Adopted by the Board of Trustees 4/18/2023
Information Security Policy PDF

Policy

The Library will take every reasonable precaution to ensure that any confidential information that is kept by the Library for any purpose is safeguarded from unauthorized access. The Library has a responsibility to ensure that the accessing, handling, sharing and disposing of confidential information complies with the Confidentiality of Library Records and Privacy Policy; NYS Civil Practice Law and Rules, Section 4509; and NYS Civil Practice Law and Rules, Section 2307.

In general, this policy applies to all East Greenbush Community Library employees, volunteers, and contractors with access to East Greenbush Community Library systems, networks, East Greenbush Community Library information, nonpublic personal information, personally identifiable information, and/or customer data.

 

Roles and Responsibilities

The Library’s administration is assigned the goal of implementing a secure technology infrastructure using the appropriate vendors and products. These assets must be protected from unauthorized access, theft, and destruction. All workers must be informed about relevant, current information security matters, and motivated to fulfill their information security obligations.

The Library Director is responsible for developing and maintaining a comprehensive suite of information security policies, standards, procedures, and guidelines that are to be mandated and/or endorsed by management where applicable.

The Head of Digital Services is accountable for running an effective information security awareness and training program that informs and motivates workers to help protect the information assets of the organization and its customers. They will address potential risks to the security, confidentiality, and integrity of confidential information that could result in a compromise. The Head of Digital Services must ensure that the following standards are met on every computing system, equipment, or network with access to confidential information:

• Secure computing systems, equipment, and networks with confidential information.
• Restrict physical and login access to authorized users.
• Maintain up-to-date software patches and antivirus software.
• Ensure and maintain complete system backups.
• Enable and use firewalls.
• Perform regular security scans on computing systems, equipment, and networks.
• Provide training to staff, volunteers, and contract workers who have unsupervised access to the network, covering the appropriate use of the network, awareness of the possible effects of misuse or unauthorized use of computer resources, and the consequences of any unauthorized use.

All Department Heads are responsible for ensuring that their staff and other workers within their responsibility participate in the information security awareness training and educational activities where appropriate and required. Department Heads are responsible for ensuring that Information Security Policies and Procedures are clearly communicated to staff and adequately followed. Department Heads are responsible for informing the Head of Digital Services of any changes in the status of staff, volunteers, or contract workers who use library technology or have access to confidential information. This could include a position change (providing greater or more restricted access privileges) or termination of library employment.

It is the responsibility of all staff members to protect the technology and information assets of the Library. Staff IT Guidelines (included in the Staff Manual) will be distributed to all staff upon hire. Staff will complete assigned security awareness training at least annually, with ongoing phishing training throughout the year. All workers must be informed about relevant, current information security matters, and be motivated to fulfill their information security obligations. All staff are personally accountable for completing the security awareness training activities and complying with applicable policies, laws, and regulations at all times.

This policy also applies to third parties working or volunteering for the Library, whether they are explicitly bound (e.g., by contractual terms and conditions) or implicitly bound (e.g., by generally held standards of ethics and acceptable behavior) to comply with our information security policies.

Security Awareness Training Requirements

The information security awareness program should ensure that all staff achieve and maintain at least a basic level of understanding of information security matters, such as general obligations under various information security policies, standards, procedures, guidelines, laws, regulations, contractual terms, and generally held standards of ethics and acceptable behavior.

Additional training is appropriate for staff with specific obligations towards information security that are not satisfied by basic security awareness. Such training requirements must be identified and funded accordingly. The training requirements will reflect relevant prior experience, training and/or professional qualifications, as well as anticipated job requirements.

The East Greenbush Community Library will provide staff with information on the location of the security awareness training materials, along with security policies, standards, and guidance on a wide variety of information security matters.

All awareness training must fulfill the requirements for the security awareness program as listed below:

  • Upon hire, and at least annually thereafter, all employees must successfully complete a General Security Awareness Course.
  • Awareness training should be provided on a continuous/rolling basis thereafter in order to maintain a reasonably consistent level of awareness.
  • Employees whose specific job requirements require access to increased levels of confidential information must complete additional training modules depending on their specific job requirements.
  • Staff will be given a reasonable amount of time to complete each course so as to not disrupt business operations.
  • The Library Digital Services department will conduct periodic simulated social engineering exercises, including but not limited to phishing (e-mail), vishing (voice), smishing (SMS), USB testing, and physical assessments. These will be conducted at random throughout the year with no set schedule or frequency.

