Ex Libris Rosetta Privacy Impact Assessment


Ex Libris Rosetta Privacy Impact Assessment March 2018

1 - Table of Contents
1 - Table of Contents
2 - Disclaimer
3 - Purpose of this document
4 - Main Findings and Conclusions
5 - Scope and Plan
6 - Data Elements
6.1 - Data sharing
6.2 - Data Flows
7 - Risks and Controls
8 - Privacy management framework
8.1 - GOVERNANCE
8.2 - REMOTE ACCESS TO CUSTOMER DATA (SUPPORT)
8.3 - SECURITY
8.4 - THIRD PARTY
8.5 - USER RIGHTS
8.6 - CONSENT
8.7 - TRAINING & AWARENESS
8.8 - INCIDENT HANDLING
8.9 - PRIVACY BY DESIGN

2 - Disclaimer
This report is provided to Ex Libris. If this report is received by anyone other than Ex Libris, the recipient is placed on notice that the attached report has been prepared solely for use in connection with Ex Libris, and this report and its contents may not be shared with or disclosed to anyone by the recipient without the express consent of Ex Libris and KPMG Somekh Chaikin. KPMG Somekh Chaikin shall have no liability for the use of this report by anyone other than Ex Libris and shall pursue all available legal and equitable remedies against the recipient for the unauthorized use or distribution of this report.

3 - Purpose of this document
The Privacy Impact Assessment (PIA) is a process that identifies what impact a project, product, service, initiative or general collection and use of information might have on the privacy of individuals. A PIA is a point-in-time assessment, and the resultant report and other outputs should be revisited as changes occur to the processes that were originally assessed. This PIA includes a brief description of the data processed in the Ex Libris Rosetta solution, the privacy impact of these processes, and the measures Ex Libris is taking in order to manage the risks involved.

4 - Main Findings and Conclusions
We have reviewed the privacy risks regarding the Ex Libris Rosetta product, and the privacy and security controls designed to mitigate those risks. Rosetta is a software solution provided to customers as a standalone system without a connection to the Ex Libris infrastructure. Ex Libris does not have access to any data stored in a customer's system, except when providing support to the customer. Any potential risk in these support processes is mitigated by Ex Libris policy (8.2) and infrastructure.

5 - Scope and Plan
The scope of this PIA is Rosetta, an Ex Libris solution. Because Rosetta is provided to the customer as an on-premises solution, Ex Libris does not have access to customer data. We noted that during support processes for Rosetta, an Ex Libris support engineer may be exposed to customer data, which makes Ex Libris a data processor. This assessment does not include the hosting of Rosetta at Ex Libris data centers.

6 - Data Elements
Ex Libris exposure to data elements in a customer's on-premises installation of Rosetta is minimal and limited to support sessions in which a remote connection to the customer's network is established.

6.1 - Data sharing
As stated, only during a support session would an Ex Libris employee potentially be exposed to customer information, which may include personal information. In this situation, the Ex Libris employee cannot perform any action on the personal information, including sharing it with others. This is a result of a policy (see 8.2) that prohibits Ex Libris employees from copying any information from the customer network to the Ex Libris network, and of a network topology that physically separates the support infrastructure from the Ex Libris infrastructure.

6.2 - Data Flows
Same as 6.1.

7 - Risks and Controls
Ex Libris risk regarding an on-premises Rosetta installation is very low. Even in cases where an Ex Libris employee may be exposed to personal information, that exposure is limited in time and the information does not reside on the Ex Libris network or infrastructure. Table 1 details the risks and the key controls that mitigate these risks.

Table 1 - Main Risks and Key Controls

Main Risk: Disclosure of individuals' data to an unauthorized party (internal users)
Key Controls:
- Separation of environments between the remote connection infrastructure and the Ex Libris network.
- A policy (see 8.2) prohibits the copying of customer information.

Main Risk: Disclosure of individuals' data to an unauthorized party (external party, like hackers)
Key Controls:
- N/A, since no customer information resides on Ex Libris infrastructure.

Main Risk: Processing of personal data without proper need
Key Controls:
- Separation of environments between the remote connection infrastructure and the Ex Libris network.
- A policy (see 8.2) prohibits the copying of customer information.

Main Risk: Breach of individual rights
Key Controls:
- N/A, since no customer information resides on Ex Libris infrastructure.

Main Risk: Lack of a documented and implemented privacy management framework
Key Controls:
- Documented, published and implemented policy (see 8.2).
- Appointed DPO (Ellen Amsel), responsible for keeping the privacy processes current.

8 - Privacy management framework

8.1 - GOVERNANCE
The development and implementation of the privacy framework is the responsibility of the Ex Libris DPO, Ellen Amsel. This also includes involvement in product development and in the implementation of privacy processes throughout Ex Libris.

8.2 - REMOTE ACCESS TO CUSTOMER DATA (SUPPORT)
It is Ex Libris policy not to copy customer data, and especially not credentials, into Salesforce, and to contact customers directly if access to personal data is required to resolve a customer case (for example, if the data is corrupt). Ex Libris asks its customers to send personal data using any channel that the customer's institution considers secure, based on the institution's security and privacy standards. Additionally, Support works with test user accounts that are created specifically for replication and debugging purposes.

8.3 - SECURITY
Ex Libris has implemented a multi-tiered security model that covers all technological aspects of the company. The security model and controls are based on international standards, including ISO/IEC 27001:2005 and ISO/IEC 27002, the standards for an information security management system (ISMS). Information security policies are published at: https://knowledge.exlibrisgroup.com/cross_product/security/policies

Security policies include:
- Cloud Security and Privacy
- Customer Appropriate Usage Statement
- Ex Libris Certified Third-Party Software and Security Patch Release Notes
- Ex Libris Cloud Services BCP
- Ex Libris New Third Party Software Evaluation and Plan
- Ex Libris Password Policy
- Ex Libris Security Incident Response Policy
- Ex-Libris Security Patches and Vulnerability Assessments Policy
- Welcome to the Ex Libris Cloud

8.4 - THIRD PARTY
There is no use of third parties for support services.

8.5 - USER RIGHTS
Ex Libris is considered a data processor for any data that a support engineer may be exposed to, even though Ex Libris, in its support processes, does not store any personal information. Therefore, the GDPR "User Rights" article is not relevant for a Rosetta on-premises implementation.

8.6 - CONSENT and DATA SUBJECT RIGHTS
User consent and other data subject rights are managed by the data controller; therefore, it is the customer's responsibility to only allow access to the system for users who have expressed their consent for the relevant data processing.

8.7 - TRAINING & AWARENESS
Ex Libris manages privacy training and security awareness training. The privacy training includes GDPR-specific training, which includes Privacy by Design training.

8.8 - INCIDENT HANDLING
Ex Libris has developed and implemented incident response and notification procedures. The procedures include a breach notification policy and the involvement of the DPO in case of a data breach.

8.9 - PRIVACY BY DESIGN
Ex Libris has implemented Privacy by Design processes, which involve the DPO and address privacy concerns from the beginning of product development and through change management.