failed password entries
    • Must be a non-trivial combination
    • Must not be a word in any language, slang, dialect, or jargon
    • Must not be based on personal information
    • Must never be written down or stored unencrypted
    • Try to create passwords that can be easily remembered. One way to do this is to create a password based on a song title, affirmation, or other phrase. For example, the phrase might be “This may be one way to remember my password” and the password could be TmB1w2Rmp! or Tmb1W>rmp@s.
    • Rename the system-level privilege user name if possible.
    • Do not use the product name or a name that someone can easily guess as the system-level privilege user name.
       
      In contrast, the following are characteristics of poor passwords, which are forbidden:
       
    • The default password
    • A password that is a common usage word such as:
      • Names of family, pets, friends, co-workers, fictional characters, and so forth
      • Computer terms, commands, names of companies, hardware, or software
      • Birthdays and other personal information, such as addresses and phone numbers
      • Word or number patterns such as aaabbb, qwerty, zyxwvuts, 123321, and so forth.
      • Any of the above preceded or followed by a digit
      • Any of the above transformed by simple character substitutions (1 for l, @ for a, 3 for E, and so forth)

    Password Protection

    The following policies help protect your password:

    • Do not share your user-level Ex Libris password with anyone, including administrative assistants or Cloud and IT employees (unless you change the password after the problem has been solved). Do not open a case or ticket with your user name and password in it. Instead, ask for remote assistance and type the password separately. All user-level and system-level passwords are to be treated as sensitive, confidential Ex Libris information. All passwords must be saved on Ex Libris password protection encrypted systems.
    • If Cloud/IT employees need access to a system using your password, they should change your password to perform the required work and then allow you to reset your password when they have completed the task.
    • Avoid using the Remember Password feature of applications such as PuTTY, SecureCRT, Internet Explorer, and other applications.
    • Do not write passwords down and store them in your office or near your workstation.
    • If you must deliver a password:
      • Do it by phone and replace the password after you finish.
      • Be aware of who is listening around you.

    If an account or password is suspected of having been compromised, report the incident to the Ex Libris Chief Information Security Officer and change all your passwords on the compromised systems.

    Enforcement

    Password cracking or guessing may be performed during the semiannual security audit review performed by the company's Chief Information Security Officer or its delegates. Password cracking or guessing may also be performed during the annual security penetration tests performed by an external security company and during the ISO audit process. If a password is guessed or cracked during one of these scans, this will be considered a security violation and will be handled according to the security disciplinary policy.

     

     

    Record of Changes

    Type of Information    Document Data
    Document Title:        Ex Libris Password Management Policy
    Document Owner:        Tomer Shemesh - Ex Libris Chief Information Security Officer (CISO).
    Approved by:           Eyal Alkalay – Ex Libris Sr. Director of Cloud Engineering
    Issued:                Mar 1, 2012
    Reviewed & Revised:    Jun 3, 2019

     

    Revision Control

    Version Number    Nature of Change              Date Approved
    1.0               Initial version               Mar 1, 2012
    1.1               Updated – Tomer S             Apr 22, 2013
    1.2               Updated – Tomer S             Mar 12, 2014
    1.3               Review and Update- Tomer S    Feb 4, 2015
    1.4               Review and Update- Tomer S    Apr 11, 2016
    1.5               Review and Update- Tomer S    Jul 12, 2017
    2.0               Review and Update- Tomer S    Apr 26, 2018
    2.1               Review and Update- Tomer S    May 29, 2018
    2.2               Review and Update- Tomer S    Jun 3, 2019

    Document Distribution and Review

    The document owner will distribute this document to all approvers when it is first created and as changes or updates are made. This document will be reviewed and updated annually or upon written request by an approver or stakeholder. Questions or feedback about this document can be directed to the owner or a listed approver.
