Skip to main content
Font size options
Increase or decrease the font size for this website by clicking on the 'A's.
Contrast options
Choose a color combination to give the most comfortable contrast.

Administrative Policy

Section 6: Cybersecurity

Program Scope

CRCPL’s Cybersecurity Program dictates the acceptable use, access, and management of technology resources provided by the Chillicothe & Ross County Public Library to ensure safe, equitable, and lawful access for all patrons and staff. 

The Cybersecurity Program includes considerations for data protection; network and physical security; access control; acceptable use; incident response and disaster recovery; vendor relations; employee training; and policy management; and applies to library staff, patrons, and vendors. 

The purpose of the Cybersecurity Program is to:

  • Identify critical functions and risks
  • Assess the potential impact of breaches
  • Implement threat detection mechanisms
  • Identify vulnerabilities and deploy prompt remediations
  • Establish incident response procedures
  • Plan for recovery and continuity
  • Implement employee cybersecurity training

Cybersecurity and Ransomware Incidents / Reporting Obligations

For purposes of the CRCPL Cybersecurity Policy/Program, and in accordance with Section 9.64 of the Ohio Revised Code, the following definitions will apply:

1.  “Cybersecurity Incident” means any of the following:

  1. A substantial loss of confidentiality, integrity, or availability of a covered entity’s information system or network;
  2. A serious impact on the safety and resiliency of a covered entity’s operational systems and processes;
  3. A disruption of a covered entity’s ability to engage in business or industrial operations, or deliver goods or services;
  4. Unauthorized access to an entity’s information system or network, or nonpublic information contained therein, that is facilitated through or is caused by:
    1. A compromise of a cloud service provider, managed service provider, or other third-party data hosting provider; or
    2. A supply chain compromise.

“Cybersecurity incident” does not include mere threats of disruption as extortion; events perpetrated in good faith in response to a request by the system owner or operator; or lawfully authorized activity of a United States, state, local, tribal, or territorial government entity.

2.  “Ransomware Incident” means a malicious cybersecurity incident in which a person or entity introduces software that gains unauthorized access to or encrypts, modifies, or otherwise renders unavailable the library’s information technology systems or data and thereafter the person or entity demands a ransom to prevent the publication of the data, restore access to the data, or otherwise remediate the impact of the software.

In the event of a “cybersecurity incident” or a “ransomware incident”, the library shall notify both of the following:

  1. The Ohio Homeland Security’s Ohio Cyber Integration Center (OCIC) as soon as possible but not later than seven days after the library discovers the incident;
  2. The Ohio Auditor of State, in a manner prescribed by the Ohio Auditor of State, as soon as possible but not later than thirty days after the library discovers the incident.

Ransomware Demand Requirements

The library, if experiencing a ransomware incident, shall not pay or otherwise comply with a ransom demand unless the library’s legislative authority, the Board of Trustees, formally approves the payment or compliance with the ransom demand in a resolution that specifically states why the payment or compliance with the ransom demand is in the best interest of the library.

Staff of the library are not authorized to approve, negotiate, or make ransom payments.

Ransom payments may only be considered after all recovery options have been evaluated and documented as infeasible.

Ohio Public Records Law Application

Any records, documents, or reports related to the cybersecurity program and framework set forth in Division (C) of Section 9.64 of the Ohio Revised Code, and the reports of a “cybersecurity incident” or “ransomware incident” under Division (D) of Section 9.64 of the Ohio Revised Code, are not public records under Section 149.43 of the Ohio Revised Code.

A record identifying cybersecurity-related software, hardware, goods, and services, that are being considered for procurement, have been procured, or are being used by the library, including the vendor name, product name, project name, or project description, is a security record under Section 149.433 of the Ohio Revised Code.

Cybersecurity Responsibility

The CRCPL Cybersecurity Program is coordinated by the Access Director and implemented by the IT Manager. All library staff are responsible for reporting suspicious cyber activity. Relevant department managers provide input and compliance. Comprehensive oversight is provided by the Executive Director and Board of Trustees.

Cybersecurity Awareness & Training

Library staff are on the front line of cybersecurity response and are trained annually in Cybersecurity Awareness. Depending on the staff member’s role, additional training is provided for maximum preparation. All staff also participate in the Ohio Auditor’s Fraud, Waste & Abuse Training. Random phishing simulations are also provided, which train staff in threat response.

Asset Inventory

The core of the Cybersecurity Program is an Asset Inventory which details all networks, servers, equipment, software, Softwares as a Service (SaaS), cloud services, web sites, and vendors that the library utilizes. The Asset Inventory aids in identifying the Key Cyber Terrain requiring the most protective efforts. Asset Inventories per department will be updated at a minimum of every 6 months, in January and July, or on an as-needed basis as assets and/or staffing change.

