Information Security Policy

“Information Security” is the administrative, technical, and physical safeguards the Oconomowoc Public Library (“the Library”) uses to access, collect, distribute, process, protect, store, use, transmit, dispose of, or otherwise handle electronic information.

The Library will protect information from unauthorized access. The Library will ensure that the accessing, handling, sharing, and disposing of information complies with policies of the Oconomowoc Public Library, the City of Oconomowoc, Bridges Library System/CAFÉ, and all applicable local, state, and federal laws.

This policy covers all electronic data resources in the Library. It applies equally to network servers, workstations, staff and public networks, network equipment, telecommunications equipment, and peripherals, such as printers, within the Library. The policy applies to all Library staff, patrons, and others using the Library’s computer resources.

Roles & Responsibilities

Library Staff

  • The Library Director will hire a contract IT Support Specialist and monitor performance and satisfaction.
  • The Administrative Coordinator will be the staff liaison to the IT Support Specialist.
  • All Department Heads will alert the Administrative Coordinator of issues or problems with IT equipment.
  • Staff will ensure that only authorized persons enter staff-only areas. When practical, doors to staff-only areas should be closed.
  • Staff will ensure the security of usernames and passwords by never sharing them.
  • Staff will save all files to a network drive to ensure the ability to retrieve files from backups.
  • Staff will follow Incident Reporting and Response guidelines outlined in this policy.
  • Staff with supervisory responsibilities, with guidance or direction from the Library Director, IT Support Specialist, or other authorized person, are responsible for training their staff on this policy and ensuring compliance. Specific responsibilities of supervisors include:
    • Ensuring staff understand the danger of malicious software, how it is generally spread, and the technical controls used to protect against it.
    • Informing the IT Support Specialist and Library Director (and the library system, when applicable) of the change in employment status of staff. This could include a position change (providing greater or more restricted access privileges) or termination of Library employment.

IT Support Specialist

  • Maintain servers and electronic equipment; perform computer imaging; establish and maintain wired and wireless Internet networks; perform and manage backups of servers and computers; maintain virus and malware protection; other duties as assigned.
  • Maintain an inventory of all Library-owned hardware
  • Alert Library Director and/or Administrative Coordinator of equipment and software needs, or any potential threats or problems.
  • Maintain two firewalls:
    • One firewall separates the PUBLIC internet (wireless and wired) from the STAFF network.
    • One firewall is for the local internet connection and provides remote access to the network.

Library System

  • Manage system-scale firewall
  • Establish and maintain arrangements with third-party vendors for the cloud-based server(s) and Integrated Library System (ILS) backups
  • Establish, maintain, and communicate security expectations for system-wide or system-provided resources

Equipment Security

Server Access

  • Non-authorized persons may not enter the server area.
  • Server settings will require login after idle timeout. Idle timeout will be 5 minutes or less. Servers will be logged out when leaving the server unattended.
  • Servers will not be used for internet searches.
  • All documents will be opened and scanned on a computer before storing on the servers.
  • Non-backup portable devices must never be attached directly to the servers.
  • Any virus protection alerts on server data must be reconciled with the staff member that stored the material.

Server Backup

  • Main server user data is backed up daily to the secondary server. The main server is also backed up daily to the IT Specialist’s computer. An email is sent at the end of each backup session giving the status of the backup process.
    • The IT Support Specialist will maintain a Daily Backup folder for each day’s backup.
    • The IT Support Specialist will maintain three hard drive copies of the daily backups.
  • Main server user accounts and operating system state information are backed up monthly to the secondary server. An email is sent at the end of each backup session giving the status of the backup process.
  • One set of backup drives is rotated into a fireproof lockbox to ensure there is always an offline backup drive.
  • One set of backup drives is stored securely at City Hall to ensure there is always an offsite backup drive. Staff keeps the backup drive secure at all times during transportation.
  • Only approved personnel will access the backup drive.

Computer Imaging

  • Staff computers are imaged every one to two months using imaging software. Images are stored on hard drives attached to the secondary server.
  • There are two image hard drives that rotate. Each hard drive stores the images from every other month.
  • Imaging software DVD recovery discs are stored in the server room. These discs are used to start a failed computer and restore an image to the replacement hard drive from a network connection or local connection.
  • One set of image backup drives will be rotated into a fireproof lockbox to ensure there is always an offline image backup drive.
  • One set of backup drives is stored securely at City Hall to ensure there is always an offsite backup drive. Staff keeps the backup drive secure at all times during transportation.
  • Only approved personnel will access the image backup drives.

