EU General Data Protection Regulation (GDPR)
Ex Libris is committed to GDPR compliance. We have closely analyzed the requirements of the GDPR, and our engineering, product, security, and legal teams have been working to align our procedures, documentation, contracts, and services to support compliance with the GDPR. We also support our customers with their GDPR compliance journey with our strong foundation of certified security and privacy controls by design.
ISO 27701 Certified – Privacy Information Management System (PIMS)
ISO/IEC 27701:2019 is a data privacy extension to ISO 27001. ISO/IEC 27701 Privacy Information Management System (PIMS) is a standard that provides guidance for establishing, implementing, maintaining and continually improving a privacy information management system (PIMS).
Ex Libris complies with this standard and is ISO 27701 certified. This standard establishes privacy requirements and helps manage privacy risks related to personally identifiable information (PII), outlines a comprehensive set of operational controls that can be mapped to various regulations, and helps Ex Libris comply with GDPR as well as other data protection regulations.
The ISO 27701 was originally published in 2019, and Ex Libris has been certified since 2020.
ISO/IEC 27001 – Information Security Management
Ex Libris continues to seek out best practices and follow established industry standards. As new security standards and certifications become available, we review them and adopt those that are relevant to our customers and our environment.
Ex Libris is ISO 27001:2013 certified and undergoes a rigorous annual audit process to verify that Ex Libris complies with Information Security Management System (ISMS) security measures. The audit process is conducted by an independent third party audit firm and includes annual penetration testing.
ISO/IEC 27032 – Guidance for Cybersecurity
The ISO 27032:2012 is an international standard that provides guidance for improving the state of Cybersecurity in information security, network and internet security, and critical information infrastructure protection (CIIP). Ex Libris is the first in the library software industry to achieve ISO 27032:2012 certification, demonstrating the Ex Libris commitment to high security and infrastructure protection.
ISO/IEC 27018 – Protecting Personal Data in the Cloud
ISO 27018:2014 defines the controls and guidelines for implementing measures to protect Personally Identifiable Information (PII) in the public cloud computing environment.
Ex Libris has been ISO 27018:2014 certified since February 2016.
ISO/IEC 27017 – Security Controls for Cloud Services
ISO 27017:2015 defines the code of practice for information security controls based on ISO/IEC 27002 for cloud services.
Ex Libris has been ISO 27017:2015 certified since July 2018.
ISO/IEC 22301 – Business Continuity Management System
ISO 22301:2012 is an international standard that specifies requirements to plan, monitor, maintain and continually improve a documented business continuity management system.
Ex Libris is the first in the library software industry to achieve ISO 22301:2012 certification, demonstrating the Ex Libris commitment to high availability and business continuity.
FedRAMP (The Federal Risk and Authorization Management Program) – U.S. Government Data Standards
The U.S. Federal Government established the Federal Risk and Authorization Management Program (FedRAMP), a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services, in 2011. FedRAMP authorization ensures that cloud offerings meet the federal government’s stringent requirements, as verified by a third party.
Ex Libris has received FedRAMP Tailored Authorization. To learn more, read the press release.
Cloud Security Alliance – Security, Trust, and Assurance Registry (CSA STAR)
CSA STAR is a powerful program for security assurance in the cloud. The CSA STAR Self-Assessment documents the security controls provided by various cloud computing offerings, thereby helping users assess the security of cloud providers they currently use or are considering using. This information is publicly available, promoting industry transparency and providing customer visibility into specific provider security practices.
Service Organization Control (SOC 2) Reports
SOC 2 Reports focus on business’s non-financial reporting controls as they relate to security, availability, processing integrity, confidentiality, and privacy of a system, as defined by the American Institute of Certified Public Accountants (AICPA).
Data centers used by Ex Libris have been reviewed for SOC 2 controls. The audit is performed on an annual basis and the resulting report can be provided upon request.
Data Center Compliance
The Ex Libris private cloud strategy utilizes a colocation model whereby Ex Libris owns and manages all servers, storage, and network equipment while contracting with leading data center vendors to provide the actual data center facilities, including space, power, and cooling.
Below is a full list of certifications and standards achieved for each Ex Libris data center:
- United States (Equinix) data centers: ISO 27001, SOC 2 Type 2, SOC 1 Type 2
- Canada (Cyxtera) data center: ISO 27001, SOC 1 Type 2, SOC 2 Type 2
- Europe (Equinix) data center: ISO 27001, ISO 9001, SOC 1 Type 2, SOC 2 Type 2
- Europe (Digital Realty) data center: ISO 27001, ISO 9001, SOC 1 Type 2, SOC 2 Type 2, SOC 3
- China (21vianet) data center: ISO 27001, ISO 22301
- Singapore (Equinix) data center: ISO 27001, SOC 2 Type 2 and SOC 1 Type 2
- Australia (Equinix) data center: ISO 27001, SOC 2 Type 2 and SOC 1 Type 2
Ex Libris is committed to making our services accessible. Ex Libris cloud service accessibility is based on the Web Content Accessibility Guidelines (WCAG) 2.0, which define how to make web content more accessible for people with disabilities. To this end, Ex Libris completes and updates Voluntary Product Accessibility Templates (VPATs) for relevant Ex Libris services to document conformance with these accessibility standards.