Use of The Information Services Electronic Journals Service Code of Practice

Transcription

1 Use of The Information Services Electronic Journals Service Code of Practice Introduction This code of practice is intended to support the Information Security Policy of the University and should be read in conjunction with this document. This code of practice is also qualified by The University of Edinburgh computing regulations, found at: 1. Code of Practice Version Revision Date CoP Template Author Notes Version Version 14/09/ Colin Watt Initial version 20/10/ Colin Watt Review QA Date QA Process Notes 17/09/2012 Review by Liz Stevenson L&C 14 Nov 2012 Accepted by the IT Security WP 12 Nov 2014 Review by Liz Stevenson L&UC 20 Nov 2014 Submitted to IT Security WP 15 Dec 2014 Approved by ITC Security Working Group Suggested date for Revision of the CoP Author 01/09/13 Colin Watt 01/07/15 IS - L&UC Electronic Journals Code of Practice v0.2 1

2 2. System description Revision Date System Author Notes Version 14/09/2012 Colin Watt Initial version 20/10/2014 Colin Watt Review 2.1 System name Electronic Journals service. 2.2 Description of System The Electronic Journals service is based on Ex Libris s SFX product. SFX is an OpenURL link resolver which enables linking from abstracting and indexing databases (eg Web of Science) to library targets such as academic journals, facilitating access to full text resources. 2.3 Data SFX does not store or pass on any high risk user data. 2.4 Components The system comprises: - A-Z e-journals list - SFX knowledge base - Admin interface 2.5 System owner The system is owned and managed by the Electronic Resources team in the Library & Collections division of Information Services. The primary contact is Liz Stevenson. 2.6 User base SFX is available on and off campus via EASE. SFX provides a gateway to access e-journals, most of which are acquired under licence, for use by staff and students of the University of Edinburgh, as well as accredited visitors and walk in users, as appropriate. Material can be used for private study and research only, there should not be any commercial purpose, and any systematic downloading and printing is prohibited. Use is subject to the terms of the suppliers' licence agreements, and is also covered by the University Computing Regulations. 2.7 Criticality High 2.8 Disaster recovery status Ex Libris carries out disaster planning as part of its cloud based SFX hosting service. Electronic Journals Code of Practice v0.2 2

3 3. User responsibilities 3.1 Data SFX does not store or pass on any high risk user data. 3.2 Usernames and passwords Access to resources is via EASE (See EASE code of Practice). 3.3 Physical security Users should logout when finished using resources. 3.4 Remote/mobile working 3.5 Downloads and removal of data from premises 3.6 Authorisation and access control The policy for mobile working is similar to the guidelines set out in Physical Security but is replicated here for completeness. With regard to remote working it should be noted that when using their own equipment users should ensure that their computer is clean of viruses and other malware. Common methods of compromising passwords are for viruses or malicious downloads/web sites to install a keylogger that captures keystrokes as they are typed. It is therefore important to install and maintain adequate virus and malware protection software appropriate to the platform in use. Systematic download of content from electronic journals is prohibited. The risks of failure to comply are that a publisher will withdraw service, so it is important to follow the agreed procedures, and to keep the suppliers informed. There is also reputational risk, should this arise. Access to resources is via EZproxy and EASE (See EZproxy and EASE codes of Practice). News users of the University are entitled to create an EASE account. Users accessing ejournals via SFX are required to login via EASE, both on and off campus. Authorised users can also access e-journals on campus, or via the VPN, using ip authentication only. Use of resources is monitored by suppliers, and if any inappropriate or systematic downloading is suspected, the University is informed and we are asked to investigate and take corrective action if required. Notifications come to the E-Resources Team, and are passed to ITI via unidesk. In some cases it is necessary to contact the user concerned, if only to establish the facts, but this is not always required. 3.7 Competencies Users of SFX are expected to have a basic working knowledge of computers and the particular operating system, PC or device they are using. They should be familiar with the concepts of choosing a strong password, logging on and off from a computer network and an understanding of the risks of virus/malware infection is expected. AITKEN Karen 7/11/ :12 Comment [1]: typo Electronic Journals Code of Practice v0.2 3

4 4. System Owner Responsibilities 4.1 Competencies The Library & University Collection s Electronic Resources Team owns the SFX Service. It is one of this team s primary functions to specialise in providing access to the library s online resources and ensure team members have sufficient knowledge and understanding of the concepts, tools, processes, internal operation and security of service to deliver and support an electronic journals service that is highly tailored to the University s needs. 4.2 Operations Authorised staff carry out regular updates to the knowledge base, to ensure currency of information about e-journal availability. Authorised staff run reports to monitor data coverage, usage statistics, and to derive files of MARC21 records for the Voyager catalogue database. Authorised staff can make adjustments to the interface. 4.3 System System documentation is kept up to date by Ex Libris and available documentation 4.4 Segregation of Duties from their documentation centre: - All operating system updates and security patches are carried out by Ex Libris - All system backups are carried out by Ex Libris - All SFX knowledge base updates are carried out by Ex Libris - All updates to target resources made available are made by L&UC s Electronic Resources section. 4.5 Security incidents On discovery of a security incident the Electronic Resources Team should be contacted via the team Unidesk queue, by logging with the IS Helpline. The Electronic Resources Team will initially investigate and will escalate as appropriate to the Incident Response Team and ITI-Unix. 4.6 Fault/problem reporting 4.7 Systems development Faults and problem reporting should be via the team Unidesk queue, by logging with the IS Helpline. All systems development is carried out by the supplier, Ex Libris. Electronic Journals Code of Practice v0.2 4

5 5. System Management 5.1 User account User accounts are managed by Ex Libris. management 5.2 Access control Administrative level access is provided to specific IP addresses within UoE by Ex Libris. 5.3 Access monitoring Access to the electronic journals service is recorded via logs which are monitored and investigated in the case of reported abuse of the service. 5.4 Change control There are a limited number of system parameters which can be altered via the admin interface, which is available to a small number of IS staff. All changes are subject to authorisation by the Electronic Resources Team and in consultation with ITI-Unix. 5.5 Systems clock synchronisation 5.6 Network management Changes to the resources made available via EZproxy are subject to authorisation by the Electronic Resources Team. The systems clock is synchronised according to Ex Libris s hosting platform policy. There are no restrictions to the hosted SFX system. 5.7 Business continuity Business continuity is subject to Ex Libris s cloud hosting platform availability, however in the case of failure, most target resources can still be accessed by visiting the publisher s resources directly, and supporting information is provided to users to help them. 5.8 Security Control Access to the SFX platform is subject to Ex Libris s cloud service security policies. Electronic Journals Code of Practice v0.2 5

6 6. Third Party 6.1 Outsourcing The hosting of the service is outsourced to the supplier, Ex Libris. 6.2 Contracts and Agreements 6.3 Compliance with the university security policy UoE has an agreement with Ex Libris for the hosting service provided. The agreement is reviewed annually and can be cancelled subject to a minimum notice period. A supplier such as Ex Libris is made aware of the University security policy as part of any negotiation or purchase of a new service. Any breach of security policy would be escalated and fully considered when a decision is made to renew the annual service subscription. 6.4 Personal data No personal data relating to users is stored by the third party. Electronic Journals Code of Practice v0.2 6