Effective date
Purpose and Scope
This policy defines the mandatory minimum information security requirements for Worthington Libraries. The purpose of this policy is to safeguard the physical and digital assets, personal data and privacy of library patrons and staff who access the library's public or private networks.
Cybersecurity Roles and Responsibilities
- The director/CEO or their designee is the designated official responsible for overseeing cybersecurity at Worthington Libraries. The role will be defined as the Cybersecurity Lead for purposes of this policy. Unless stated otherwise, the Cybersecurity Lead will be responsible for ensuring organizational compliance and coordinating the necessary activities to comply with this policy.
- The systems administrator is responsible for the technical implementation of security controls and leading response efforts for suspected security incidents.
- All employees are responsible for understanding and adhering to established security protocols, reporting suspected security incidents to technology staff, and completing the required awareness training.
- Completion of required training is coordinated by the staff development coordinator.
Annual Policy Review
The Cybersecurity Policy must be reviewed at least once per year and updated as required.
Data Protection and Privacy
See the Network Security Policy for policy regarding the handling of CPI (Confidential Personal Information) data.
Data Classification and Protection
See the Records Retention Policy for policy regarding records retention.
Cybersecurity Awareness and Training
All employees are required to complete cybersecurity awareness training at least once per year, relevant to their role.
Asset Inventory
An inventory of all enterprise technology assets (computers, servers, network equipment, mobile devices, IoT devices, etc.) and software assets (operating systems and applications) must be maintained.
Vulnerability and Patch Management
Computer systems, software, and other assets must be kept up to date with security patches, in accordance with industry-accepted frequencies and procedures, such as those outlined in the Critical Security Controls® from the Center for Internet Security (CIS Critical Controls). It is expected that vulnerability remediation practices will generally align with manufacturer recommendations based on severity.
Password Management
Staff are required to adhere to network password requirements set by the CLC (Central Library Consortium), as well as in accordance with the CIS Critical Controls. Interactive passwords shall adhere to the following rules:
- Length: At least 14 characters without MFA or 8 characters with MFA.
- Composition: At least 1 non-alphanumeric character.
- Expiration: Immediately upon triggering events, with a one-year backstop.
- Lockout: After 5 failed attempts, with a reset required after 10.
Third-party passwords must be stored only in library approved password management systems and will be limited only to those staff who require access to accomplish assigned tasks.
Anti-Malware Protection
Anti-malware (antivirus) software must be installed and active on all computers and devices. Public computers have a system restore utility installed in addition to anti-malware software for additional security and to prevent the retention of personal data. Anti-malware logs are reviewed for anomalies.
Network Security Controls
Secure Access and Remote Connectivity
- Network firewalls are used on all patron and staff Internet connections.
- Intrusion protection systems must be enabled on compatible network firewalls to detect and block known exploits.
- Network firewall logs are reviewed weekly for anomalies.
- An encrypted VPN is required to access the library network remotely.
- Remote VPN access is limited to staff accounts that need it, as determined by the director.
- All remote connections must be made through approved points-of-entry (VPN).
- MFA (Multi-Factor Authentication) is mandatory to establish a VPN connection.
- Staff Wi-Fi networks are encrypted with at least WPA3.
- Patron Wi-Fi networks are encrypted with at least WPA2.
- Due to the nature of open and free Wi-Fi, patrons should not expect complete information privacy when using the library's public network. See the Wireless Network Access Policy for policy regarding patron security expectations on the public network.
Account Security
- Supervisors, administrators, and technology staff must authenticate network logins with an authentication token in addition to a password.
- Hardware and software tokens used to authenticate a person must be treated as confidential and protected appropriately.
- Tokens must not be stored on paper, in the browser, or in an electronic file unless they can be stored securely using a sanctioned password vault.
- Access privileges will be granted in accordance with the employee's role and will be limited only to those necessary to accomplish assigned tasks.
- Access privileges must be assigned in accordance with least privilege principles.
- Automated session controls must be implemented to lock sessions and require re-authentication after a period of inactivity for any system where authentication is required.
- Human resources staff are responsible for initiating onboarding/offboarding procedures and defining the user access groups that are assigned via job title.
- Technology staff are responsible for executing onboarding/offboarding procedures, ensuring proper user group assignment, and managing user account access in the event of a cybersecurity incident.
- Onboarding is automated and role-based access control is in place to assign user access groups based on job title.
- Upon an employee's departure, human resources staff must trigger a termination request. Technology staff are responsible for immediately disabling all network access to the terminated employee's account on their day of departure and retaining any data at the request of the terminated employee's supervisor.
Physical Security Controls
On-site enterprise networking systems and servers are secured behind badge-accessible rooms with no public access and limited-scope staff access. Some networking systems and servers are located at the SOCC (State of Ohio Computer Center), which requires technology staff and a representative from OPLIN (Ohio Public Library Information Network) to be present for access.
Cybersecurity Incident Response
- All observed or suspected information security incidents or weaknesses are to be reported to the systems administrator, computer systems analyst, or director of public services as quickly and urgently as possible.
- The systems administrator must notify the director of public services and director/CEO of any cybersecurity incident. Breaches that qualify as significant must be reported according to the Ohio Revised Code to the Ohio Cyber Integration Center and the Ohio Auditor of State.
