Ex Libris. Aleph Privacy Impact Assessment


Ex Libris Aleph Privacy Impact Assessment March 2018

1 - Table of Contents

1 - Table of Contents ... 2
2 - Disclaimer ... 3
3 - Purpose of this document ... 4
4 - Main Findings and Conclusions ... 4
5 - Scope and Plan ... 5
6 - Data Elements ... 5
6.1 - Data sharing ... 5
6.2 - Data Flows ... 5
7 - Risks and Controls ... 6
8 - Privacy management framework ... 6
8.1 - GOVERNANCE ... 6
8.2 - REMOTE ACCESS TO CUSTOMER DATA (SUPPORT) ... 7
8.3 - SECURITY ... 7
8.4 - THIRD PARTY ... 7
8.5 - USER RIGHTS ... 7
8.6 - CONSENT ... 8
8.7 - TRAINING & AWARENESS ... 8
8.8 - INCIDENT HANDLING ... 8
8.9 - PRIVACY BY DESIGN ... 8

Page 2 of 8

2 - Disclaimer

This report is provided to Ex Libris. If this report is received by anyone other than Ex Libris, the recipient is placed on notice that the attached report has been prepared solely for use in connection with Ex Libris, and this report and its contents may not be shared with or disclosed to anyone by the recipient without the express consent of Ex Libris and KPMG Somekh Chaikin. KPMG Somekh Chaikin shall have no liability for the use of this report by anyone other than Ex Libris, and shall pursue all available legal and equitable remedies against the recipient for the unauthorized use or distribution of this report.

3 - Purpose of this document

The Privacy Impact Assessment (PIA) is a process that identifies what impact a project, product, service, initiative or general collection and use of information might have on the privacy of individuals. A PIA is a point-in-time assessment, and the resultant report and other outputs should be revisited as changes occur to the processes that were originally assessed. This PIA includes a brief description of the data processed in the Ex Libris Aleph solution, the privacy impact of these processes, and the measures Ex Libris is taking in order to manage the risks involved.

4 - Main Findings and Conclusions

We have reviewed the privacy risks regarding the Ex Libris Aleph solution and the privacy and security controls designed to mitigate those risks. The Ex Libris Aleph solution is provided to customers as a standalone system that has no connectivity to the Ex Libris infrastructure. Ex Libris does not have access to any data stored in a customer's system, except when providing support to the customer. Any potential risk during a support process is mitigated by Ex Libris policy (see 8.2) and infrastructure.

5 - Scope and Plan

The scope of this PIA is the Ex Libris Aleph solution. Ex Libris does not have access to customer data because Aleph is installed on premise at the customer site. We noted that during support processes for Aleph, when Ex Libris connects to the customer's Aleph installation, an Ex Libris support engineer could potentially access customer data, at which point Ex Libris becomes a data processor. This assessment does not include instances where Aleph is hosted at the Ex Libris data center.

6 - Data Elements

Ex Libris exposure to customer data in an on premise installation is minimal and limited to support sessions when remotely connecting to a customer's Aleph installation.

6.1 - Data sharing

As noted above, only when Ex Libris provides support to the customer remotely may the Ex Libris engineer potentially access customer information, which may include personal information. In accordance with Ex Libris policy, an Ex Libris engineer may not perform any action on the personal information, including sharing it with others. This is a result of a policy (see 8.2) that prohibits Ex Libris engineers from copying any information from the customer system to Ex Libris, and of a network topology that physically separates the support infrastructure from the Ex Libris infrastructure. Should a customer wish Ex Libris to work with their information, the customer must send their data to Ex Libris securely, based on the customer's security policies. See 6.1

6.2 - Data Flows

7 - Risks and Controls

Because Aleph is on-premise at the customer location, the risk to customer data from Ex Libris is very low. Even in cases where an Ex Libris engineer may be exposed to personal information, the exposure is limited in time and the information does not reside on the Ex Libris network or infrastructure. Table 1 details the risks and the key controls that mitigate these risks.

Table 1

Main Risks:
- Disclosure of individuals' data to an unauthorized party: internal users
- Disclosure of individuals' data to an unauthorized party: external party (like hackers)
- Processing of personal data without proper need
- Breach of individual rights
- Lack of a documented and implemented privacy management framework

Key Controls:
- Separation of environments between the customer on-premise installation of Aleph and the Ex Libris network
- A policy (see 8.2) prohibits the copying of customer information
- N/A since customer data does not reside on the Ex Libris infrastructure
- Separation of environments between the remote connection infrastructure and the Ex Libris network
- A policy (see 8.2) prohibits the copying of customer information
- N/A since no customer information resides on the Ex Libris infrastructure
- Documented, published and implemented policy (see 8.2)
- Appointed DPO (Ellen Amsel), responsible for keeping the privacy processes current

8 - Privacy management framework

8.1 - GOVERNANCE

The development and implementation of the privacy framework is the responsibility of the Ex Libris DPO, Ellen Amsel. This also includes involvement in product development and in the implementation of privacy processes throughout Ex Libris.

8.2 - REMOTE ACCESS TO CUSTOMER DATA (SUPPORT)

It is Ex Libris policy not to copy customers' data, and especially not credentials, into Salesforce, and to contact customers personally if personal data is required to handle customer cases (for example, if the data is corrupted). We ask our customers to send us personal data using any channel that the customer considers secure by their institution's security and privacy standards. Additionally, Support works with test user accounts that are created specifically for replication and debugging purposes.

8.3 - SECURITY

Ex Libris has implemented a multi-tiered security model that covers all technological aspects of the company. The security model and controls are based on international standards, including ISO/IEC 27001:2005 and ISO/IEC 27002, the standards for an information security management system (ISMS). Information security policies are published at: https://knowledge.exlibrisgroup.com/cross_product/security/policies

Security policies include:
- Cloud Security and Privacy
- Customer Appropriate Usage Statement
- Ex Libris Certified Third-Party Software and Security Patch Release Notes
- Ex Libris Cloud Services BCP
- Ex Libris New Third Party Software Evaluation and Plan
- Ex Libris Password Policy
- Ex Libris Security Incident Response Policy
- Ex-Libris Security Patches and Vulnerability Assessments Policy
- Welcome to the Ex Libris Cloud

8.4 - THIRD PARTY

There is no use of 3rd parties.

8.5 - USER RIGHTS

Ex Libris is considered a data processor for any data that a support engineer may be exposed to, even though Ex Libris, in its support processes, does not store any personal information. Therefore "User Rights" are the responsibility of the data controller for Aleph on premise implementations.

8.6 - CONSENT

User consent is managed by the data controller; therefore, it is the customer's responsibility to only allow access to the system for users who have expressed their consent for the relevant data processing.

8.7 - TRAINING & AWARENESS

Ex Libris runs privacy training as well as security awareness training. The privacy training incorporates GDPR-specific training, including Privacy by Design training.

8.8 - INCIDENT HANDLING

Ex Libris has developed and implemented incident response and notification procedures. These procedures include a breach notification policy and the involvement of the DPO in case of a data breach.

8.9 - PRIVACY BY DESIGN

Ex Libris has implemented Privacy by Design processes, which involve the DPO and address privacy concerns from the beginning of product development and through change management.

8.9.1 - Data minimization

There is an ongoing process for data minimization, by policy (see 8.2) and by infrastructure topology. Due to these limitations, no personal information is collected by Ex Libris.

8.9.2 - Data retention

Data retention rules are the responsibility of the data controllers, and should be defined by Ex Libris customers.