Security

Safety Improves Usability

The confidentiality, integrity, and availability of our clients’ data is a top priority for SirsiDynix, as your patrons are more likely to use your services if they feel their data is secure.  Your success is our success.  The SirsiDynix Information Security Program has been developed with this in mind, using overlapping layers of security, continuous monitoring, and an agile model to protect data while adapting to the ever-changing world in which we live.

The entirety of the SirsiDynix Information Security Program is based around the pillars of management commitment, comprehensive risk assessments, creation of appropriate policies and procedures, accreditation of security controls by applicable client security officers, and monitoring and enforcement of those controls—assisted by regular external audits. SirsiDynix is the clear choice for those who care about security.

The Industry Leader

SirsiDynix is the worldwide industry leader in library automation technologies, and for more than 30 years libraries have used SirsiDynix technologies to enhance their communities through the power of their collections. As such, SirsiDynix recognizes the importance to clients of data privacy and protection of intellectual property and is leading the drive toward better, more secure products and services. SirsiDynix is a U.S.-based operation, yet the company serves many international clients and special compliance requirements apply. These requirements are incorporated into each of the program components outlined below, building upon existing security controls where necessary.

A Holistic View

Organizations too often view technological security in isolation from other critical components of the overall security posture; this is not the case with SirsiDynix. Built upon the standards set forth in the U.S. National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53 – Recommended Security Controls for Federal Information Systems and Organizations, the SirsiDynix Information Security Program has been designed with a holistic view of security, encompassing operational, technical, and physical control families.

In addition to compliance with the stringent U.S. NIST SP 800-53 security standards, SirsiDynix has also aligned its controls with the International Organization for Standardization (ISO) 27000 Series for international standardization.

Access Control, Monitoring, and Identity Management

• Internal user identification and authentication provided through sophisticated Virtual Directory Service (VDS)
• External user identification and authentication control via a number of available technologies, including Virtual Private Network (VPN), Secure Socket Layer (SSL)/Transport Layer Security (TLS), Secure Shell (SSH), Citrix, and Simple IP restriction
• Support for client communication and authentication technologies, including Session Interchange Protocol (SIP), NISO Circulation Interchange Protocol (NCIP), Z39.50 Database Access Protocol, Lightweight Directory Access Protocol (LDAP), and Central Authentication Service (CAS)
• Network protection devices updated using the latest definitions for malicious code detection technologies as soon as these are available
• Real-time monitoring and notification system alerts response personnel immediately upon detection of security related events via a range of notification options for 24×7 event coverage
• System design separates user functionality—including user interface services—from information system management functionality
• SirsiDynix load balancers protect against the effects of Denial of Service (DoS) attacks   and limits the use of resources on individual systems by priority to enhance effective operations
• SirsiDynix network control devices monitor and control all communications at SirsiDynix network perimeters, and security officers allow connection to external networks or systems only through managed interfaces consisting of boundary protection devices
• Publicly accessible information system components are physically allocated to separate sub-networks with separate network interfaces and public access to internal networks is prevented if not through managed and approved mechanisms
• The number of network access points is limited to the minimum necessary

Development, Configuration/Change Management, Bug Fixes, and Maintenance

• Security advocates [advocates/advisors/monitors] assigned in each development team to perform internal testing at intermediate stages
• Specific security testing performed against all software prior to release using continuously updated tools hosted by an industry leading third party security entity
• Interdepartmental and departmental Change Management Plans (CMPs) ensure no unauthorized or untested changes occur
• Production system access stringently restricted to individuals authorized by the department security officers, with all maintenance conducted under officers’ supervision—via real-time technical observation through remote connection for all third party maintenance and with additional video feed for onsite third party maintenance
• SirsiDynix policies and procedures enforced by security officers require the continuous identification, reporting, and correction of information system flaws, as can be reviewed on the SirsiDynix Known Issue Tracker database made available to clients

Contingency Planning/Disaster Recovery

• Timely media backup processes at each data center, with live restoration copies maintained onsite
• Skilled disaster recovery team works closely with applicable third parties to prepare for disaster scenarios and maintain a comprehensive Disaster Recovery Plan (DRP)
• Secure data backup transportation and storage provided by industry leading provider
• Disaster recovery procedures tested to verify projected recovery times and ability to fully reconstitute client data

​Incident Response

• Experienced incident response team available 24×7
• Communications plan configured for rapid client notification
• Personnel highly trained in their roles using the detailed Incident Response Plan (IRP) in preparation for foreseeable and newly developed attack vectors
• Incident response team is highly skilled in forensic evidence collection and legal chain of custody, having previously worked for United States federal agencies

Physical, Environmental, Removable Media Protection

• 24-hour manned security and video surveillance throughout SirsiDynix facilities
• Photo-printed, proximity-activated key cards for access restriction
• Computing equipment operates from secured cages or hard-walled suites for added security
• Redundant Power Distribution Units (PDUs) and Uninterruptible Power Supplies (UPSs) and/or backup generators with fuel storage counteract effects of power interruptions
• Strategically positioned fire extinguishing devices/systems, fire and smoke sensors, and alarms throughout each facility
• Humidity and temperature control, leak detectors to prevent water damage to systems, with raised flooring where possible for improved air circulation

​Personnel Security, Awareness and Training

• All SirsiDynix employees and contracted personnel required to be vetted via criminal background checks, input from references, and employment history verification at a level appropriate for their access to sensitive information prior to the granting of such access
• The need for SirsiDynix employees and contracted personnel access to sensitive information is regularly reviewed by security officers and revised as necessary
• Employment termination procedures in the Personnel Security Plan (PSP) designed to minimize risk exposure to SirsiDynix clients and resources during the termination process
• The SirsiDynix Security Awareness and Training Program requires every contracted individual to complete an annual security education course and successfully pass the associated comprehension examination in order to continue employment

Risk Assessments, Security Assessments, Accreditation, and Compliance

• Privacy Impact Assessments (PIAs) performed according to the standards of the U.S. Department of Homeland Security (DHS) Privacy Impact Assessment Official Guidance, and according to the policies found in M-03-22, OMB Guidance for Implementing the Privacy Provisions of the E-Government Act of 2002 for every system prior to moving to production, with periodic reevaluation
• Risk assessments performed prior to system promotion to production and during periodic reevaluation according to the comprehensive standards set forth in U.S. National Institute of Standards and Technology (NIST) Special Publication (SP) 800-30 –Guide for Conducting Risk Assessments
• Accreditation of security controls by clients or applicable government agencies according to U.S. NIST SP 800-53, including third party audits and Plan of Action and Milestones (POA&M) management
• Security controls aligned with the International Organization for Standardization (ISO) 27000 Series for international standardization
• TRUSTe-accredited privacy policy (http://www.sirsidynix.com/privacy) ensures only necessary data is collected, securely handled, stored, and properly destroyed by SirsiDynix
• Information may only be obtained by third parties through legal processes such as search warrants, court orders, subpoenas, through a statutory exemption, or through user consent

System and Services Acquisition

• All third party equipment and services are vetted by security officers prior to implementation, including contract review, component inspection, access control, and network traffic monitoring
• Third party access/data transfer agreements are restricted to only that data necessary to perform contracted services
• Third parties are required to adhere to the security control specifications in the SirsiDynix Corporate Security Policy (CSP), and third party security performance is regularly reviewed by security officers