"Mary, are you telling me you didn't know chatting is against the rules?"
"Yes, ma'am," Mary replied, sounding very contrite.
"But you read the acceptable use policy?"
In exasperation, the library director pulled a copy of the AUP out of the acrylic stand of training brochures sitting just to the right of the monitor. She opened it and spread it out on the desk in front of Mary, putting her index finger below the bold-faced letters.
"You didn't see these statements in bold-faced type?"
"How do you explain that, Mary?"
"Maybe it got updated sometime after I read it?" the girl offered hopefully.
You've taken the time to learn about the dangers that lurk around a network that isn't secured. You've done some planning and created a security policy, working it in with your Acceptable Use Policy where applicable. You've identified the security measures most likely to need implementation on your network. You've hired someone to come onsite and implement those measures. You've arranged for a security audit. It seems like you're close to being able to go home and get a good night's sleep.
Just a little training.
Security training isn't like learning a software application. It's not like learning to sew or ride a bike. It's not a step-by-step thing, and it's not a skill gained by repetition or judgment. Security training is more a process of familiarization. After determining security goals in your security policy and listing the rules of use, it's time to impart these to your staff and your patrons.
Staff Rules & Guidelines
Be sure that everyone on staff is familiar with the rules and procedures that apply to their positions. For example, make sure the person in charge of system backups understands:
- how to operate the backup software
- the procedure for rotating backup media (e.g., which Friday tape is to be used next, or when to take a tape offsite)
- how to review the backup log the morning after each backup and remove the tape
- how to report any problems
- how to schedule and conduct a test restore 2-4 times per year
In these cases, training the person also means checking their work occasionally to make sure it is done as specified.
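The backup duties listed above lend themselves to a small checklist script the person on backup duty (or the director checking their work) can run each morning. The following is an added example, not code from the book: the rotation scheme (four daily tapes, four Friday tapes, a monthly tape that goes offsite), the 120-day restore-test interval, and the backup log format are all assumptions standing in for whatever the library's own backup software and policy specify.

```python
"""Backup-duty helpers: which tape is due tonight, whether the periodic test
restore is overdue, and a review of last night's backup log.  Added example;
the rotation scheme, the test interval and the log format are assumed."""
import datetime as dt
import re

DAILY_TAPES = {0: "Monday", 1: "Tuesday", 2: "Wednesday", 3: "Thursday"}


def tape_for(day: dt.date) -> str:
    """Name of the tape to load for the backup run on the evening of `day`.

    Assumed scheme: Monday-Thursday reuse a daily tape; Fridays cycle through
    four weekly tapes by week-of-month; the last Friday of each month uses a
    monthly tape that is taken offsite.  Saturday and Sunday have no run."""
    wd = day.weekday()
    if wd in DAILY_TAPES:
        return DAILY_TAPES[wd]
    if wd == 4:
        # Last Friday of the month: a week later lands in the next month.
        if (day + dt.timedelta(days=7)).month != day.month:
            return "Monthly-%s (take offsite)" % day.strftime("%Y-%m")
        return "Friday-%d" % ((day.day - 1) // 7 + 1)
    return "no backup scheduled"


def restore_test_due(last_test: dt.date, today: dt.date, max_days: int = 120) -> bool:
    """True when the test restore is overdue.  A 120-day interval gives about
    three tests a year, within the book's 2-4 per year (assumed value)."""
    return (today - last_test).days > max_days


# Constructed sample log in an assumed "HH:MM LEVEL message" format.
SAMPLE_LOG = """\
22:00 INFO  Backup job 'Nightly' started, media=Friday-2
22:41 WARN  Skipped open file C:\\LIB\\CIRC\\CIRC.MDB
23:10 INFO  1,234 files written, 0 files failed
23:10 ERROR Verify failed: 3 blocks unreadable on media Friday-2
23:11 INFO  Backup job 'Nightly' finished
"""

LOG_LINE = re.compile(r"^(\d\d:\d\d)\s+(INFO|WARN|ERROR)\s+(.*)$")


def review_backup_log(text: str) -> dict:
    """Summarise a backup log: did the job finish, and what must be reported.
    Every WARN or ERROR line is a problem to report to the director."""
    finished = False
    problems = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue  # ignore lines that are not in the expected format
        time, level, msg = m.groups()
        if level in ("WARN", "ERROR"):
            problems.append("%s %s: %s" % (time, level, msg))
        if "finished" in msg:
            finished = True
    return {"finished": finished, "problems": problems,
            "ok": finished and not problems}


if __name__ == "__main__":
    today = dt.date(2024, 5, 31)
    print("Tonight's tape:", tape_for(today))
    print("Restore test overdue:", restore_test_due(dt.date(2024, 1, 1), today))
    print("Last night's log:", review_backup_log(SAMPLE_LOG))
```

The point of `review_backup_log` is the last line of the checklist: a job that "finished" but verified with errors is not a good backup, so the report marks it `ok: False` even though the software ran to completion. That distinction is what a supervisor spot-checking the backup person's work should look for.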
The remainder of the training relates to the sensible guidelines of making sure sensitive information isn't inadvertently compromised. Here are common guidelines taught to staff members.
Always log out from the server when finished performing administrative tasks. Lock the console if necessary.
Those staff members who know the Administrator password should log onto their workstations using their personal accounts unless the task they are performing specifically requires Administrator privileges. (Always assign each staff member and volunteer a personal account with appropriate privileges for routine use.) They should log off immediately after completing the task(s) requiring Administrator privileges. Further work can be done after logging back in under their personal accounts.
Do not log onto the Administrator account from a public workstation.
When logging on as Administrator, be sure no unauthorized persons are observing.
Keep passwords secret. Since everyone is assigned a personal account, there is no need to reveal personal or system passwords to anyone. This especially includes technicians or competent-sounding phone callers. Staff must obtain approval from the library director or his/her designee before revealing passwords or other network-related information to a representative of a computer company arriving at the library to do tech work.
Keep network configuration information (IP addresses, for example) confidential. Obtain approval from library administration before revealing such information to any third party.
Create strong passwords, as specified in the Library's password policy (see Part III for an example), when creating or changing passwords.
Memorize your password. If it's a password you may forget, write it down on a sheet of regular paper (with no reference to the account it corresponds to) and store the sheet in an innocuously labeled manila folder and file it.
Do not use credit cards to purchase products online with any library computer.
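The "create strong passwords" guideline is easier to follow, and to enforce when a staff member or volunteer sets a new password, if the policy is expressed as a check that says exactly which rule a candidate breaks. The following is an added example, not code from the book: the rules it applies (minimum length, three of four character classes, no account name, no common word, no triple-repeated character) and the small word list are assumptions standing in for the Library's own password policy in Part III.

```python
"""Strong-password check for staff and patron accounts.  Added example; the
rules below are an assumed policy standing in for the Library's own."""
import re

MIN_LENGTH = 8
# Constructed short list; a real policy would use a much larger dictionary.
COMMON_WORDS = {"password", "library", "welcome", "letmein", "qwerty", "admin"}

CHARACTER_CLASSES = [
    ("an upper-case letter", r"[A-Z]"),
    ("a lower-case letter", r"[a-z]"),
    ("a digit", r"[0-9]"),
    ("a punctuation character", r"[^A-Za-z0-9]"),
]


def check_password(password: str, account: str = "") -> list:
    """Return the list of policy rules the candidate password violates.
    An empty list means the password is acceptable under the assumed policy;
    otherwise each entry tells the user what to change."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append("shorter than %d characters" % MIN_LENGTH)
    missing = [name for name, pattern in CHARACTER_CLASSES
               if not re.search(pattern, password)]
    if len(CHARACTER_CLASSES) - len(missing) < 3:
        failures.append("needs three of four character classes; missing: "
                        + ", ".join(missing))
    lowered = password.lower()
    if account and account.lower() in lowered:
        failures.append("contains the account name")
    if any(word in lowered for word in COMMON_WORDS):
        failures.append("contains a common word")
    if re.search(r"(.)\1\1", password):
        failures.append("repeats a character three times in a row")
    return failures


if __name__ == "__main__":
    for candidate in ("password1", "MaryLib2024", "Tr0ub4dor!"):
        verdict = check_password(candidate, account="mary") or ["acceptable"]
        print("%-12s -> %s" % (candidate, "; ".join(verdict)))
```

Returning the list of reasons, rather than a bare yes/no, is deliberate: the staff member changing a password learns the rule they missed, which is the "familiarization" the chapter describes, and the same function can be wired into whatever account-creation script the library uses.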
Public User Rules & Guidelines
Rules and guidelines are generally different for public users of your network. If your library offers individual accounts to patrons (not many do at this writing), the first two items below should be included; otherwise they can be deleted. Most of the other items are warnings about using the Internet safely in a public environment.
Keep your account password secret. Since everyone is assigned a personal account, there is no need to reveal your password to anyone.
When changing your password, create a strong password as described in the Library's password policy.
Be cautious about submitting personal information to sites on the Internet; personal information submitted as part of a web-based form may be stored on the computer's hard drive in the form of a "cookie," and the privacy of such information cannot be guaranteed. Never use a credit card to purchase products online from a library computer.
The following services are not available through the Library's Internet connection (include a list of these services, such as chat and e-mail use)
Read the following documents (list preferred web sites or library materials here), which describe safe practice in the use of Internet resources.
When you complete your Internet session, exit the web browser to clear the browser's cache, history, and URL lists.
In order to maintain a secure network, it is important to monitor specific user actions on the network. Monitoring specific patron use of resources is not often done in libraries. It has been important in our work to assure patrons' privacy in regard to their use of materials. In the case of computer networks, however, it is necessary to strike a balance between the patron's right to privacy and the library's right to protect its resources for the use of all patrons.
Part of the library's security program is to determine what specific actions or activities should and will be monitored. The program must also determine the procedures used to monitor these activities and how violations of policy will be reported and resolved. When these decisions are made, it is then imperative to inform staff and public users how their usage will be monitored.
The library is encouraged to include a disclaimer providing details related to the monitoring of network activity on all training materials, acceptable use policies, and other public documents. (A sample statement is included on the next page; it is provided for illustrative purposes only. Be sure to have the library's legal counsel review and approve all such statements before adopting them for use.) The disclaimer works in tandem with the custom logon banner recommended in the Network Security Checklist (a sample is provided in Chapter 8 on pages 98-99) to notify patrons that not all uses of the network are anonymous or welcomed.
Use of the Library network is a privilege, not a right. All network activity is monitored for illegal and unauthorized use. While the Library keeps no permanent records of particular materials viewed by patrons, any attempts to access restricted services are noted. The Library reserves the right to refuse service to anyone engaged in illegal or unauthorized activity as specified in its Security Policy and its Acceptable Use Policy.
Specifically, the following actions are monitored:
- all attempts to access the Administrator account
- attempts to access restricted areas of the network server or local workstations
- attempts to copy unauthorized software or utilities onto a server or local workstation
- attempts to run unauthorized software or utilities stored on a server, a local workstation, or on a personal diskette
- public workstations are configured to operate without providing access to a "command line" (also called a DOS session). Patrons observed running a DOS session will be considered to be running unauthorized software.
- Other actions (as they are identified) harmful to the provision of network services to all patrons.
When confirmed by library staff, unauthorized attempts to access restricted resources, whether successful or unsuccessful, shall result in loss of privilege as indicated by policy.
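Once the monitoring statement says which actions are watched, someone has to actually look for them in the server's logs each day. The following is an added example of that review, not code from the book: the log line format, the workstation names, the server share paths, and the list of programs patrons are allowed to run are all constructed, and the three-failure threshold for staff workstations is an assumption. It flags the actions listed above (attempts on the Administrator account, a DOS session or other unauthorized program on a public workstation, and copies into restricted areas) so that a staff member can confirm each one before any loss of privilege is applied.

```python
"""Daily review of a constructed server security log for the actions the
monitoring statement lists.  Added example; the log format, names, paths and
thresholds are assumed, not the book's."""
import re
from collections import Counter

PUBLIC_WORKSTATIONS = {"PUB-01", "PUB-02", "PUB-03"}
RESTRICTED_PATHS = ("\\\\LIBSRV\\ADMIN\\", "\\\\LIBSRV\\CIRC\\")
SHELL_PROGRAMS = {"command.com", "cmd.exe"}           # a "DOS session"
ALLOWED_PROGRAMS = {"netscape.exe", "iexplore.exe", "catalog.exe", "notepad.exe"}

# Constructed sample log; format: "<date> <time> <workstation> <user> <EVENT> <details>"
SAMPLE_LOG = """\
2024-05-13 10:02:11 PUB-01 patron LOGON_OK -
2024-05-13 10:05:40 PUB-01 patron LOGON_FAIL target=Administrator
2024-05-13 10:05:52 PUB-01 patron LOGON_FAIL target=Administrator
2024-05-13 10:06:03 PUB-01 patron LOGON_FAIL target=Administrator
2024-05-13 10:15:22 PUB-02 patron PROC_START image=command.com
2024-05-13 10:16:01 PUB-02 patron PROC_START image=netscape.exe
2024-05-13 10:20:45 PUB-03 patron FILE_COPY dest=\\\\LIBSRV\\ADMIN\\util.exe
2024-05-13 10:30:00 STAFF-07 jsmith LOGON_OK target=Administrator
2024-05-13 10:41:12 PUB-03 patron PROC_START image=A:\\tools\\crack.exe
"""

LINE = re.compile(r"^(\S+ \S+) (\S+) (\S+) (\S+) (.*)$")


def parse_line(line: str):
    """Split one log line into a dict; key=value details become extra keys."""
    m = LINE.match(line)
    if not m:
        return None
    when, host, user, event, details = m.groups()
    fields = dict(kv.split("=", 1) for kv in details.split() if "=" in kv)
    return {"when": when, "host": host, "user": user, "event": event, **fields}


def find_violations(text: str, fail_threshold: int = 3) -> list:
    """Return (rule, workstation, when) tuples for every monitored action
    observed in `text`.  Every Administrator attempt from a public
    workstation is reported; on staff workstations a successful Administrator
    logon is recorded for the audit trail and repeated failures are reported
    once they reach `fail_threshold` on one workstation."""
    hits = []
    admin_fails = Counter()
    for raw in text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        public = rec["host"] in PUBLIC_WORKSTATIONS
        if rec.get("target") == "Administrator":
            if public:
                hits.append(("admin-account-from-public", rec["host"], rec["when"]))
            elif rec["event"] == "LOGON_OK":
                hits.append(("admin-logon", rec["host"], rec["when"]))
            elif rec["event"] == "LOGON_FAIL":
                admin_fails[rec["host"]] += 1
                if admin_fails[rec["host"]] == fail_threshold:
                    hits.append(("admin-logon-failures", rec["host"], rec["when"]))
        if rec["event"] == "PROC_START" and public:
            # Reduce "A:\tools\x.exe" or "C:\WINDOWS\x.exe" to the bare image name.
            image = rec.get("image", "").replace("\\", "/").rsplit("/", 1)[-1].lower()
            if image in SHELL_PROGRAMS:
                hits.append(("dos-session", rec["host"], rec["when"]))
            elif image not in ALLOWED_PROGRAMS:
                hits.append(("unauthorized-program", rec["host"], rec["when"]))
        if rec["event"] == "FILE_COPY":
            dest = rec.get("dest", "").upper()
            if dest.startswith(tuple(p.upper() for p in RESTRICTED_PATHS)):
                hits.append(("copy-to-restricted-area", rec["host"], rec["when"]))
    return hits


if __name__ == "__main__":
    for rule, host, when in find_violations(SAMPLE_LOG):
        print(when, host, rule)
```

Each tuple the function returns is one item for a staff member to confirm, which is the step the statement above requires before privileges are withdrawn; the script does not decide anything on its own. Note that the successful staff logon as Administrator from STAFF-07 is recorded too, because the statement says all attempts to access that account are monitored, not only the failed or public ones.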
There may be other activities that need to be monitored. However, given the library's need to protect its patrons' privacy in their use of resources, such activities are anywhere from difficult to impossible to monitor. These activities include, but are not limited to:
- sending threatening or harassing e-mail:
  - to the President of the United States (possible)
  - to any prominent person (very difficult)
  - to any other Internet user (next to impossible)
- using chat or other multi-person communication resources in an illegal way (almost impossible)
- breaking into government or banking networks (difficult)
If these activities are an extreme concern, the only common, practical method for most libraries to use in restricting them is filtering software, although it is also possible to limit access through the router, firewall, or ISP's connection. For many libraries this is an untenable solution.
As with most training, staff and patrons need to be taught these guidelines and rules of conduct as soon as the network is functional. This means planning an orientation session and software training. Optimally, the training plan should be developed well before the network implementation.
If the network is already operational when security topics are addressed, an orientation and "re-certification" of user access is recommended.
For public users, the orientation session and software training can be combined and be presented in small groups at scheduled times.