Information security is defined as the administrative, technical, or physical safeguards the Library uses to access, collect, distribute, process, protect, store, use, transmit, dispose of, or otherwise handle personal information. The Library has a responsibility to ensure that the accessing, handling, sharing and disposing of Confidential Personal Information (CPI) data complies with Ohio Revised Code Chapter 1347 and the CLC Security Policy. Within the Credit Cardholder Data Environment, the Library will also comply with the latest revision of the Payment Card Industry Data Security Standards (PCI DSS).
Collection of Confidential Personal Information (CPI)
The collection of CPI data is used to enable member libraries to enforce policies and provide services to library patrons. The Library adheres to the Central Library Consortium (CLC) Security Practice Rules; Collection of Confidential Personal Information to determine what information is gathered from patrons.
In addition to the CPI data outlined in the CLC Security Practice Rules, the Library also collects the following personal information:
- Details about questions asked using an electronic medium, including but not limited to: the library website, the library's email address or using the text a librarian service.
- Details about purchase requests submitted using an electronic medium, including but not limited to: the library website, the library's email address or using the text a librarian service.
To ensure updated contact information for both patrons and staff, verification of CPI data will be requested no less than every 3 years. This update may be done internally or via an outside vendor specializing in data verification.
Roles and Responsibilities
The Director of Technology Services and Network Administrator will be designated to oversee the Library's Information Security Program. They will address potential internal and external risks to the security, confidentiality, and integrity of personal information that could result in a compromise as follows:
- CPI Data Deliberately or Inadvertently Given to Someone via Library Staff:
Risk is addressed through employee training and management. Upon employment, employees will be informed of information security policies. Refreshers in Information Security training and policies will be conducted according to the Central Library Consortium (CLC) Security Practice Rules; Security Calendar.
Disciplinary action up to and including termination may be applied when a breach of confidentiality in regard to CPI data is discovered. The Library may also file criminal charges or pursue civil damages to full extent provided by the law.
- Access to Personal Information via a Staff Computer:
Prior to employment, all potential candidates are subject to a criminal background check. When applying for a promotion within the library, current employees are also subject to a criminal background check. Volunteers who access library staff computers are also subject to a criminal background check. Employment applications and background checks will be stored according to the Retention and Disposal of Records Policy and Procedure. Any criminal activity related to identity theft or similar crimes will be justification to refuse employment, promotion or volunteer appointment.
Staff and volunteer accounts will be assigned according to the guidelines in the Central Library Consortium (CLC) Security Practice Rules; Accessing Confidential Personal Information section. Staff and volunteer access will be removed according to the Central Library Consortium (CLC) Security Practice Rules; Account Decommissioning guidelines.
Under no circumstances shall patrons be allowed access to staff terminals.
Physical Security Guidelines
The Library addresses this risk by adhering to the Central Library Consortium (CLC) Security Practice Rules; Physical Security Guidelines section.
In addition to the devices listed in the Physical Security Guidelines in the CLC Security Practice Rules, the Library also takes steps to protect the physical security of these devices:
- Access logs on SelfCKO machines
- Access logs on PC Management devices
- Access to CPI data Via an Outside Computer (Hackers) or Other Outside Source:
The Library addresses this risk by adhering to the Central Library Consortium (CLC) Security Practice Rules; Network Security Guidelines section.
- Outside Service Providers:
The Library will only contract with outside service providers who are capable of maintaining appropriate safeguards for CPI data as defined by the Central Library Consortium (CLC) Security Practice Rules; Vendor Compliance section.
Security Incident Response
Upon real or suspected information leaks or intrusions, the Library will follow the steps in the Central Library Consortium (CLC); Security Incident Response Plan.
In addition to the Network Security Guidelines in the CLC Security Practice Rules, the Library also follows these Network Security Guidelines:
- WPA2 with a pre-shared key is used to protect data transmission on all WiFi networks.
- The Library posts appropriate warnings about sharing confidential information over the open public WiFi connection.
Disposal of media containing CPI data
The Library will ensure that any media that contained CPI data (either staff or patron data) will be destroyed according to the Central Library Consortium (CLC) Security Practice Rules; Disposal of Confidential Personal Information section.
Leased equipment which may store confidential information will require contracts which establish the right of the Library to retain the hard drive upon return of the equipment at the end of the lease period.