Network Security

Network User Accounts & Passwords

  • Staff computers and users are given Domain User Accounts. The user accounts are assigned to individual computers. Each user account is assigned network access limited by the user’s job and to the user’s needs.
  • Staff will not disclose usernames or passwords.
  • Staff desktop and laptop computers should not be set to log in automatically and should be set to require login after an idle timeout or waking from sleep or hibernation. Idle timeout will be 5 minutes or less.

Wired Internet Network

  • The Wired Network is divided into wired STAFF and wired PUBLIC. The wired PUBLIC network is governed by this policy and the Internet Use Policy. The STAFF network is governed by this policy, the Public Computer & Internet Use Policy, and the City of Oconomowoc’s Employee Manual.
  • No physical connection should be made between these networks.
  • Unused wired connections that are tied to the STAFF network should not be connected from the patch bays to the switches.
  • Unused wired connections that are tied to the STAFF network should be physically secured with a jack lock that prevents a network cable from being inserted.
  • Wired connections that are in use and are tied to the STAFF network and that are visible to and accessible to the public should be physically secured with a cable lock that prevents a network cable from being removed and another cable inserted.
  • Personal devices should not be connected to the STAFF wired networks.
  • Only Library-provided wired devices and properly protected devices should be connected to the STAFF wired network.
  • Non-Library property, unapproved switches, routers, or access points should not be attached to either the STAFF or PUBLIC wired networks.

Wireless Internet Network

  • The Wireless Network is divided into wireless STAFF and wireless PUBLIC.
    • No physical connection should be made between these networks.
    • The STAFF wireless network is password protected.
      • Only approved personnel will receive the password.
      • Only Library-provided devices and properly protected devices should be connected to the wireless STAFF network.
    • The PUBLIC wireless network is for patrons and Library staff’s personal devices.

Mobile Device Network Connections

  • Only Library-provided wired or wireless devices and properly protected devices should be connected to the STAFF wired or wireless networks.
  • Patrons’ personal mobile devices should be connected to the PUBLIC Wired or Wireless network.

Remote Access to Network

  • Only staff with Library-issued portable devices may remotely access the STAFF network.
  • Staff who are issued portable devices must be vigilant when the device is transported and used. When transporting the device, it should always be in the staff member’s view and possession. When using the device, it should always be in the staff member’s view and possession. Staff should never leave the device unattended.
  • Only the staff member issued the device should use the device.
  • Staff must immediately report lost or stolen devices to the Library Director and IT Support Specialist.

Hardware & Software

Software

  • Only Library-approved and purchased software should be installed on Library computers and devices.
  • Any problems with software operation should be reported to the IT Support Specialist.
  • Any modification to software on a computer should be reported to the IT Support Specialist.

Email

  • Staff will exercise caution when opening unsolicited emails and will not click on questionable links or attachments.

Downloads

  • Staff should only download files from trusted sources.
  • Staff should not download plugins to access pictures, videos, music, and other content online.

Portable Media

  • Portable media includes but is not limited to USB drives, CD/DVD/Blu-Ray drives, digital media card readers, digital cameras, and tablets.
  • Only Library-issued portable media should be connected to staff computers.
  • Only Library-issued portable media approved for backup use should be connected to Library servers.
  • Library-issued portable media should be used for Library business only.
  • No personal media such as pictures, movies, music, or data files should be stored or opened on staff computers.
  • Only approved persons may take approved portable media in and out of the Library.
  • Data transfers between staff should be done over the network using the Shared drive or email. Do not use portable media to pass data between staff members.

Virus & Malware Protection

  • Servers and staff computers have virus protection and malware protection.
  • Virus protection on devices should not be disabled. Any activation of the virus protection or malware protection should be reported as an Incident.
  • The IT Support Specialist will empty TEMP file folders weekly.

Hardware Recycling

  • At the end of life and use of equipment, the IT Support Specialist will prepare the equipment for recycling or disposal:
    • Wipe hard drives of computers and servers
    • Electronically wipe and physically destroy hard drives
    • Electronically wipe and reset to factory default settings on tablets and cell phones

Incident Reporting & Response

  • Any actual or suspected incidents and/or security breaches must be reported immediately to the Library Director or their representative, who will contact the IT Support Specialist. Those parties will work to identify the suspected breach, remediate the breach, and notify appropriate parties. The Library Director will work with staff and the IT Support Specialist to determine any necessary operational or policy changes following a security breach.
  • When any takeover of a computer and screen occurs, staff will immediately push and hold the computer power button until the computer shuts down.
  • Any activation of the virus protection or malware protection should be reported as an Incident.
  • Any suspicious or threatening emails, or emails requesting account information or validation, should be reported as an Incident.
  • Any uncontrolled takeover of a computer and screen should be reported as an Incident.
  • Any violation of the Public Computer & Internet Use Policy should be reported as an Incident.

Computer & Internet Acceptable Use

Adopted 7/11/2019
Revised 12/10/2020