OCLC's Commitment to Secure Library Services

Safeguarding your data while sharing your collections

OCLC understands that the confidentiality, integrity, and availability of our members' information are vital to their business operations and our own success. We use a multi-layered approach to protect key information by constantly monitoring and improving our applications, systems, and processes to meet the growing demands and challenges of dynamic security threats. In recognition of our security efforts, OCLC has met and received registration for ISO 27001 security standards, is Cyber Essentials scheme certified and CSA STAR registered.

Information Security and Enterprise Risk Management

  • Implemented an Information Security Management System in accordance with ISO/IEC 27001:2013
  • Professional staff of certified information security and information technology professionals and a full-time dedicated specialist in Disaster Recovery

Physical and Environmental Controls

  • 24-hour staffed security
  • Restricted access via proximity cards
  • Computing equipment in access-controlled areas
  • Video surveillance throughout facility and perimeter
  • Humidity and temperature control
  • Raised flooring to facilitate continuous air circulation
  • Underground utility power feed
  • Uninterruptible power systems (UPS)
  • Redundant power distribution units (PDUs)
  • Diesel generators with on-site diesel fuel storage
  • Smoke and fire detection sensors throughout the data centers
  • The Dublin Service Delivery Center (DSDC) is protected by a Halon system with sufficient reserves for multiple discharges
  • The Columbus Service Delivery Center (CSDC) is protected by a DuPont FM-200 fire suppression system
  • The data centers are also protected by wet-pipe sprinkler systems
  • There are fire extinguishers maintained throughout the DSDC and CSDC

Logical Access Controls

  • User identification and access management
    • Connections to patron data via TLS 1.1 and 1.2, using global step-up certificates from Thawte, ensuring that our users have a secure connection from their browsers to our service
    • Individual user sessions are identified and re-verified with each transaction, using XML-encrypted security assertions via SAML 2.0
    • Depending on the specific services utilized

Operational Security Controls

  • Connected to the Internet via redundant, diversely routed links from multiple Internet Service Providers served from multiple telecommunication provider Points of Presence
  • Perimeter firewalls and edge routers block unused protocols
  • Internal firewalls segregate traffic between the application and database tiers
  • Load balancers provide proxies for internal traffic
  • OCLC uses a variety of methods to prevent, detect, and eradicate malware
  • Third-party independent security assessments are also periodically conducted
  • All data are backed up to tape at each data center
  • The backups are cloned over secure links to a secure tape archive
  • Tapes are transported offsite and are securely destroyed when retired
  • OCLC's Information Security staff monitors notification from various sources and alerts from internal systems to identify and manage threats

Systems Development and Maintenance

  • OCLC tests code for security vulnerabilities before release, and regularly scans our network and systems for vulnerabilities
  • Network vulnerability assessments
  • Selected penetration testing and code review
  • Security control framework review and testing

Business Continuity and Disaster Recovery

  • The OCLC service performs real-time replication to disk at each data center, and near real-time data replication between the production data center and the disaster recovery site
  • Sensitive data are transmitted across dedicated links
  • Disaster recovery tests verify our projected recovery times and the integrity of the customer data

Incident Response, Notification, and Remediation

  • Incident management process for security events that may affect the confidentiality, integrity, or availability of its systems or data
  • Information Security Team is trained in forensics and handling evidence in preparation for an event, including the use of third party and proprietary tools


  • Information can only be obtained by third parties through legal processes such as search warrants, court orders, subpoenas, through a statutory exemption, or through user consent
  • OCLC maintains a strong privacy statement to help protect customer and patron data.

OCLC's services meet or exceed the recommendations of the Gartner Group1 (Table 1.) and the Cloud Security Alliance's "Security Guidance for Critical Areas of Focus in Cloud Computing."

Table 1. Gartner: Seven Cloud-Computing Security Risks

Gartner Recommendations OCLC Microsoft

Cloud (BPOS)
Google Apps

Privileged user access control X X X
Regulatory compliance X X X
Data location X X X (no disclosure)
Data segregation X X X
Recovery X X X
Investigative support X X X
Long-term viability X X X

1 Jay Heiser and Mark Nicolett. "Assessing the Security Risks of Cloud Computing." Gartner Group. 3 June 2008