Purpose and Scope
Ex Libris, a ProQuest company, proactively strives to maintain the security and integrity of Ex Libris information. Reliable and accurate information is critical to proper decision making in Ex Libris, and a vital business asset that we must protect. Information risk management provides this protection by managing risks to the confidentiality, integrity and availability (CIA) of information. The purpose of the risk management policy is to provide guidance regarding the management of risks and to ensure that all risks are controlled or mitigated. This policy forms part of the Ex Libris governance framework and applies to all employees.
Roles and Responsibilities
1.1. Senior Management
1.1.1. Approves company risk management policies and top enterprise risks.
1.1.2. Ensures the development of a risk management program within the company.
1.1.3. Allocates resources to implement risk management programs and activities.
1.1.4. Ensures that, where appropriate, employees receive training in risk management.
1.2. Enterprise Security Risk Management Committee (The Committee)
The management committee that oversees a coordinated approach to assessing and responding to risks that affect the achievement of Ex Libris objectives, led by the Chief Information Security Officer (CISO). The Committee provides a dedicated forum for advancing risk management and for monitoring the overall effectiveness of the Ex Libris risk management efforts. The Committee approves all risk management policies and then recommends them to the Senior Management for final approval.
1.3. Business Unit Manager
1.3.1. Participates in risk assessment and control activities.
1.3.2. Identifies employees to participate, where appropriate, in risk management.
1.3.3. Monitors the ongoing effectiveness of risk control strategies.
1.4. Chief Information Security Officer (CISO)
1.4.1. Leads the Risk Management activities.
1.4.2. Responsible for a comprehensive risk management program, which entails proposing risk vision, strategy, policies, and philosophy regarding risk tolerance to executive management.
1.4.3. Reports to Senior Management.
1.4.4. Responsible for ensuring the consistent implementation of the Ex Libris risk management program throughout Ex Libris through risk management training and consulting.
1.4.5. Develops, administers, and helps interpret the Risk Management Policy.
1.5. All Employees
1.5.1. Responsible for risk management at Ex Libris.
1.5.2. Make and support risk-informed decisions. Notify their supervisor or the Chief Information Security Officer (CISO) of identified risks so that immediate action may be taken as needed.
Terms and Acronyms
1. Risk: The effect of uncertainty on the achievement of objectives. An effect is a deviation from the expected, whether positive and/or negative. Risk is often expressed in terms of a combination of the consequences of an event (including changes in circumstances) and the associated likelihood of occurrence.
2. Risk Assessment: The overall process of risk identification, risk analysis, and risk evaluation.
3. Risk Tolerance: Measure of the level of risk which an individual or company is willing to accept without further treatment.
4. Risk Management: Strategic business discipline that supports the achievement of an organization's objectives by addressing the full spectrum of its risks and managing the combined impact of those risks as an interrelated risk portfolio. Risk management provides a disciplined process for managing risk and seeks to embed this discipline in existing business processes.
5. Business Impact Analysis (BIA): Documents and analyzes the consequences of disruption of a business function or process.
Ex Libris will implement a risk assessment based on NIST SP 800-30 on an annual basis. This assessment will be performed jointly with an external audit company and will meet the requirements for the Ex Libris ISO certifications.
1.1 Ex Libris Risk Management Process
1. Ex Libris risk management is iterative, scalable, and includes communication and discussions with internal and, as appropriate, external stakeholders regarding the risk management process.
2. Define the internal, external, and risk parameters to be evaluated when managing risk, and set the scope and risk criteria.
3. Identify risks based on events that might enhance, prevent, degrade, or delay the achievement of the objectives.
4. Consider the causes and sources of risk, their positive and negative consequences, and the likelihood that those consequences can occur, including existing risk controls and their effectiveness.
5. Make decisions based on outcomes of risk analysis and prioritize mitigations for risks that exceed the risk tolerance criteria.
6. Identify available options for modifying unacceptable risks and implement mitigations.
7. Monitor and review all aspects of the risk management process to:
- Capture lessons learned from events, changes, and trends
- Detect changes in the external and internal context, including changes to the risk itself
- Ensure that the risk controls and treatment measures are effective in both design and operation
- Identify emerging risks
1.2 Classification of Risk Components
1. All items identified in the register of components will be classified using the following criteria:
1.1. Confidentiality – information is only accessed as authorized
1.2. Integrity – system functionality and the information generated are reliable and have not been tampered with
1.3. Availability – systems and information are available when needed
1.4. Accountability – all users (customers, staff, and 3rd parties) are held responsible for actions taken regarding the system or information
2. All components will be rated on a scale from Low to High based on the relevance of the configuration item to creating or protecting each of these properties of the system.
1.3 Risk-Informed Decision-Making and Operations
Organizational units will embed the principles of the risk management process into their business operations and processes so that they can effectively manage the risks that have a material impact on their objectives.
1.4 External Audit
The Ex Libris Chief Information Security Officer (CISO) will lead the audits that validate that this policy is followed. The external assessment will be performed jointly with an external security company to validate that all security measures are in place.
1.5 Policy Compliance
Failure to comply with this policy may result in disciplinary action, up to and including termination.
1.6 Risk Management Policy Review
This policy and our risk management framework will be reviewed at least annually by Management to assess their effectiveness and to ensure their continued application and relevance as part of the ISO audit process.
Record of Changes
| Type of Information | Document Data |
| --- | --- |
| | Ex Libris Risk Management Policy |
| | Tomer Shemesh - Ex Libris Chief Information Security Officer (CISO) |
| | Eyal Alkalay - Ex Libris Sr. Director of Cloud Engineering |
| | Apr 28, 2019 |
| Reviewed & Revised | Apr 28, 2019 |

| Version Number | Nature of Change | Date Approved |
| --- | --- | --- |
| | | Apr 28, 2019 |
Document Distribution and Review
The document owner will distribute this document to all approvers when it is first created and as changes or updates are made. This document will be reviewed and updated annually or upon written request by an approver or stakeholder. Questions or feedback about this document can be directed to the owner or a listed approver.