Library Security Basics
Securing any computer in a library must be achieved without any compromise to these three basic concepts: public service, user privacy and legal access. In an office or business environment, security is a matter of making sure that documents and transactions haven't been tampered with, corporate information is protected, personal employee information is kept private, and data is available when the business wants it to be. Network and computer security in a library setting faces these same challenges and a few additional ones.
Library public access computers and networks must be available and able to withstand long hours of uninterrupted use (often abuse) without attention from library computer technicians who are often overworked or even non-existent. This means it is up to network administrators to ensure data integrity and availability. Public-access computers are provided to our patrons as a public service. If a patron's experience using a computer is frustrating due to poor implementation of a security policy or if the online catalog is not available when they need it, the patron's perception of the library is negatively affected. Today it is more important than ever that the patron's experience with computers is a positive one.
Whenever a patron uses a public access computer, they leave behind pieces of information. Web browsers record information on the local computer, proxy servers keep logs of websites visited, and reservation systems document when patrons use public access computers. Protecting this information on behalf of unsuspecting patrons is the library's job.
Finally, another new security issue facing libraries is that of legal access. Now that many libraries provide access to the Internet from their computers, they must decide how they are going to deal with the issue of filtering children's access to the Internet. Furthermore, many libraries provide access to their systems and resources over the Internet. That access must be carefully controlled to comply with relevant licensing restrictions. Patron authentication to subscription databases must be managed according to licensing agreements whether the patron signs on from the public access computer in the library or from home.
Goals of a Good Security System
There are three primary goals of security:
- To protect confidentiality by ensuring private information is kept private.
- To ensure data integrity by preventing data from being inappropriately changed or deleted.
- To ensure data availability by making sure services are available and uninterrupted, that data can be accessed whenever it is needed, and that data can be restored quickly.
Protecting confidentiality means—at a minimum—keeping passwords out of the wrong hands; preventing access to financial information and circulation information; and protecting private patron data such as documents and email. You should always follow the principle of least privilege, which states that users be given only the privileges that they need to perform their jobs or tasks. For instance, if a user only needs to check or print out their email using a library's Internet connection, they have no need (and should have no ability) to access the operating system files of the print server.
Protecting data integrity means ensuring that you can recognize and recover from breaches of integrity and that you can protect systems from viruses, worms, and Trojan horses. It also means you should prevent deliberate alteration of documents, websites, and operating system files, and it certainly means you should allow only appropriate physical access to computers. Ensuring data availability means you should know how to recognize and defend against denial-of-service attacks, viruses, and worms; use good backup and recovery procedures; and ensure service is not interrupted during routine hardware and software maintenance.
Therefore, public access computer security must at least ensure:
- Computers which demand little maintenance will be available for anyone who wants to use them when the library is open.
- Patrons won't be able to delete or alter (or add) applications and system files that might cause a computer to suddenly malfunction.
- Computers will be protected against viruses spread by patron diskettes and against Internet-borne viruses and Trojans that can cause damage not only to local computers but also to servers.
- Patrons can be confident that their documents will not be infected by viruses, Trojan horses or other malicious code.
- Patrons can expect that applications and other software will function properly so their documents won't be corrupted.
- Patrons can feel confident that their electronic privacy is being protected: that others can't view their documents, access their email, or view a record of their Internet searches.
- Staff can feel confident their documents, applications and data won't be accessed inappropriately by patrons.
- All network users can have a reasonable assumption of privacy. This privacy cannot be disturbed by adware, spyware or network intruders using hacker tools.
- Networks will be protected against attacks that slow Internet access to a crawl or, worse, deny it completely.
- Libraries will be able to protect their resources and comply with federal laws by making sure that patrons will only use computers, applications or data for which they have been granted access. If the library's policy so states, children will not be allowed to browse the unfiltered Internet without having been specifically granted that right by a parent.
- Patrons will not be able to log in to databases without meeting the Library's access requirements.
