Information Security Policy

Lincoln Lawrence Franklin Regional Library (LLFRL, “Library”) will take reasonable precautions to ensure that any sensitive personal information kept by the Library for any purpose is safeguarded from unauthorized access. LLFRL expects all data stewards and custodians who have access to and responsibilities for library data to manage it as set forth in this policy. This is in accordance with the rules regarding collection, storage, disclosure, access, processing, destruction, and classification of information and minimum privacy and security standards.

All use of personal information by LLFRL is subject to governing privacy laws and the Library’s confidentiality requirements.

 

DEFINITIONS

At-Risk Data (ARD) 

  • ARD is information that requires the highest level of privacy and security controls. 
  • Information that contains any of the following data elements, when appearing in conjunction with an individual’s legal name or other identifier (ex. email address), is considered to be ARD:
    • Credit or debit card number (risk: patron)
    • Social Security number (risk: patron, employee)
    • Driver’s license or government ID number (risk: patron, employee)
    • Bank account number (risk: patron, employee)

 

ARD Information Collections

  • Information collections retained by LLFRL that are known to contain ARD data elements:
    • Whitworth transcripts
    • Patron application forms of ID
    • Petty cash and Friends of the Library collection bags – ref. patron check payments
    • Employment files which include, but are not limited to, protected health information subject to the Health Insurance Portability and Accountability Act (HIPAA), banking information, and forms of ID.
    • Government and business documents.

 

SECURITY

Security - General

  • It is the responsibility of the county librarians to secure ARD at their supervised location(s), when ARD has been generated by or is associated with said location(s).  Security measures should be calculated to ensure that the branch’s information resources are protected by physical security measures that address physical tampering, damage, theft, or unauthorized physical access.
  • Documents containing ARD must never be left unattended in a public area or placed in public view.
  • It is not the responsibility of library staff to examine documents discarded by library patrons. 
    • If discarded patron documents are incidentally found to contain ARD, the documents must:
      • Be stored in a secure location.
      • Be returned only to the individual identified on the documentation.  Official identification documents should be requested if the library staff does not have personal knowledge of the patron’s identity.
      • Be destroyed by shredding or tearing, if not retrieved by the document owner within 24 hours. 
    • If original ARD documents (social security cards, driver’s licenses, etc.) are found, the documents must:
      • Be stored in a secure location.
      • Be returned only to the individual identified on the documentation.  Official identification documents should be requested if the library staff does not have personal knowledge of the patron’s identity.
      • Be released to a local law enforcement office(r) if not retrieved by the owner within 24 hours. 

 

Security – Transactions

  • ARD may be sent to library email accounts when patrons are utilizing library services.  To protect this data:
    • Daily closing procedures for each branch shall include:
      • Deletion of all files located in the Downloads directory on service desk computers.
      • Deletion of all files in the Recycle Bin on service desk computers.
      • Deletion of all files on library USB drives used to assist patrons with service desk activities.
    • Daily closing procedures for the Headquarters branch shall additionally include:
      • Deletion of all correspondence in the Inbox, Sent, and Trash folder of library email accounts used to support service desk activities.
      • Deletion of all documents in the associated cloud folder(s) of email accounts used to support service desk activities.
  • Credit or debit card numbers as payment transactions (Patron)
    • All credit/debit card transactions are established as self-serve transactions.
      • Library staff are strictly prohibited from (1) physically handling credit/debit cards and (2) obtaining credit/debit card numbers from patrons in any format.
      • Receipt printouts for credit/debit card transactions are ‘as requested’ by patrons using automated interfaces only.  Handwritten receipts are not authorized.

 

Security – Retained Documents

  • Whitworth Transcripts -
    • Transcripts for Whitworth College are physically housed in a staff office that is locked when staff members are not present. The Library Business office manages requests for the Whitworth transcripts.  Transcripts are only released to the individual named on the transcript.  Proof of identity may be required.
  • Patron applications and account records -
    • Most information related to patrons is kept for the purposes of circulating materials and ensuring that responsibility is attributed to the correct person when an item is borrowed. This information is not publicly available and, beyond interactions between the library and the customer, will be shared only with third-party vendors with whom the library has contracted services necessary for conducting business and with law enforcement personnel upon valid, legal request. Information related to delinquent customers may be shared with a third-party vendor for the purposes of collection. The library will not share personally identifiable customer information for any other purpose.
    • Driver’s License numbers should be redacted from all photocopies using a combination of ink and marker.  For new copies, the redaction shall occur immediately after the photocopy image is produced.   Redaction of archived images should occur as the images are detected.
    • It is not the practice of the Library to record ARD information on patron online account records.
    • Patron records that carry no outstanding debt (financial or in borrowed materials) and have been inactive for the amount of time defined by the Mississippi Public Library System Accreditation Program are considered inactive and should be permanently deleted from the Library’s computer system.
  • Patron Check Payments -
    • Petty Cash
      • Library staff are not authorized to photocopy patron checks.
      • Patron check payments must be removed from the cash drawer at/before the end of the business day and stored in a secure location until they have been presented to the business office for deposit.
    • Friends of the Library (FOL) collection bags
      • Library staff do not manage or authorize check payments for FOL activities.  Checks are filed in a FOL designated collection receptacle (bag, envelope, box, etc.).
      • FOL collection receptacles are stored in a secure location as part of the Library’s closing procedures.
  • Employment Data
    • Physical copies of employee records are kept in fireproof locking file cabinets in the Library’s business offices.  Access to these records is limited to authorized personnel only.
      • Driver’s License
        • Photocopies of driver’s licenses or similar government forms of identification should not be retained in employees’ personnel files.
      • Banking information
        • Cancelled checks and paperwork related to employee bank accounts are destroyed at the time of employment termination.
      • Government and Business documents
        • All government and business documents managed during the course of operating the Library have a high risk of containing ARD.  This documentation is stored in the Library’s business office.  Security door locks, locking file cabinets, and restricted access are some, but not all, of the security measures undertaken to protect this information.
      • Other
        • All other sensitive employment documents are retained/destroyed based on the Library’s record retention policy.

