A Sample Security Policy
Somewhere Public Library Security Policy
The Somewhere Public Library local area network (herein referred to as "the SPL network" or "the network") is critical to the provision of information services to SPL staff and patrons. The SPL library automation system processes sensitive and valuable information. The addition of public access to the Internet within the library has increased the size, complexity, and management concerns related to the operation of the network. Specific security measures and procedures must be implemented to protect the confidentiality of information transactions being processed on the network and to keep critical systems operational. Because all citizens of Somewhere are encouraged to use the network for informational and educational needs, security risks have increased and more stringent practice in safeguarding resources is necessary than was required when simple standalone PCs were used. These expanding security requirements are addressed in the following network security policy.
This policy has two purposes. First, the policy will emphasize to all Somewhere Public Library employees and patrons the importance of network security in the library and their roles in maintaining that security. Second, the policy will assign specific responsibilities needed to secure networked information resources.
The SPL network security policy covers all electronic information resources in the library. It applies equally to network servers, workstations, both staff and public access, network equipment, telecommunications equipment, and peripherals, such as printers, within the library. The policy applies to all library users, managers, and administrators, including Library staff, patrons, contractors, and City staff utilizing the Library's network resources.
The SPL security program is designed to ensure the availability of networked resources and the integrity and confidentiality of data transmitted over and stored on the network. Specifically the goals of the program include:
Ensuring the library network has sufficient security measures applied to protect the integrity of its data, the privacy of information transactions, and the availability of its resources;
Ensuring the cost of the security measures implemented is commensurate with the risks present on the network;
Ensuring appropriate budgetary and technical support is available and maintained;
Training all users to be responsible for the security of data, information, and other computing resources to which they have access, and training staff to maintain accountability practices;
Enforcing policies and technical mechanisms which contribute to the auditability of network resources;
Providing sufficient guidance to library staff in the discharge of their responsibilities in network and information security;
Ensuring that all applicable organizational and departmental policies and procedures are applied and practiced;
Developing appropriate contingency or disaster recovery plans to provide continuity of operation for all critical functions of the network.
Responsibility for implementing and maintaining the Library's network security goals is divided among four specific groups. [The library may choose to create an optional, very detailed list of tasks and responsibilities; a procedures manual should also be developed as a result of this delineation of responsibilities. If so, add the following line here: Detailed responsibilities are presented separately in Network Security Responsibilities for the Somewhere Public Library.]
1. Library Management (LM; in most environments called Functional Management) - the library director, library board, and other library administration, if applicable, who have functional responsibility for the library. Library Management is responsible for informing staff about this policy, assuring that each person has a copy, and interacting with staff and volunteers on security issues.
2. Network Management (NM) - contract technical support persons or library staff involved in the technical support, management, and operation of the SPL network. Network Management must ensure the continued operation of the network and is responsible for implementing appropriate network security measures as indicated in this security policy.
3. Local Administrators (LA) - library staff responsible for ensuring that end users have access to needed network resources available through the library's servers or Internet access. Local administrators provide day-to-day maintenance of network security in accordance with this security policy. Local administrators are responsible for reporting observed breaches of security policy to network and library management.
4. End Users (U) - library staff, volunteers, and public users who have access to the SPL network. End users are responsible for using the network resources in accordance with the provisions of this security policy and the Library's acceptable use policy. All users of data and network services (such as the Internet) are responsible for complying with security policy established by library and network management and for reporting to management any actual or suspected breach of security.
When end users fail to comply with this policy, SPL information-while stored, processed or transmitted on the Somewhere Public Library network-may be exposed to the unacceptable risk of loss of confidentiality, integrity or availability. Violations of security guidelines and procedures established to support this policy will be brought to the attention of management for action and could result in disciplinary action up to and including termination of employment or termination of rights to use the network.
GENERAL POLICIES OF THE LAN
GP1. Every workstation and server shall have a designated local administrator who is responsible for maintaining the security of the computer. All end users of the system are responsible for following all policies and procedures in this policy and the acceptable use policy. SPL staff who manage workstations or servers shall be trained so they can follow all policies and procedures effectively.
GP2. Server security shall be exclusively controlled by one local administrator and network management. Access to server security mechanisms by all other staff, volunteers, or public users shall be considered unauthorized access.
GP3. The local administrator responsible for each workstation or server must ensure that all software installed on the system is approved for use and is licensed properly.
GP4. All software installation and updates shall be the responsibility of network management or the designated local administrator.
GP5. One local administrator shall be designated to oversee the backup of server and workstation hard drives.
GP6. Each staff member, volunteer, and contract worker will be assigned a unique USERID and initial password according to established procedure. Public users will use a generic USERID and password [note: or unique USERID and password if the policy is adjusted to allow it] to gain access to network resources. Users must not share or disclose unique USERIDs/passwords.
GP7. All users must be authenticated to the network before accessing network resources.
GP8. Use of network hardware or software such as traffic monitors/recorders and routers shall be restricted to network management or a designated local administrator.
GP9. Security training shall be integrated into existing library training programs such as orientation programs for new employees, volunteers, or patrons in the use of computers, software, and network information resources.