Breach of Security

Any actual or suspected security breaches involving confidential information must be reported immediately to Digital Services Staff and the Library Director. The IT Incident Response Plan will be initiated to identify the suspected breach, remediate the breach, and notify appropriate parties.

Enforcement

When users fail to comply with this policy, confidential information that is stored, processed, or transmitted on the East Greenbush Community Library network or property may be exposed to the unacceptable risk of loss of confidentiality, integrity, or availability. Violations of security guidelines and procedures established to support this policy will be promptly investigated and could result in disciplinary action up to and including termination of employment, or termination of rights to use the computer resources or have access to confidential information.

Library Card Types: East Greenbush Card, UHLS Card, UHLS MyCard

Library Card Registration

East Greenbush Card

Free to any individual who resides or pays taxes in the East Greenbush Community Library taxing district or Town of Schodack. Cards expire and must be renewed every three years.

Free to any individual who volunteers or works at the EGRN Library. Cards expire and must be renewed yearly.

Free to partner educational agencies with verified employment. Cards expire and must be renewed yearly.

Those that live outside the UHLS area may purchase a temporary card at the price established by our Table of Fines and Fees. Cards expire and must be renewed yearly.

All ages eligible. Youth under age 16 must have their application completed and signed by a parent or guardian, who provides acceptable identification for them.

Card blocked at $5 or more in replacement costs or fines/fees

Fines vary according to individual library rules and UHLS resource sharing rules. The EGRN Table of Fines and Fees is applicable for items which are checked out from the East Greenbush Community Library.

UHLS Card

Free to residents residing in a community served by a UHLS library.

All ages eligible. Youth under age 16 must have their application completed and signed by a parent or guardian, who provides acceptable identification for them.

UHLS library cards expire and must be renewed every three years.

Card blocked at $5 or more in replacement costs or fines/fees

Fines vary according to individual library rules and UHLS resource sharing rules. The EGRN Table of Fines and Fees is applicable for items which are checked out from the East Greenbush Community Library.

UHLS MyCard

The UHLS MyCard is a fine-free, limited-access library card for youth. It is intended to address multiple barriers to serving youth and families, including:

  • Barriers to access related to fines (e.g. computer access, checking out materials)
  • Parents not present for a child’s library card registration
  • Previous fines on a child’s card

Free for youth residing in a community served by a UHLS library.

Applicants 18 and under who are applying for a limited use, UHLS Youth Only MyCard, need to provide name, address, and date of birth.

UHLS library cards expire and must be renewed every three years.

Youth ages birth to 18 can register unaccompanied, or with the help of a caregiver or relative who is not the child’s parent/guardian.

This card may be used at all UHLS Libraries except for the Colonie Town Library.

Card blocked at $10 or more in replacement costs.

No fines for late items

Limits on # of Materials Borrowed

  • East Greenbush Card: Unlimited checkouts
  • UHLS Card: Unlimited checkouts
  • UHLS MyCard: Limited total items: Can only have 3 items checked out on their card at a time

Types of Items

  • East Greenbush Card: All eligible item types.
  • UHLS Card: All eligible item types except Museum Passes, ILL, and Hot off the Press. Active paid members of the Friends of the East Greenbush Community Library have access to all lending collections.
  • UHLS MyCard: Only items eligible to be borrowed are books (any age level), juvenile and young adult (teen) audiobooks, and juvenile and young adult (teen) DVDs.

Databases/Digital Content

  • East Greenbush Card: EGRN and UHLS subscription databases and digital content
  • UHLS Card: UHLS subscription databases and digital content
  • UHLS MyCard: Only items eligible to be borrowed are books (any age level), juvenile and young adult (teen) audiobooks, and juvenile and young adult (teen) DVDs.

Interlibrary Loan

  • East Greenbush Card: Nationwide
  • UHLS Card: UHLS Libraries
  • UHLS MyCard: UHLS Libraries

Program Registration

  • East Greenbush Card: Unlimited except by limited program capacity
  • UHLS Card: Preference given to resident cardholders
  • UHLS MyCard: Preference given to resident cardholders