Planning for Security
Security does not happen overnight; it requires a good deal of planning. Libraries that are serious about improving their security should be prepared to:
- Create or modify policies and procedures
- Revisit disaster recovery plans
- Ensure adequate funding
- Train and educate staff
- Incorporate security lifecycle
Policies and Procedures
Library staff and information systems personnel should work together to complete two very important tasks:
- Perform a Risk Assessment, which should include threats and vulnerabilities facing the library's computers and networks.
- Create a Security Policy which includes specific protection strategies.
Risk Assessment involves identifying assets, their threats and vulnerabilities. An asset is something of value to your organization; in information technology terms, it can be information, computers (both hardware and software) or people. A Risk Assessment will help a library decide which of its assets are most important and why. It is important to remember that risk can never be eliminated—the goal of security is to reduce it to an acceptable level.
Computer assets are constantly exposed to threats and vulnerabilities. A threat is a situation in which someone or something deliberately compromises confidentiality, integrity or availability. A vulnerability is a flaw in software code which might be exploited to perform attacks on the networks or computers which use that software. Listing the threats and vulnerabilities of a library's computers and networks is a vital part of a Risk Assessment.
Once a Risk Assessment has been performed, a library can then create one or more security policies. A Security Policy should be created by a team including system or IT members, administration and representatives from every department. It should develop usage policy statements that can be separate from each other, or part of one overarching policy, such as an Acceptable Use Policy, or an Internet Use Policy. The team should review security policies from comparable organizations (after all, why re-invent the wheel?) and customize ideas to their own environment. It should also include users' roles and responsibilities and grant authority to those who will be responsible for responding to security breaches.
A major part of a security policy should be devising protection strategies. These protection strategies should include IT policies and procedures such as backup procedures, a disaster recovery plan, guidelines on training for staff, and specific protection procedures. These might include implementing the principle of least privilege on all servers, isolating public access systems such as web servers from mission-critical systems such as bibliographic databases, and requiring strong authentication.
A security policy should be a living document that is constantly reviewed and changed. It should be updated after an attack or security event, whenever network conditions change, or in the face of new technologies.
Disaster Recovery Plan
A disaster recovery plan should also be created (if one is not already in existence) that covers:
- Procedures to be followed in the event of a network attack or failure
- The location of offsite storage of installation media and backup media
- Backup documentation and installation procedures documentation
- A technology asset inventory
- A list of personnel authorized and capable of system restoration (include more than one!)
Ensure Adequate Funding
Creating a secure network requires money—money for training, security software and hardware, monitoring tools and perhaps even a third party assessment. An important tool in ensuring funding for security is administration buy-in. Maintain logs that show system or network downtime, and estimate the costs involved in downtime. These costs should include both lost productivity and labor involved in restoring a system or network.
Train and Educate Staff
Make sure your library staff understand the importance of security. An alert librarian on the floor of a busy library can often spot problems as they are occurring. Be sure staff know what to do in case of a security event by training them on your library's security policies and procedures. IT Staff should keep up on the latest security threats and vulnerabilities, keep track of issues related to your library's installed software, and patch as needed.
Incorporate Security Lifecycle
Security is a never-ending process. If you plan for security in every step of a system's lifecycle, then you are building a solid, secure foundation. When considering a product for purchase, take into account a product's known vulnerabilities, and incorporate your security requirements into product specifications. When installing a product, take into account common security measures such as removing unused services and using strong passwords.
Also consider incorporating security testing into the implementation process, especially for vulnerable systems such as web or email servers. During the operating and maintenance phase, a system should be continually monitored and updated, and periodically audited. Finally, when a new system replaces an older system, every effort should be made to ensure that information is moved, archived, erased or destroyed before the old hardware is actually disposed of. This is an important step that is often overlooked, but it can go a long way towards keeping your network information private. Attackers never sit still, and the people who are charged with protecting a library's information assets should never sit still, either.