    Ex Libris Knowledge Center

    Ex Libris IT Security Policy

    Version 2.1

    Purpose and scope

    The purpose of this document is to define clear rules for the use of the information systems and other information assets in Ex Libris. This policy applies to all Ex Libris information systems and users of Ex Libris information systems including employees, students, contractors, or other third party users.

    Definitions

    Information systems – the systems that store the assets, including all servers and clients, network infrastructure, system and application software, data, and other computer subsystems and components that are owned, used by Ex Libris or are under Ex Libris responsibility (either installed on premise or provided as a service).   

    Information assets – any information, electronic or hard copy.

    Policy

    Acceptable Use

    Information assets are used for business needs. Incidental personal use is permitted. If you require resources that exceed normal capacity requirements, you must request the additional resources in advance with a Helpdesk ticket.

    Installation of New Software/Applications

    Any new software or application must be downloaded and installed only from the Application Catalog. All new software requests for installation are handled by IT/MIS support. IT/MIS is responsible for purchasing software and for maintaining the Application Catalog. This will ensure that all installed software is compliant with Ex Libris security and licensing requirements.  

    Responsibility for Assets

    Each physical asset has an owner designated in the Inventory of Assets. The asset owner is also responsible for the information stored in the asset, in accordance with the Ex Libris data classification policy.

    Prohibited Activities

    To ensure that security and privacy protection continues and to prevent new security risks, you may not:

    • Bypass or disable Ex Libris security controls and protections.
    • Install software that was not approved by IT/MIS or that does not come from the Application Catalog.
    • Download program code from external media that was not scanned and approved by IT/MIS.
    • Perform port scanning or security scanning unless prior notification to the Ex Libris Chief Information Security Officer (CISO) is made.
    • Interfere with or deny service to any user or host other than the employee's own (for example, a denial of service attack).
    • Connect external storage media, memory cards, and other devices for storing and reading data (e.g., USB flash drives) without explicit permission from the IT/MIS team or the Ex Libris Chief Information Security Officer (CISO).

    Use of Removable Media

    The use of removable media is prohibited and is restricted by our antivirus system. Where there is a business case for using removable media, contact IT/MIS Support. Use of removable media also requires Ex Libris Chief Information Security Officer (CISO) approval.

    Taking Assets Off-Site

    Equipment, information and software, regardless of form or storage medium, must always be kept physically secure and controlled.

    Return of Assets upon Termination of Contract

    Upon termination of an employment contract or other contract, all equipment, information and software must be returned to IT/MIS Support Department as part of the termination process. 

    Backups

    Ex Libris files must be located on the department SharePoint sites or the employee’s OneDrive to ensure that the data is backed up on a regular basis as part of Ex Libris standard business practices. Ex Libris issued workstations are not backed up. It is the user's responsibility to ensure that data is not located on local drives. Department SharePoint sites and employees’ OneDrive are backed up as defined in Ex Libris backup procedures.

    Antivirus Protection

    Antivirus software must be installed and activated on each computer with automatic updates enabled. It is prohibited to uninstall or disable antivirus software.

    Authorizations for Information System Use

    Access to information systems and assets is restricted to individuals who have been granted access. Permissions are set by the IT team and are based on the user’s job responsibilities.

    Administrator and power user rights are granted based on "least privilege" and "need to know" principles. Users may not bypass information system security controls.  

    User Account Responsibilities

    Users may not share their credentials or access privileges with others. The owner of the user account is responsible for all transactions performed through the user account.

    Password Requirements

    When selecting passwords, users must adhere to the Ex Libris Password Management Policy. This includes:

    • Appropriate password complexity.
    • Password minimum length.
    • Password retention.
    • Password age.
    • Password history.

    Clear Desk and Clear Screen

    Employees are required to ensure that all confidential information in hardcopy or electronic form is secure in their work area at the end of the day and when they expect to be out of the office for an extended period.

    • Keys used for access to restricted or sensitive information must not be left at an unattended desk.
    • Documents must be stored in a secure manner, based on their data classification level.
    • Documents must be removed from desks and printers to prevent unauthorized access.
    • During known extended periods away from the desk, such as a lunch break, workstations/laptops must be locked, and sensitive working papers must be placed in locked drawers.
    • Computer workstations must be locked at the end of the work day.
    • Any Ex Libris restricted and sensitive information must be removed from the desk and locked when users are not present at their desk.
    • Documents and other media classified as Confidential must be stored in a secure manner in accordance with the Data Classification Policy.  

    Internet use

    The internet may be accessed only through the organization's local network, from an appropriate workstation, and through the infrastructure firewall and proxy protection. Direct internet access from the Ex Libris local network that bypasses the security infrastructure protections is forbidden.

    Ex Libris web security protection may block access to some internet pages for individual users, groups of users, or all employees at the organization. If access to Web pages is blocked, the user may submit a written request to IT/MIS Support for authorization to access such pages. The user may not try to bypass such restriction autonomously.

