Use of The Information Services’ Electronic Journals Service Code of Practice
Introduction
This code of practice is intended to support the Information Security Policy of the University and should be read in conjunction with this document.
http://www.ed.ac.uk/schools-departments/information-services/about/policies-and-regulations/security-policies/security-policy
This code of practice is also qualified by The University of Edinburgh computing regulations, found at:
http://www.ed.ac.uk/schools-departments/information-services/about/policies-and-regulations
1. Code of Practice Version
Revision Date | CoP Version | Template Version | Author | Notes
14/09/2012 | 0.1 | 1.4 | Colin Watt | Initial version
20/10/2014 | 0.2 | 1.4 | Colin Watt | Review

QA Date | QA Process | Notes
17/09/2012 | Review by Liz Stevenson L&C |
14 Nov 2012 | Accepted by the IT Security WP |
12 Nov 2014 | Review by Liz Stevenson L&UC |
20 Nov 2014 | Submitted to IT Security WP |
15 Dec 2014 | Approved by ITC Security Working Group |

Suggested date for Revision of the CoP | Author
01/09/13 | Colin Watt
01/07/15 | IS - L&UC
2. System description
Revision Date | System Version | Author | Notes
14/09/2012 | | Colin Watt | Initial version
20/10/2014 | | Colin Watt | Review
2.1 System name
Electronic Journals service.
2.2 Description of System
The Electronic Journals service is based on Ex Libris’s SFX product. SFX is an OpenURL link resolver which enables linking from abstracting and indexing databases (e.g. Web of Science) to library targets such as academic journals, facilitating access to full text resources.
2.3 Data
SFX does not store or pass on any high risk user data.
2.4 Components
The system comprises:
-A-Z e-journals list
-SFX knowledge base
-Admin interface
2.5 System owner
The system is owned and managed by the Electronic Resources team in the Library & Collections division of Information Services. The primary contact is Liz Stevenson.
2.6 User base
SFX is available on and off campus via EASE.
SFX provides a gateway to access e-journals, most of which are acquired under licence, for use by staff and students of the University of Edinburgh, as well as accredited visitors and walk-in users, as appropriate. Material can be used for private study and research only; there should not be any commercial purpose, and any systematic downloading and printing is prohibited. Use is subject to the terms of the suppliers' licence agreements, and is also covered by the University Computing Regulations.
2.7 Criticality
High
2.8 Disaster recovery status
Ex Libris carries out disaster planning as part of its cloud based SFX hosting service.
3. User responsibilities
3.1 Data
SFX does not store or pass on any high risk user data.
3.2 Usernames and passwords
Access to resources is via EASE (see EASE Code of Practice).
3.3 Physical security
Users should log out when finished using resources.
3.4 Remote/mobile working
The policy for mobile working is similar to the guidelines set out in ‘Physical Security’ but is replicated here for completeness. With regard to remote working, it should be noted that when using their own equipment users should ensure that their computer is clean of viruses and other malware. A common method of compromising passwords is for viruses or malicious downloads/web sites to install a keylogger that captures keystrokes as they are typed. It is therefore important to install and maintain adequate virus and malware protection software appropriate to the platform in use.
3.5 Downloads and removal of data from premises
Systematic download of content from electronic journals is prohibited. The risk of failure to comply is that a publisher will withdraw service, so it is important to follow the agreed procedures, and to keep the suppliers informed. There is also reputational risk, should this arise.
3.6 Authorisation and access control
Access to resources is via EZproxy and EASE (see EZproxy and EASE Codes of Practice). New users of the University are entitled to create an EASE account.
Users accessing e-journals via SFX are required to log in via EASE, both on and off campus. Authorised users can also access e-journals on campus, or via the VPN, using IP authentication only. Use of resources is monitored by suppliers, and if any inappropriate or systematic downloading is suspected, the University is informed and we are asked to investigate and take corrective action if required. Notifications come to the E-Resources Team, and are passed to ITI via Unidesk. In some cases it is necessary to contact the user concerned, if only to establish the facts, but this is not always required.
3.7 Competencies
Users of SFX are expected to have a basic working knowledge of computers and the particular operating system, PC or device they are using. They should be familiar with the concepts of choosing a strong password and logging on and off from a computer network, and an understanding of the risks of virus/malware infection is expected.
4. System Owner Responsibilities
4.1 Competencies
The Library & University Collection’s Electronic Resources Team owns the SFX Service. It is one of this team’s primary functions to specialise in providing access to the library’s online resources and ensure team members have sufficient knowledge and understanding of the concepts, tools, processes, internal operation and security of service to deliver and support an electronic journals service that is highly tailored to the University’s needs.
4.2 Operations
Authorised staff carry out regular updates to the knowledge base, to ensure currency of information about e-journal availability.
Authorised staff run reports to monitor data coverage, usage statistics, and to derive files of MARC21 records for the Voyager catalogue database.
Authorised staff can make adjustments to the interface.
4.3 System documentation
System documentation is kept up to date by Ex Libris and available from their documentation centre:
4.4 Segregation of Duties
-All operating system updates and security patches are carried out by Ex Libris
-All system backups are carried out by Ex Libris
-All SFX knowledge base updates are carried out by Ex Libris
-All updates to target resources made available are made by L&UC’s Electronic Resources section.
4.5 Security incidents
On discovery of a security incident the Electronic Resources Team should be contacted via the team Unidesk queue, by logging with the IS Helpline. The Electronic Resources Team will initially investigate and will escalate as appropriate to the Incident Response Team and ITI-Unix.
4.6 Fault/problem reporting
Faults and problem reporting should be via the team Unidesk queue, by logging with the IS Helpline.
4.7 Systems development
5. System Management
5.1 User account management
User accounts are managed by Ex Libris.
5.2 Access control
Administrative level access is provided to specific IP addresses within UoE by Ex Libris.
5.3 Access monitoring
Access to the electronic journals service is recorded via logs which are monitored and investigated in the case of reported abuse of the service.
5.4 Change control
There are a limited number of system parameters which can be altered via the admin interface, which is available to a small number of IS staff. All changes are subject to authorisation by the Electronic Resources Team and in consultation with ITI-Unix.
Changes to the resources made available via EZproxy are subject to authorisation by the Electronic Resources Team.
5.5 Systems clock synchronisation
The systems clock is synchronised according to Ex Libris’s hosting platform policy.
5.6 Network management
There are no restrictions to the hosted SFX system.
5.7 Business continuity
Business continuity is subject to Ex Libris’s cloud hosting platform availability; however, in the case of failure, most target resources can still be accessed by visiting the publisher’s resources directly, and supporting information is provided to users to help them.
5.8 Security Control
Access to the SFX platform is subject to Ex Libris’s cloud service
6. Third Party
6.1 Outsourcing
The hosting of the service is outsourced to the supplier, Ex Libris.
6.2 Contracts and Agreements
UoE has an agreement with Ex Libris for the hosting service provided. The agreement is reviewed annually and can be cancelled subject to a minimum notice period.
6.3 Compliance with the university security policy
A supplier such as Ex Libris is made aware of the University security policy as part of any negotiation or purchase of a new service. Any breach of security policy would be escalated and fully considered when a decision is made to renew the annual service subscription.
6.4 Personal data
No personal data relating to users is stored by the third party.