In this portion of the manual, we turn our focus from the management aspects of network security to actual security measures to be implemented. As a manager, your interest will be in understanding how these impact your library's network security rather than in how to implement them. So, in the following chapters, I describe the various security measures specified in the Network Security Checklist.
Need for a Standard
This Checklist is submitted as a candidate for a standard list of items public libraries need to evaluate in securing their networks. I have asked other librarians familiar with both the limitations of staff and financial resources in small public libraries and with the technical requirements of computer networks to review the Checklist. Although it is not a definitive guide to best practice for network security in the small public library, as more and more systems librarians (and others) review it, it will become more of a standard of practice.
It is important to realize that not every item on the list will apply to every library. Each item on the list has a specified level of implementation: Mandatory, Recommended, Optional or Not Applicable. This last classification indicates that each library needs the freedom to review an item (even one considered by some to be mandatory) and determine that the cost of implementing it is greater than the consequences of leaving it unsecured.
Therefore, I encourage the library to seek the help of a knowledgeable professional to discuss and evaluate each of these items for appropriateness in the local library's environment. This will help ensure the library's funding for security is spent to reduce the threats that are most likely to materialize in each particular library environment.
Division of Security Issues
I divide the realm of network security in libraries into seven main categories: physical security, password security, hardware security, server security, workstation security, perimeter security, and financial security (this area is most important in small community organizations where the operating budget is severely constrained). These areas are expanded in the Checklist by separating out specific configuration issues related to web servers and general administrative issues related to budgeting, planning, and policy development. In addition, the perimeter security area is expanded into separate router/firewall and virtual private network sections.
Therefore, there are ten sections in the security checklist:
Physical security of computers and network equipment
Network server security
Network equipment security
Web server security
Virtual Private Network Security
Chapter 7, General and Physical Security, describes the items in Sections 1 and 2 and the need to secure them.
Chapter 8, Local Area Network Security, describes the items in Sections 3 through 7.
Chapter 9, Perimeter Security, covers Sections 8 through 10.