Risk Assessment & Management

The Access Director and IT Manager maintain a Risk Register, Risk Treatment Plan, and Statement of Accountability regarding all library assets. Severity of risk is prioritized with security controls implemented accordingly.

Vulnerability & Patch Management

Identifying vulnerabilities and promptly applying patches and updates are pivotal to maintaining network and data integrity. A variety of tools, including internal and external penetration testing and remote access software, are used to monitor for vulnerabilities, remediations, and threats. Remediation is prioritized depending on the severity of the vulnerability and security controls are implemented to mitigate the issue. A database of known vulnerabilities will be maintained, and key staff will participate in annual Vulnerability Management training.

Updates and patching are completed either automatically or manually immediately following release dates.

Vendor Management

For cloud service providers and technology vendors, a Vendor Readiness Assessment Report (VRAR) will be requested by the library annually to ensure that the vendor is compliant with CRCPL Cybersecurity Program measures. Any compliance required that is not documented in the VRAR will be communicated with the vendor by the IT Manager.

Password Management

All CRCPL employees and trustees are provided with a library email address. Multi-Factor Authentication (MFA) is enabled on these accounts. Passwords must be complex, changed at regular intervals, and must not be shared. If there is a concern that an email account has been compromised, the IT manager must be notified, and the password must be changed immediately.

Acceptable Use

HR Policy 5.12 Acceptable Use of Technology defines how staff are permitted to use library resources to maintain confidentiality, privacy, data protection, safety, equal access, and adherence to legal compliance, where applicable. 

Access Control

Library technology, including networks, equipment, and access to resources are safeguarded through the Principle of Least Privilege, which means that only the staff who needs access to a resource to perform their job function(s) is granted that access.

Least privilege enforcement ensures the non-human tool has the requisite access needed – and nothing more. Effective least privilege enforcement requires a way to centrally-manage and secure privileged credentials, along with flexible controls that can balance cybersecurity and compliance requirements with operational and end-user needs. 

Oversight of staff and departmental contact information like emails and extensions, as well as access permissions, is the responsibility of the IT Manager. Following the Principle of Least Privilege, only the IT Manager has access to this information. 

Network Security Controls

A variety of security measures are implemented to prevent unauthorized access and remediation in the event of a breach.

  • A firewall is used on internet connections.
  • Networks are segregated as needed to provide additional protection.
  • Physical and cloud backups are maintained for redundancy.
  • Remote access is limited to only those who need it and provided via a password-protected VPN service.
  • Passwords for network equipment and cloud services use MFA and are changed frequently.
  • Antivirus software is installed and active on all networked computers and devices.
  • Two-person verification is used to process all payment requests in the Fiscal Office. If digital verification is impossible, another form of verification will be attempted.

Incident Response & Contingency Plan

The Incident Response & Contingency plan outlines how key staff will Prepare, Identify, Contain, Eradicate, and Recover technology services in the event of a data breach.

Preparation includes working with the Ohio Persistent Cyber Initiative (OPCI) on tabletop exercises and penetration testing; developing and maintaining the Asset Inventory; training staff of Cybersecurity Awareness, etc.

Identification includes the detection and analysis of risks and vulnerabilities that pose a threat to the network and services.

Containment includes taking actions to limit the impact of a cybersecurity event, such as training staff to exclude an affected computer from the network immediately, documenting the incident in detail, and promptly reporting the breach to IT or administration.

Eradication is the process of removing the threat from the network. This may require the assistance of outside entities like the Ohio Cyber Reserve, depending on the severity of the breach.

Recovery is the process of bringing all systems back online to complete functionality; informing the affected parties if data was lost or shared during the intrusion; and documenting the incident and lessons learned.

A targeted mean response time for key cyber assets will be maintained, and response times will also be requested from technology vendors via the VRAR documentation.

A database of technology vendors will be maintained for quick communication regarding affected services.

Annual Policy Review

The CRCPL Cybersecurity Program is a continually-evolving mechanism to respond to the constantly-changing threat landscape, new technologies, legal requirements, and vendor partnerships.

Asset inventories will be updated by key staff at least every 6 months, and components such as Key Cyber Terrain, Risk Management, Vulnerability Management, and Incident Response will be updated by the Access Director and IT Manager as needed, and reviewed annually by administration. Upon completion of annual updates, the Cybersecurity Program will be presented to the Board of Trustees for re-approval.