    Use of internet/intranet and e-mail may be subject to monitoring. Users may also be limited in their use of such resources. The user must regard any information received through the internet as unverified or unreliable. Such information may be used for business purposes only after its authenticity and correctness have been verified.

    The user will not: 

    • Visit Internet sites that contain obscene, hateful, or other objectionable materials.  
    • Make or post indecent remarks, proposals, or materials on the internet.  
    • Attribute personal statements, opinions or beliefs to Ex Libris when engaged in blogging. If an employee is expressing his or her beliefs and/or opinions in blogs, the employee may not, expressly or implicitly, represent themselves as an employee or representative of Ex Libris. Employees assume any and all risk associated with blogging.
    • Violate any law pertaining to the handling and disclosure of copyrighted or export controlled materials.

    Mobile Computing and Remote Access

    Ex Libris employees with Ex Libris equipment that allows them to connect remotely must:

    • Be the only person using the equipment.
    • Always keep the equipment physically secured.
    • Use the screen lock feature if the equipment is left unattended and follow the clean desk requirements (above).
    • Protect Ex Libris information, both electronic and hardcopy.
    • Use the Ex Libris VPN where only public internet is available, including for browsing the internet.
    • Ensure that Ex Libris files are located on the department SharePoint sites or the employee’s OneDrive only so that the data can be backed up.
    • Ensure that Ex Libris equipment is returned to Ex Libris upon termination of employment.

    Personal computer usage

    When personal computers are used to access Ex Libris resources (remote desktop connection over the Ex Libris VPN), it is the employee’s responsibility to ensure that his/her computer has the latest antivirus and operating system versions.

    E-mail and Other Messaging Systems

    Message exchange methods, other than electronic mail, also include downloading files from the Internet, using an e-mail system, transferring data via Skype, sending SMS text messages, using telephones, fax machines, portable media devices and storage, and forums and social networks.

    In accordance with the Data Classification Policy, the Ex Libris CISO determines the communication channel that may be used for each type of data, as well as possible restrictions on who is allowed to use communication channels, and defines which activities are forbidden.

    It is forbidden to send materials with disturbing, unpleasant, sexually explicit, rude, slanderous or any other unacceptable or illegal content. Users are not allowed to send spam messages. Should a user receive a spam e-mail, he/she must inform IT/MIS Support.

    Copyrights

    Violations of the rights of any person or company protected by copyright, trade secret, patent, or other intellectual property laws, or similar laws and regulations, including, but not limited to, the installation or distribution of "pirated" or other software products that are not appropriately licensed for use by Ex Libris, are strictly prohibited.

    Unauthorized copying of copyrighted material including, but not limited to, digitization and distribution of photographs from magazines, books, or other copyrighted sources, copyrighted music, and the installation of any copyrighted software for which Ex Libris or the end user does not have an active license is strictly prohibited.  

    Training

    The Ex Libris Chief Information Security Officer will provide training to all employees on all aspects of this IT security policy.

    Security Concerns

    Each employee, supplier or third person who is in contact with data and/or systems of Ex Libris must report any system weakness, incident, or any potential security vulnerability to the Ex Libris Chief Information Security Officer (CISO) at SecurityOfficer@exlibrisgroup.com.  

    Any security incident or any potential security breach in customer data privacy identified must be reported to the Privacy and Regulation Officer & DPO at privacy@exlibrisgroup.com immediately.  

    Any system weakness, incident, or potential security vulnerability noted must be reported to the Ex Libris Chief Information Security Officer (CISO) at SecurityOfficer@exlibrisgroup.com.  

    Policy Enforcement

    Any employee found to have wilfully or intentionally violated this policy may be subject to disciplinary action, up to and including termination of employment. 

    Record of Changes

    Document Title: Ex Libris IT Security Policy
    Document Owner: Tomer Shemesh – Ex Libris Chief Information Security Officer (CISO)
    Approved by: Eyal Alkalay – Ex Libris Sr. Director of Cloud Engineering
    Issued: Nov 13, 2012
    Reviewed & Revised: Jun 3, 2019

    Revision Control

    Version Number   Nature of Change     Date Approved
    1.0              Initial version      Nov 20, 2012
    1.1              Updated – Tomer S    Jun 16, 2013
    1.2              Updated – Tomer S    Jan 20, 2014
    1.3              Updated – Tomer S    Jan 7, 2015
    1.4              Updated – Tomer S    Jan 27, 2016
    1.5              Updated – Tomer S    Apr 18, 2017
    2.0              Updated – Tomer S    May 14, 2018
    2.1              Updated – Tomer S    Jun 3, 2019

    Document Distribution and Review

    The document owner will distribute this document to all approvers when it is first created and as changes or updates are made. This document will be reviewed and updated annually or upon written request by an approver or stakeholder. Questions or feedback about this document can be directed to the owner or a listed approver.