 

Security - Relocation/Destruction

  • ARD is considered permanently destroyed when it has been shredded (manual or machine) at a Library facility or submitted by the LLFRL business office to a contracted vendor for bulk destruction.
  • County librarians are responsible for the security of at-risk paperwork if/while in transit from a Library branch to the LLFRL business office.
  • When documents containing ARD are sent to a contracted vendor for destruction, a signed receipt of delivery to the vendor (or equivalent documentation) is required.
  • Unless expressly approved by policy or written guidance by the Library Director,
    • ARD shall never be stored at a non-library facility. 
    • Library staff are not authorized to use any ARD destruction methods outside the procedures outlined in this policy.

 

INFORMATION TECHNOLOGY

If ARD is stored in an electronic format, it shall be protected from access by unauthorized individuals. Such information must be protected by software that prevents unauthorized access.

Firewalls

  • A minimum of one network firewall shall be active where Library networks connect to Internet service.
  • A minimum of one firewall service shall be active on all Library computer devices that access the Internet.

Anti-virus/Steady State Software

  • All technology that has Internet access shall use anti-virus and/or steady state software.
  • All Library technology that has Internet access and is used by library patrons shall have steady state software or similar protections installed. 

Internal networks

  • Network equipment shall be housed in areas generally inaccessible to the public, preferably in a locked location.
  • The Library does not maintain servers to control network operations.
  • Specialized servers that control digital applications may be installed at staff workstations.  Such servers should not retain ARD information.
  • Separate secure and public segments of internal networks shall be integral to the network design.

Data backups

  • For vendor-provided cloud-based services, primary data backup measures shall be the responsibility of the vendor.  Secondary backups may be performed by library staff for additional security.
  • Business data housed on the Library Director’s computer, as well as on any computer identified by the Director as housing critical information, shall be backed up to a secondary device on a near daily basis.

General

  • Remote access to library information is available to the Library Director to support library operations.
  • Library personnel may be authorized for remote access by the Library Director on an as-needed basis to accomplish specific tasks.
  • Passwords to critical online resources are modified at least once each quarter.

 

INCIDENTS - PREVENTION

Library staff should verify the identity of third-party persons presenting themselves as repair or maintenance personnel for library equipment.

Library staff should report suspicious behavior around devices.  Suspicious behavior may include:

  • attempts to unplug equipment or components of equipment
  • attempts to open devices
  • physically testing the attributes of equipment
  • asking unusual questions about the equipment

 

INCIDENTS - TRAINING

A review of this policy, along with accompanying training material/videos, shall take place (1) with all newly hired employees and (2) annually thereafter.

Suspected or confirmed

Security incidents, whether suspected or confirmed, must be reported immediately to the Library Director. The Library will investigate incident reports. Based on the results of the Library's investigation, internal and/or external parties may be notified, as necessary and appropriate.

Upon notification of a suspected security incident, the Library will:

  • Report the breach to the appropriate officials.
  • Block, mitigate, or de-escalate the breach, if possible.
  • Implement processes and procedures to prevent similar incidents from occurring in the future.

If the Library's investigation determines that criminal activity has taken place, the Library Director, in consultation with the Library Board of Trustees, will determine if external notification will be required. External notification is required if any of the following conditions are met:

  • Access has been gained to ARD.
  • A physical device that contains ARD has been lost or stolen.
  • There is evidence that ARD has been copied or removed from a physical device containing ARD.

External notifications will go to anyone affected by the breach, or whose data may have been compromised, as well as to government officials, as required by law.

 

LIMITATIONS IN SCOPE

Personal information stored by employees does not fall under the requirements for safeguarding ARD.

It is not the Library’s practice to systematically retain employee ARD information in a digitized format.  Any occurrence of a digitized format would be incidental and outside the scope of this policy.

This policy does not specifically address physical security needs and threats, such as natural disasters, electrical outages, fire, or other physical threats to personnel or information resources.

 

Approved 12.13.2022