GP10. Incident logs and subsequent security reports must be generated and reviewed on a regular basis.
SPECIFIC RESPONSIBILITIES FOR ENSURING Somewhere Public Library LAN SECURITY
1. Users (Staff and Public)
Users are expected to be knowledgeable about and adhere to the Library's security and acceptable use policies. Users are ultimately responsible for their own behavior. User responsibilities include:
U1. Understanding and respecting relevant Federal and State laws, Somewhere Public Library policies and procedures, and other applicable security procedures and practices established for the Somewhere Public Library network.
U2. Using network resources in accordance with terms specified in the Library's acceptable use policy, and being aware of activities disallowed and the consequences of engaging in such unauthorized use.
U3. Being aware of privacy issues related to their use of network resources and protecting the confidentiality and integrity of their own information.
U4. Selecting and maintaining strong passwords as outlined in the Library's password policy. Specifically, users must not disclose unique USERIDs or passwords to others.
U5. Notifying a local administrator when security procedures are not followed-for example, when a previous user leaves a workstation without logging off or when passwords are written and left in open view.
U6. Notifying a local administrator or network management if a security violation or breach is observed or detected.
U7. Being familiar with how malicious or virus-infected software is distributed and observing practice that minimizes the risk of damage due to the introduction of such software.
U8. Reporting any signs of abnormal or suspicious activity to the local administrator.
U9. (Staff only) Ensuring that his/her workstation is left on as scheduled so the hard drive may be backed, according to the Library's backup policy.
2. Library Managers
Library managers, with guidance or direction from the parent agency, are responsible for developing and implementing effective security policy. They are ultimately responsible for ensuring that the objectives of library policy and individual responsibilities are clearly communicated to staff and end users and adequately followed. Specific responsibilities of library managers include:
FM1. Effectively analyzing potential security risks in order to formulate an appropriate security policy. This risk management requires:
identifying the assets to be protected
assessing potential vulnerabilities
analyzing the risk of exploitation
implementing cost-effective safeguards
FM2. Providing training, or at least written training materials, to all staff, volunteers, and patrons in the appropriate use of the network, awareness of the possible effects of misuse or unauthorized use of network resources, and the consequences of any unauthorized use.
FM3. Ensuring staff and patrons understand the danger of malicious software, how it is generally spread, and the technical controls used protect against it.
FM4. Informing local administrators and network management of the change in status of staff, volunteers, or contract workers [note: and any patrons who have unique USERIDs] who utilize the Somewhere Public Library network. This could include a position change (providing greater or more restricted access privileges) or termination of library employment.
3. Network Managers
Network management may include local staff or contracted support and is expected to implement and maintain security measures enforcing local security policies, to archive critical programs and data, and to control access and protect physical network facilities. Specifically, network management is responsible for:
NM1. Rigorously applying available security measures enforcing local security policies.
NM2. Advising library management on the effectiveness of the existing policies and technical considerations that may lead to improved practices.
NM3. Responsible for securing the local network and its borders with outside networks (e.g., city hall, the school district, or the Internet).
NM4. Responsible for responding to security breaches or violations in a timely and effective manner.
NM4.1. Notify local administrators if a break-in is in progress and assist other local administrators in responding to security violations.
NM4.2. Cooperate with local administrators in tracking/monitoring violators and assist in enforcement efforts.
NM5. Configuring audit logs and using network monitoring tools to aid in the detection of security violations.
NM6. Conducting timely audits of network server logs.
NM7. Remaining informed on outside policies and recommended practices and, when appropriate, informing library management of new developments.
NM8. Exercising the powers and privileges inherent in network administration with caution and discretion.
NM9. Identifying, recommending, installing, and configuring software providing:
monitoring of unauthorized activity
removal of malicious software
NM10. Developing procedures that allow users and local administrators to report security violations, and notifying library management and possibly outside agencies of any threats.
NM11. Promptly notifying designated personnel of all computer security incidents.
NM12. Providing assistance in tracking the source of malicious software or computer viruses and determining the extent of contamination.
NM13. Removing malicious software or viruses.
NM14. Conducting periodic audits to ensure proper security practices are followed.
NM15. Maintaining user privacy.
4. Local Administrators
Local administrators are local staff or volunteers who assist in the daily maintenance of security services and who support and enforce applicable security policies and procedures. Specifically, local administrators are responsible for:
LA1. Managing all users' access privileges to data and programs.
LA2. Monitoring security-related events and following up on any actual or suspected violations, where appropriate; notifying network management of reported security incidents and assisting in investigating them.
LA3. Maintaining and protecting server software, relevant files, and media using specified security mechanisms and procedures.
LA4. Overseeing the update of anti-virus signatures on all local workstations and servers and for scanning server hard drives regularly.
LA5. Assigning a unique USERID and initial password to new users according to established procedures.
LA6. Promptly notifying network management and library management of all computer security incidents;
LA6.1. Notify the network management if a break-in is in progress; assist other local administrators in responding to security violations.
LA6.2. Cooperate with network management in tracking violators and assisting in enforcement efforts.
LA7. Backing up all data on network servers and workstations according to established procedure.